Public sector organisations that, in a broad sense, carry out an authority task through a web service may use WAYF as the technical provider of NemLog-in for the web service. With a standard technical integration to WAYF, the organisation gains the ability to allow users to identify themselves using MitID via NemLog-in, both citizens and employees.
Among the advantages of using WAYF as a NemLog-in provider are increased support and a simpler, more streamlined interface. There is no need to use OIOSAML and OCES certificates; instead, WAYF’s standard service interface is used with self-signed (i.e. free) certificates and without any requirement for ongoing maintenance. The user experience is entirely indistinguishable from that of a direct connection to the Danish Agency for Digital Government – the user does not “see” WAYF.
A common use case is the recovery of institutional accounts for existing users who have lost access: instead, the user can log in using MitID (via NemLog-in) and be recognised using their CPR number. On that basis, access can be granted for the user to regain control of their account. This can save a considerable amount of support time, for example for an educational institution with many users.
However, NemLog-in can also be used as the primary login method for a web service with WAYF integration, thereby providing users with exactly the same login experience as that offered by many well-known public self-service solutions.
If a service provider or institution (acting in the role of service provider) wishes to use NemLog-in via WAYF, the onboarding process follows exactly the same procedure as when other web services are connected to WAYF: a technical integration between the service and WAYF must be established, and the terms must be accepted. Read here about connecting services to WAYF.
Previously, service providers were required to enter into a written agreement with the Danish Agency for Digital Government in order to use NemLog-in through WAYF; this is no longer required. Now, it is sufficient simply to indicate acceptance of WAYF’s terms for the use of NemLog-in.
The following privacy policy applies to end users who access services using NemLog-in through WAYF:
Privacy Policy for the Use of NemLog-in through WAYF
Below you will find information – structured into nine points – about your rights in connection with the processing of your personal data that takes place when you use NemLog-in services through WAYF. WAYF, operated by the Technical University of Denmark, is the data controller for the processing of your personal data in connection with NemLog-in through WAYF.
1. Contact details of the data controller
DeiC – Danish e-Infrastructure Consortium
DeiC Research Network
Produktionstorvet
Building 426, ground floor
2800 Kgs. Lyngby
CVR no.: 30060946 – P no.: 1025571629
Telephone: +45 31 26 92 88
E-mail: sekretariat@wayf.dk
2. Contact details of the Data Protection Officer
DTU
Attn. DPO
Produktionstorvet
Building 426, ground floor
2800 Kongens Lyngby
E-mail: sekretariat@wayf.dk
Telephone: +45 35 88 82 02
3. Purposes of and legal basis for the processing of your personal data
The purpose of the processing is to enable you to identify yourself using NemLog-in in online services provided by public sector organisations in connection with the performance of authority tasks. The processing is carried out on the basis of section 13 of the Act on MitID and NemLog-in and therefore has a legal basis in Article 6(1)(e) of the General Data Protection Regulation – processing of personal data is lawful where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. Categories of personal data
We process identification data, including information on first and last name, e-mail address, date of birth, IP address, PID number, RID number, UUID number, CVR number, gender and CPR number.
5. Recipients or categories of recipients
We disclose your personal data to WAYF’s data processor, NORDUnet A/S, which assists with the operation and administration of our IT systems. We also disclose the data to the provider of the service with which you wish to identify yourself, for example an educational institution where you wish to access an examination system.
6. Source of your personal data
All data that we process about you are collected from the Danish Agency for Digital Government when you identify yourself via NemLog-in, typically using your MitID.
7. Storage of your personal data
When you use NemLog-in via WAYF to access a service, we store your personal data in the system for a few seconds. For security reasons, your personal data are logged when you use NemLog-in. The log is stored for 18 months, after which it is deleted.
8. Your rights
Under the General Data Protection Regulation, you have a number of rights in relation to our processing of information about you. If you wish to exercise your rights, please contact us. You have the right to access the data we process about you, as well as a range of additional information. In certain cases, you have the right to request restriction of the processing of your personal data. If you are entitled to restriction of processing, we may in future process the data only in specific cases in accordance with the General Data Protection Regulation. In certain cases, you also have the right to object to our otherwise lawful processing of your personal data. Read more about your rights in the Danish Data Protection Agency’s guidance on the rights of data subjects at datatilsynet.dk.
9. Complaint to the Danish Data Protection Agency
You have the right to lodge a complaint with the Danish Data Protection Agency if you are dissatisfied with the way we process your personal data. You can find the contact details of the Danish Data Protection Agency at datatilsynet.dk.