WAYF Cloud Privacy FAQ

Does the WAYF Cloud comply with the General Data Protection Regulation (GDPR) of the European Union (EU)?

The WAYF Cloud is developed taking the GDPR requirements into account and will fully comply with them once released. Compliance with GDPR is mandatory for all service providers, including the WAYF Cloud, and it will start being enforced in May 2018.

The WAYF Cloud requires user-provided data to be stored in a central location. Does this not conflict with GDPR requirements?

No. GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data (Chapter 1, Article 1, paragraph 1).

The WAYF Cloud does process user-provided data, so GDPR applies to it, just as it applies to other products and services that process user-provided data, regardless of whether the data is stored in a central location or distributed.

The WAYF Cloud requires user-provided data to be exchanged between service provider platforms. Does this not conflict with GDPR requirements?

No. As per the GDPR General Provisions, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data (Chapter 1, Article 1, paragraph 3).

The exchange of user-provided data between service providers is allowed, provided that the user consents and that a number of additional requirements about the transparency of how this data is used are met. There are numerous examples of services, including SAML itself, that are based on the exchange of user data.

My service provider is a member of the WAYF Cloud. Are my data now shared between service providers?

No. The user’s consent is also a GDPR requirement, and the WAYF Cloud complies with it by requiring the user’s consent. This is the ‘remember me across publishers’ option offered during an Organizational Login attempt. Users can easily withdraw their consent by visiting the WAYF Cloud web page from their device.

Can I access the data stored for me in the WAYF Cloud?

Yes. The Right to Access is also a GDPR requirement, and the WAYF Cloud complies with it by providing users access to their data via a web-based user interface, with the option to remove data or withdraw their consent.

Can I request that my data are deleted?

Yes. The Right to be Forgotten is also a GDPR requirement, and the WAYF Cloud complies with it by providing users access to their data via a web-based user interface, with the option to remove data or withdraw their consent.

Does the WAYF Cloud track the websites I am visiting?

No. The WAYF Cloud can correlate your visits to the service providers that participate in the WAYF Cloud. It uses this information to create a list of Identity Provider metadata that have been used by a device to successfully authenticate to a service provider.

Does the WAYF Cloud have access to my credentials?

No. The WAYF Cloud does not have access to your username, password, name, e-mail address or any other information that can be directly used to personally identify you. The WAYF Cloud is a discovery service; it is not involved in the authentication between a user and an Identity Provider.

What data or relationships are maintained in the WAYF Cloud?

All the WAYF Cloud needs in order to identify a device, such as a web browser or a mobile device, used across service provider domains is a set of unique, randomly generated identifiers.

For each device, represented by randomly generated identifiers, the WAYF Cloud maintains a relationship with Identity Provider metadata, as well as an event log of successful authentication attempts.

What is the risk for a user in the event of a security breach at the WAYF Cloud?

The WAYF Cloud is built and operated in compliance with high security standards. In the unlikely event of a data breach, event logs of successful authentication attempts at a service provider, along with metadata of the Identity Provider used to authenticate, will be exposed.

Note that Identity Provider metadata is information which is publicly available on the internet. The relationship between random device IDs and Identity Provider metadata, which is maintained in the WAYF Cloud, cannot be used by an attacker to impersonate a user on any of the service providers that participate in the WAYF Cloud.

Also, the stolen data cannot be directly used to personally identify a real person. In combination with data stored in your web browser, or at the publisher platform, it might be possible for an attacker to relate the randomly generated IDs maintained in the WAYF Cloud to a real person.