Opinion of 6 February 2008 on a notification for prior checking realted to the Identity Management Service (Case 2007-349)
DIGIT provides the Identity Management Service (IMS), a service used primarily to manage user populations and their rights in the context of information services. In particular, IMS facilitates the authentication and access control of users to different Commission information services, which are managed by different Directorates General. In doing so, IMS customizes user's interfaces according to user's individual characteristics. IMS is used for Commission staff as well as for personnel of other organizations and members of the public.
The EDPS recommendations to be implemented by DIGIT include, inter alia,
(i) obtain users' consent to process data processed through IMS for customization purposes (interactively and on screen, for example, using the technique of a "pop up" window).
(ii) consider shortening the data retention deadlines for log files
(iii) put in place a system that ensures the accuracy of personal information of non Commission staff members who have been registered in IMS by third parties such as their employers.
(iv) amend the privacy statement and ensure its display before the use of IMS as well as the possibility to consult it at any time