Transfer of personal data to moso.as when using federated login
Description of moso.as
moso.as is a service aimed at students and teachers from universities that are members of SWAMID. The service provides authentication and authorization for the Mentoring and Observation SaaS application to users who have an electronic identity from SWAMID. The service uses the swamid.mentoringapp.com endpoint.
Processing of personal data
Transfer of personal data
During the login process, personal information is transferred from the identity provider (your login service) to the moso.as service in order to identify you as a user and grant you access to the service. When logging in, the following personal data is requested from the identity provider:
Name
To identify you to other users in the service.
cn
displayName
givenName
sn
E-mail address
Used to be able to contact you by e-mail.
Unique identifier
To give you access to your information
eduPersonPrincipalName
eduPersonUniqueID
Organizational data
To identify your organization so that you have access according to the rights you have been granted.
o
eduPersonAffiliation
eduPersonScopedAffiliation
In addition to direct personal data, indirect personal data is also transferred, such as the user's organizational affiliation. In combination with the aforementioned personal data, this information can be used to uniquely identify an individual.
Other processing of personal data within the service
The service stores information about:
Who has created, edited, updated, deleted, and commented on sessions (plans), workspaces, evaluations, notes, and files.
Who has created and deleted messages.
Transfer of personal data to third parties
Personal data is stored within AWS services located in the European region (Stockholm). No personal data is transferred to other third parties.
Lawful basis
The legal basis for processing personal data is the necessity to perform a task in the public interest (Article 6(1)(e) of the GDPR), specifically ensuring that only authorized users and information systems have access to the IT environment (Chapter 4 § 3 MSBFS 2020:7).
Right of access, right of rectification, and right of erasure of personal data
For access, rectification, and erasure of your personal data, please contact the Personal Data Controller. Rectification of personal data that was transferred during the login process must be done through the identity provider used for logging in. This information will be corrected in the service upon the first login after the personal information has been corrected in the identity provider.
Purging of personal data
All user data is automatically deleted when the user is removed from the service. The data controller has the ability to establish customized data deletion procedures for the organization.
Personal data controller
The respective organization acts as the personal data controller responsible for the processing of personal data. Contact information for the data protection officer can be obtained from the relevant higher education institution.
GÉANT Data Protection Code of Conduct
This service adheres to the international framework known as the GÉANT Data Protection Code of Conduct (http://www.geant.net/uri/dataprotection-code-of-conduct/v1) for the secure transfer of personal data from identity providers to the service. This framework is designed for services used in research and higher education within Sweden, the EU, and the EEA.
Last updated