InAcademia is an affiliation validation service (hereinafter referred to as: “Service”) and is a registered trademark of GÉANT VERENIGING (Association) – registered with the Chamber of Commerce in Amsterdam with registration number 40535155 with its registered address at Hoekenrode 3, 1102 BR, Amsterdam, The Netherlands (hereinafter referred to as: “we” or “GÉANT”).
This privacy statement describes how we process the personal data of you, the end user, when you use the InAcademia Service.
The InAcademia Service allows you to get additional discounts or special offers at merchants’ websites (web shops) on the basis of the positive verification of your affiliation with your academic institution.
How does the InAcademia Service work?
When visiting a merchant website, you might find an InAcademia button. Once you choose it, it will allow you to get special offers/discounts on the basis of the positive verification of your affiliation with your academic institution.
The validation of your affiliation by a merchant will only happen upon your request, when you press the InAcademia button at the Service. The Service requests InAcademia to handle the validation of a specific affiliation (“student”, “staff”, “faculty”, “member” or “affiliated”). The request to validate your affiliation does not contain any of your personal data. A transient session identifier is exchanged between the merchant and InAcademia to identify the session.
As a result of the request from the merchant, InAcademia will ask you to prove your affiliation with your Institution. This is done by requesting you to authenticate to InAcademia with your home Institution account. We ask your institution to authenticate you and to provide InAcademia with the following information:
- Your affiliation to the institution (“student”, “staff”, “faculty”, “member” or “affiliated”)
- A persistent identifier that will identify the session between InAcademia and the system of your institution.
Upon successful authentication, InAcademia will evaluate the affiliation received from your institution and decide how to respond to the merchant.
If the affiliation provided by your institution matches the requested validation, InAcademia will signal to the merchant that a successful affiliation validation was made. Upon request of the merchant, InAcademia may send a persistent identifier, the country and name of your institution as part of this confirmation. InAcademia will ask for your consent before sending a response to the merchant.
If the affiliation provided does not match the requested affiliation, InAcademia will signal to the merchant that the affiliation validation has failed. No additional data is sent to the merchant as part of such a transaction.
What data is processed?
InAcademia keeps a technical log of the transactions at InAcademia Service to be able to investigate abuse, fraud or technical issues. This technical log contains the following data:
- the date and time of your transaction;
- a session identifier for the merchant which requested the validation;
- an identifier for the merchant;
- a session identifier as provided by your institution;
- the affiliation provided by your Institution (in case of a positive validation, including the country and name of your institution; in case of a negative validation, a simple “no”);
- the IP address used at the time of the transaction.
Even though we are not able to identify you without you providing additional data, we treat the technical log data as personal data.
GÉANT is the data controller of the above-mentioned data.
GÉANT has appointed a Data Protection Officer, who can be contacted at: email@example.com
Purposes of the processing
InAcademia assists merchants, e.g. a web shop, who want to validate your affiliation to an academic institution in order to provide you benefits or discounts on products or access to specific content and services. For this purpose, InAcademia collects your affiliation from your institution and evaluates it on behalf of the merchants connected to InAcademia.
This way, the merchant may offer you, as the end user, benefits or discounts on products based on the positive verification of your affiliation, or provide access to specific content and services. While InAcademia and your institution assist in validating your affiliation, neither can be held accountable for your ability or inability to get benefits, discounts or access to specific content and services.
Data provided by you will be used for the purposes of:
- Providing you with additional value from the services you are using as an individual affiliated with an educational/research institution, based on the positive verification of your affiliation, by offering you access to discounts on products and access to specific content and services;
- Investigating abuse, fraud or technical issues.
InAcademia has no means to correlate technical log data with personal data at either the merchant or the Institution, unless you provide additional data to us. InAcademia will not provide technical log data to anyone, unless ordered to do so by law, for example as part of a criminal investigation or fraud prevention activity.
InAcademia collects statistics on the use of InAcademia. For this purpose, we collect anonymized data. This data can in no way be related to a specific transaction or to a specific user.
The validation result, which is sent to the merchant, is processed on the legal basis of your consent.
The rest of your data is processed on the legal basis of our legitimate interest in providing the Service to you and keeping it secure against fraud and abuse and free of technical problems.
InAcademia will ask for consent before releasing data towards a merchant. InAcademia treats each and every request for validation as a new transaction, and will not store, nor re-use previously given consent. We will therefore always ask for your consent for every validation. Your consent is the only way that allows for data to flow from InAcademia to a merchant.
You are always free to not consent to releasing the data. In such cases, you may however not be eligible to receive the benefits or discounts on products, or gain access to specific content or services from the merchant which is using InAcademia to validate your affiliation.
All our data is stored within the EEA.
InAcademia will store a technical log of the transactions for a period of 28 days from the date of your transaction.
Security of data
Access to technical log data is restricted; the data can only be accessed in a secure way by InAcademia staff. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect.
Data Protection Code of Conduct
Personal data is protected according to the GÉANT Data Protection Code of Conduct, a common standard for the research and higher education sector to protect the user’s privacy.
You have the following rights:
- You may request a copy of the technical log data we are storing of your transaction(s) as described in the “Data Storage and Retention” section. Please note we can only provide you with this data if you can provide us with a valid session identifier that was used as part of your transaction. This identifier is presented on the consent screen. To retain this session identifier you must keep a copy of the consent screen of the specific transaction.
- You have the right to withdraw your consent, which will not affect the lawfulness of processing based on consent before its withdrawal. Please note that for this purpose you will need to provide us with a valid session identifier that was used as part of your transaction. This identifier is presented on the consent screen. To retain this session identifier you must keep a copy of the consent screen of the specific transaction.
You can exercise your rights by contacting the support desk at firstname.lastname@example.org.
Moreover, you have the right to lodge a complaint with the Supervisory Authority (Autoriteit Persoonsgegevens at https://autoriteitpersoonsgegevens.nl).
Changes to this notice
This privacy statement might be changed at our discretion at any time. When we make changes to this notice, we will update the last modified date at the bottom of this page. We encourage you to review this privacy statement regularly to stay informed about how we are protecting your data.
Last revision: August 2018