DENIC ID – Data Handling Policy
Last Modified: April 11th, 2019
Effective Date: April 15th, 2019
What is the scope of this policy
DENIC ID is the authentication service for your ID4me-based identity, or in simple terms, the entity that stores and verifies your password when you log in with ID4me.
DENIC ID is a service operated by DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt, Germany (in this document referred to as “DENIC” or “we”). The service is provided to you as a subscriber of a digital identity service (in this document referred to as “you”). You have typically subscribed to this service through an identity provider (in this document referred to as “ID Provider” or “ID Agent”) and are using the service to gain access to third-party websites (in this document referred to as “Login Partner”).
This policy describes the data DENIC collects to provide you with the DENIC ID service, how it is used and shared with others, and which choices you have regarding this data. We recommend reading this Data Handling Policy along with our Data Privacy Statement, which includes information on how we protect your data and whom to contact for any concerns or questions you may have related to DENIC ID data privacy.
What kind of data do we collect and/or process
In order to provide you with your ID, we need to collect and process certain data about you. Protecting your privacy and enabling you to control which data you choose to share or not share with others is a key objective of the DENIC ID service. Certain kinds of data are optional for you to provide, others are required for the DENIC ID service to work.
Data you provide yourself
- During the sign-up process for an ID, you will get a unique link from your ID Provider that will allow you to set up a password and other settings for your identity. You provide us with this unique link, either by navigating there yourself or by way of redirection from your ID Provider, so that you can complete the setup process for your ID at DENIC.
- You provide us with a password for your identity.
- You have the option to set up a 2nd authentication factor for your identity. If you choose to do so, you will provide us with a corresponding code from your device to set up and subsequently use such 2nd factor.
- You have the option to set up a password recovery email address for your identity in case you wish to reset your login credentials with DENIC ID at some point in the future.
- You inform us if you wish to grant or decline permission for resetting the password for your identity via your ID Agent.
- You have the option to specify your preferred language of communication, so that we can interact with you in the language of your choice.
- You provide us with your identifier when you log in to your DENIC ID dashboard (at https://id.denic.de/dashboard) to manage your identity.
- When you authenticate with DENIC ID for access to a Login Partner service, you have the option to choose which of your personal data you agree to share with this specific Login Partner (your “consent settings”). We will store your consent settings for this Login Partner until you decide to change your settings or revoke your consent.
Data created while you use the service
- When your ID Provider initially creates your identity with DENIC ID, we assign a unique code to your identity (a “handle”) which will remain the same throughout the lifetime of your identity, even if you change your identifier or use multiple identifiers for your identity.
- We will record and store the date, time, your source IP address and your browser data every time you try to authenticate with DENIC ID, along with information on whether those logins were successful or not. The same information will be recorded and stored every time you change, reset or try to change the password, 2nd factor or recovery email address for your identity.
Data your ID Provider relays to us
- Your ID Provider will provide us with the information that you have chosen them as the agent to maintain your identity with DENIC ID on your behalf.
- Your ID Provider will provide us with the identifier that you selected when signing up for your identity.
- Your ID Provider has the option to provide us with a password recovery email address that you may have selected when signing up for your identity with them.
- Your ID Provider has the option to provide us with your preferred language of communication.
- You have the option to transfer the management of your ID from one sponsoring ID Agent to another. During this process, when your new ID Agent initiates the transfer of your identity to them as gaining agent, they will provide us with your identifier and with the unique handle associated with your identity (see above).
Data about your interactions with Login Partners
- You can use your ID to authenticate for access to Login Partner services. We will record and store the time, date, source IP address and browser information for all authentication requests made by Login Partners in relation to your identity, along with information on whether those logins were successful or not.
- When a Login Partner requests us to authenticate your ID to give you access to their service, they may request access to certain types of your personal data that you have stored with your ID Agent. We will record the types of data a Login Partner has requested for each authentication request, regardless of whether you eventually consent or decline to share those types of data with such Login Partner.
- When using the DENIC ID service, we store certain information regarding the device and software you are using to interact with the service.
- This information includes IP address, browser and operating system types and versions, browser language settings, and unique device identifiers.
How we use this data
To set up and manage your identity with DENIC ID
- We use the information your ID Agent provides about you (identifier, recovery email, preferred language) to initially set up your DENIC ID.
