How can I comply to the Data Protection Code of Conduct?

The GÉANT Data Protection Code of Conduct (DP-CoCo) is an approach to meet the requirements of the EU Data Protection Directive for releasing personal attributes to a Service Provider ( ) from an Identity Provider ( ). The DP-CoCo is not a formal assessment in nature, but rather an explicit self-commitment for a CLARIN Service Provider Federation SP by the CLARIN Centre operating it to adhere to the Data Protection Directive. This commitment is recorded in the metadata about said SP, which also allows IdPs to identify DP-CoC compliant SPs.
To implement the DP-CoCo, you need to do the following:
  1. Decide on which personal data, i.e. which attributes, you require for the services you provide. Our recommendations.
  2. Write and publish a Privacy Policy for your Service Provider. To complement authoring one based on the official DP-CoC documents, you can draw inspiration from those of other CLARIN Centres, by looking up the documents referred to in the mdui:PrivacyStatementURL elements in the SAML metadata about SPF production SPs.
  3. Adapt the SAML metadata about your SP. Again, please see the official documents listed on GÉANT Data Protection Code of Conduct (DP-CoCo), especially "SAML 2 Profile for the Data Protection Code of Conduct". Please mind that the example given in this document omits the schema-required 'index' attribute of the md:AttributeConsumingService element. Also, make sure that your SAML metadata still conforms to our guidelines for SAML metadata about your SP, which has precedence over the examples found in official DP-CoCo documents.

Optional: If you decide to join eduGAIN, you can check the proper implementation of the DP-CoCo via

Details and more background about this Centre requirement can be found in document CE-2013-0259.