InAcademia, a registered trademark of GÉANT Association in Amsterdam, is an affiliation validation service operated in The Netherlands.
This document describes how we treat the personal data of you, the end user, when you use InAcademia.
InAcademia assists merchants, e.g. a web shop, who want to validate your affiliation to an academic Institution. For this purpose, InAcademia collects your affiliation from your institution and evaluates it on behalf of the merchants connected to InAcademia.
This way, the merchant may offer you as the customer, based on your affiliation, provide you with benefits or discounts on products, or provide access to specific content and services. While InAcademia and your institution assist in validating your affiliation, neither can be held accountable for your ability or inability to get benefits, discounts or access to specific content and services.
Process and Data Transfer
The validation of your affiliation by a merchant will only happen upon your request, when you press the InAcademia button at the Service. The Service requests InAcademia to handle the validation of a specific affiliation (“student”, “staff”, “faculty”, “member” or “affiliated”). The request to validate your affiliation does not contain any of your personal data. A transient session identifier is exchanged between the merchant and InAcademia to identify the session.
As a result of the request from the merchant, InAcademia will ask you to prove your affiliation with your Institution. This is done by requesting you to authenticate to InAcademia with your home Institution account. We ask your institution to authenticate you and to provide InAcademia with the following information:
- Your affiliation to the institution (“student”, “staff”, “faculty”, “member” or “affiliated”)
- A persistent identifier, that will identify the session between InAcademia and the system of your Institution.
Upon successful authentication, InAcademia will evaluate the affiliation received from your Institution and decide how to respond to the merchant.
If the affiliation provided by your institution matches the requested validation, InAcademia will signal to the merchant a successful affiliation validation was made. Upon request of the merchant, InAcademia may send a persistent identifier, the country and name of your institution as part of this confirmation. InAcademia will ask your consent before sending a response to the merchant.
If the affiliation provided does not match the requested affiliation, InAcademia will signal the merchant that the affiliation validation has failed. No additional data is sent to the merchant as part of such a transaction.
InAcademia will ask for consent before releasing data towards a merchant. InAcademia treats each and every request for validation as a new transaction, and will not store, nor re-use previously given consent. We will therefore always ask for your consent for every validation. Your consent is the only way that allows for data to flow from InAcademia to a merchant.
You are always free to not consent to releasing the data. In such cases, you may however not be eligible to receive the benefits or discounts on products, or gain access to specific content or services from the merchant which is using InAcademia to validate your affiliation.
Data Storage and Retention
All our data is stored within the EU/EEA. Merchants that receive the affiliation validation confirmation upon your consent may be in the EU/EEA, or in countries with less adequate data protection provisions.
InAcademia will always ask for your consent to releasing data towards a merchant. InAcademia treats each and every request for validation as a new transaction, and will not store previously given consent. As we do not store your consent, we cannot provide you with information on previously given consent.
InAcademia keeps a technical log of the transactions at InAcademia to be able to investigate abuse, fraud or technical issues. This technical log contains the following data:
- the date and time of your transaction
- a session identifier for the merchant which requested the validation
- an identifier for the merchant
- a session identifier as provided by your Institution
- the affiliation provided by your Institution
- the IP address used at the time of the transaction
InAcademia will store a technical log of the transactions for a period of 28 days. Access to technical log data is restricted and can only be accessed in a secure way by InAcademia staff.
InAcademia has no means to correlate technical log data with personal data at either the merchant or the Institution, unless you provide additional data to us. InAcademia will not provide technical log data to anyone, unless ordered to do so by law.
InAcademia wants to collect statistics on the use of InAcademia. For this purpose we collect anonymized data. This data can in no way be related to a specific transaction or to a specific user.
Data Protection Code of Conduct
Personal data is protected according to the GÉANT Data Protection Code of Conduct, a common standard for the research and higher education sector to protect the user’s privacy.
You have the following rights:
- You may request a copy of the technical log data we are storing of your transaction(s) as described in the “Data Storage and Retention” section. Please note we can only provide you with this data if you can provide us with a valid session identifier that was used as part of your transaction. This identifier is presented on the consent screen. To retain such session identifier you must keep a copy of the consent screen of the specific transaction. We will respond to your request within 10 working days.
- We cannot provide you with consent information as we do not store it. InAcademia treats each and every request for validation as a new transaction. As we do not store your consent, we cannot provide you with information on previously given consent.
- We cannot allow you to revoke consent information as we do not store it. InAcademia treats each and every request for validation as a new transaction. As we do not store your consent, we cannot provide you with the ability to revoke previously given consent.
- You have the right to complain to the Supervisory Authority (Autoriteit Persoonsgegevens at https://autoriteitpersoonsgegevens.nl) about our data processing activities.
Please contact our support desk at firstname.lastname@example.org for any further information.
InAcademia, August 29, 2017.