- We use the unique link that you visit during the sign-up process to set up your DENIC ID password, 2nd authentication factor, and to confirm your recovery email address and preferred language.
- We use the password and optionally a 2nd login factor to authenticate you when you log in to your DENIC ID dashboard.
- If you have set a recovery email address for your identity, we will use this recovery email address to send you a password reset link in case you ask us to reset your password, to send you a confirmation email after your password has been changed successfully, and to send you a notification in case a certain threshold of unsuccessful login attempts to your identity has been exceeded.
- We use your choice of allowing a password reset through your ID Agent, so that we can accept or deny such password reset requests from your ID Agent.
- If you have set a preferred language for your identity, or if we are able to detect your preferred language from your browser settings, we will use this information to interact with you in this language if we provide support for such language. Otherwise our interactions with you will be in German.
To authenticate you for access to services of Login Partners
- When a Login Partner asks us to authenticate your identity, they will provide an identifier along with their request. We use this identifier to find your ID in our system.
- We use your password and optionally a 2nd factor to authenticate your identity.
- When a Login Partner asks us to authenticate your identity, they may also request access to personal information that you maintain with your ID Agent. We will present you with the types of information requested by the Login Partner (such as your name, phone number or email address), and enable you to select which of the requested information you consent to share with the Login Partner.
How is this data shared
We share information about you only with Login Partners or ID Providers, so that we can provide the ID service. We will not share any of your data with third parties, unless we are required to do so under German or European law.
Sharing data with Login Partners
- After you have successfully authenticated for access to a specific Login Partner, we will deliver a signed token to such Login Partner that confirms your identity and will be used by them to grant you access to their service. This token remains valid for a certain period, until it is revoked or expires.
- Based on your consent settings, we may also provide a separate signed token to the Login Partner that allows them to contact your ID Agent in order to retrieve the data that you have consented to share with them. This token remains valid for a certain period until it is revoked or expires.
- No other data is shared with Login Partners. More specifically, Login Partners never gain access to your password, 2nd authentication factor, recovery email address, or any other data about you.
Sharing data with ID Agents
- For your security, we will notify your ID Agent whenever a Login Partner requests authentication for your ID or access to personal information, so that your ID Agent can provide you with a list of all requests related to your ID and enable you to detect unauthorised authentication requests.
- You have the option to use more than a single identifier with your identity at DENIC ID. When your ID Agent adds or removes an identifier for your DENIC ID, we will share a list of all identifiers used with your identity with your ID Agent upon completion of this request.
- You have the option to transfer management of your ID from one ID Agent to another, if both ID Agents work with DENIC. During this process, when your new ID Agent initiates the transfer of your identity to them as sponsoring agent, we will provide them with a unique URL that they are required to pass on to you. This unique URL will allow you to confirm, by entering your password, that you agree to the transfer of your identity from your current to your new ID Agent. Upon completion of the transfer process, we will share a list of all identifiers used with your identity with your new ID Agent. We will also notify your previous ID Agent that management of your identity has been transferred to a new ID Agent.
- In case you request your ID Agent to reset the password for your DENIC ID, we will provide your ID Agent with a unique URL that they are required to pass on to you. You will need to follow this URL in order to reset the password for your identity with DENIC ID.
Sharing data with law enforcement authorities
- We will share personal information we have stored about you in relation to your identity with law enforcement authorities if and to the extent we are required to do so by German or European law.
How we retain and delete this data
DENIC requires the data gathered or created while using the service to provide the DENIC ID service. We retain your data for the duration of your service subscription and for a period of 6 months thereafter. Certain information, including transaction and usage data, will be stored for up to 6 years as it may be subject to prolonged legal retention requirements.
If you wish to delete your personal data, you can initiate the deletion process by cancelling your DENIC ID subscription with your sponsoring ID Provider. Once your ID Provider has requested a deletion, your identity will initially be disabled for a period of 30 days, during which it can be restored by your ID Provider on your behalf. After this period, your identity will be deleted, and related data will be retained as per the duration set out above.
How we update this Policy
We may update this Policy from time to time. If we make significant changes to this Policy, we will notify you when you log in to the DENIC ID dashboard. By continuing to use the DENIC ID service after such notice, you consent to updates to this policy.