Does the WAYF Cloud comply with the General Data Protection Regulation (GDPR) of the European Union (EU)?
The WAYF Cloud is being developed with the GDPR requirements in mind and will fully comply with them once released. Compliance with the GDPR is mandatory for all service providers, including the WAYF Cloud, and it applies from 25 May 2018.
When an anonymous user selects their Identity Provider and this information is collected and processed by a service provider, it is considered personal data. In that sense, the WAYF Cloud does store personal data and the GDPR requirements apply to the WAYF Cloud.
In particular, the WAYF Cloud stores pseudonymized (keyed-hashed) device IDs (randomly generated identifiers) and associates them with Identity Provider metadata such as the entity ID and federation ID. These data cannot be used to identify a person on their own; they could only be linked to a person when combined with data kept in the user's web browser or in the logs of the service provider platforms.
The WAYF Cloud does not process special categories of personal data (ethnicity, race, religion, health, etc.), nor genetic or biometric data.
The WAYF Cloud requires user provided data to be stored in a central location. Does this not conflict with GDPR requirements?
No. The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data (Chapter 1, Article 1, paragraph 1).
The WAYF Cloud does process personal data, so the GDPR applies to it just as it applies to any other product or service that collects and processes personal data, regardless of whether the data are stored in a central location or distributed.
The WAYF Cloud requires user provided data to be exchanged between service provider platforms. Does this not conflict with GDPR requirements?
No. As per the GDPR General Provisions, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data (Chapter 1, Article 1, paragraph 3).
The exchange of user provided data between service providers is allowed provided the user has given consent and a number of additional requirements about how this data is used are met.
My service provider is a member of the WAYF Cloud. Are my data now shared between service providers?
No. The user's consent is a GDPR requirement and the WAYF Cloud complies with it by requiring the user's consent. This is the 'remember me across publishers' option offered during an Organizational Login attempt. Consent can be withdrawn at any time by visiting the "WAYF Cloud for Users" application from the device in question.
Yes. The Right of Access is a GDPR requirement and the WAYF Cloud complies with it by giving users access to their data via a web-based user interface, with the option to remove data or withdraw their consent.
Yes. The Right to Erasure is a GDPR requirement and the WAYF Cloud complies with it by giving users access to their data via a web-based user interface, with the option to remove data or withdraw their consent.
No. The WAYF Cloud does not have access to your username, password, name, e-mail address or any other information that could be used directly to identify or impersonate you. The WAYF Cloud is a discovery service; it is not involved in the authentication of a user to an Identity Provider. You may want to read how the WAYF Cloud works to better understand how the sign-in process can be simplified without the use of personal information.
No. The WAYF Cloud can only correlate your visits to the service providers that participate in the WAYF Cloud. It uses this information to build a list of the Identity Provider metadata that a device has used to successfully authenticate to a service provider.
The WAYF Cloud is built and operated in compliance with high security standards. In the unlikely event of a data breach, what would be exposed is event logs of successful authentication attempts at a service provider, along with the metadata of the Identity Provider used to authenticate.
The stolen data cannot be used by the attacker to impersonate a user on any of the service providers that participate in the WAYF Cloud.
The stolen data also cannot be used directly to identify a real person. Only in combination with data stored in the user's web browser or on the publisher platforms, and only if the hashing key used for pseudonymization is also compromised, might an attacker be able to link the keyed hashes of the randomly generated IDs held in the WAYF Cloud to a real person.
Note that any Identity Provider metadata held in the WAYF Cloud is information that is already freely available on the internet.
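The data model described in the first answer (random device IDs that live in the browser, keyed hashes of them in the central store, Identity Provider metadata alongside) and the breach scenario above (re-identification is only possible with the raw IDs plus the hashing key) can be made concrete in code. The following is an added example written for this page; it is not the WAYF Cloud's own implementation. It assumes HMAC-SHA256 as the keyed hash, and the names `CentralStore`, `pseudonymize`, `relink` and `erase` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical model of the flow described on this page: the raw device ID is
# generated and kept on the user's device; the central store only ever sees
# HMAC(key, device_id) together with public Identity Provider metadata.


def new_device_id() -> str:
    """Random device identifier, generated client-side and kept in the browser."""
    return secrets.token_hex(16)


def pseudonymize(device_id: str, key: bytes) -> str:
    """Keyed hash of the device ID. Without `key` nobody can recompute it,
    so a dump of hashes cannot be matched against raw IDs taken elsewhere."""
    return hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()


class CentralStore:
    """Central store (hypothetical) holding only pseudonymized IDs -> IdP metadata."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = {}  # hmac hex digest -> set of (entity_id, federation_id)

    def remember(self, device_id: str, entity_id: str, federation_id: str) -> None:
        """Called after a successful login when the user ticked 'remember me across publishers'."""
        h = pseudonymize(device_id, self._key)
        self._records.setdefault(h, set()).add((entity_id, federation_id))

    def lookup(self, device_id: str) -> set:
        """Discovery: which IdPs has this device used before? Needs the raw ID from the browser."""
        return set(self._records.get(pseudonymize(device_id, self._key), set()))

    def erase(self, device_id: str) -> bool:
        """Right to Erasure / consent withdrawal: drop every record for this device."""
        return self._records.pop(pseudonymize(device_id, self._key), None) is not None

    def dump(self) -> dict:
        """What an attacker would obtain from a breach of the store alone."""
        return {h: set(meta) for h, meta in self._records.items()}


def relink(breached: dict, raw_ids: list, key: bytes) -> dict:
    """Re-identification attempt: combine breached records with raw device IDs
    (from browsers or publisher logs) and a candidate hashing key.
    Returns raw_id -> IdP metadata for every record that could be linked."""
    by_hash = {pseudonymize(d, key): d for d in raw_ids}
    return {by_hash[h]: meta for h, meta in breached.items() if h in by_hash}


def breach_scenario() -> dict:
    """Walk through the scenario from the page with constructed sample data."""
    key = secrets.token_bytes(32)          # hashing key, held only by the service
    store = CentralStore(key)
    device = new_device_id()               # raw ID, held only by the browser

    # Constructed sample IdP metadata (public, per the page).
    store.remember(device, "https://idp.example.edu/idp/shibboleth", "example-federation")
    leaked = store.dump()

    return {
        "lookup_works": store.lookup(device),
        "raw_id_in_dump": any(device in h for h in leaked),
        "relink_wrong_key": relink(leaked, [device], secrets.token_bytes(32)),
        "relink_right_key": relink(leaked, [device], key),
        "erased": store.erase(device),
        "after_erase": store.lookup(device),
    }


if __name__ == "__main__":
    for k, v in breach_scenario().items():
        print(f"{k}: {v}")
```

The point the example makes: a dump of the store maps opaque digests to public metadata, and `relink` only succeeds when the attacker holds both the raw IDs from outside the store and the correct key, which is exactly the condition stated above. `erase` shows that erasure and consent withdrawal can be done with the raw ID alone, without the store ever learning who the user is.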
Updated almost 6 years ago