Form di ricerca

IDEM privacy EN

Service Name

Identity Provider

Service Description

The federated authentication service allows users of the Politecnico of Torino to access federated resources using their institutional credentials. The Resources can be provided through the Italian Federation of Identity of Universities and Research Bodies (IDEM), or directly. The Federated Authentication Service is responsible for authenticating the user and issuing an authentication token and, if required, a minimum set of personal data for accessing the Resource.

Data Processor


  • Name: Politecnico of Bari
  • Email:
  • Address: Via Amendola 126/b - 70126 BARI, IT
Responsible for Data Protection(GDPR Section 4) (if applicabile)
  • Name: Dott. Sandro Spataro
  • Email: -
  • Address: via Amendola 126/b - 70126 BARI, IT

Jurisdiction and supervisory authority


IT-IT Italian Data Protection Authority

Categories of direct and indirect personal data processed and legal basis for processing

  • one or more unique identifiers;
  • identification credential;
  • first and last name;
  • e-mail address;
  • role in the organisation;
  • specific rights to resources;
  • name of the affiliated organisation;
  • IdP service log records: User identifier, date and time of use, requested Resource, submitted attributes;
  • Log records of the services necessary for the operation of the IdP service.

Any collected personal data is stored in Italy, in accordance with the GDPR. The data processing purpose is the provisioning of the authentication service. The legal basis for data processing is the fulfillment of contractual obligations (through the provisioning of the authentication service) and the legitimate interest of the Controller.

Purposes of personal data processing

To provide the federated authentication service in order to access the Resources requested by the User. To verify and monitor the proper functioning of the service and ensure its security (legitimate interest). To fulfil any legal obligations or requests from the judicial authorities.

Third parties to whom the data are communicated

The Controller, in order to provide the service correctly, communicates to the Resources providers to which the User intends to access proof of authentication and only the personal data (attributes) requested, in full compliance with the principle of minimization. Personal data is transmitted only when the subject requests access to the Resource of the third party. For purposes related to the legitimate interest of the Controller or the fulfilment of legal obligations, some log data may be processed by third parties (e.g. CERT, CSIRT, Judicial Authority).


Exercise of Subjects’ rights

To request access to your personal data and their correction or deletion or to object to their processing, or to exercise the right to data portability (Articles 15 to 22 of the GDPR), contact the Controller at the above mentioned contact details.

Revocation of the consent of the interested party

The only data collected with the consent of the subject are preferences about the visualization of the attribute transmitted to the Resources. The preferences are collected at the time of the first access to the Resource and may be changed afterwards by starting over again the access procedure.

Data portability

The Interested Party may request the portability of their data concerning the federated authentication service, including preferences regarding the visualization of the attributes transmitted to the Resources, which will be provided in open format and in accordance with Art. 20 of the GDPR. The data portability service is free of charge.