The GÉANT Data Protection Code of Conduct for Service Providers

The GÉANT Data Protection Code of Conduct applies to SPs based in EU and EEA countries, and to those with adequacy decisions.

Our understanding, in January 2022, is that the UK has a data adequacy agreement with the EU, and this will continue until the end of June 2025 unless there is divergence between UK and EU contexts. The agreement may continue past this date, but there is no guarantee that this will be the case long term. Service providers based in one of the jurisdictions of the UK are, therefore, able to assert the Code of Conduct.

If the agreement ends, the UK federation may be obliged to remove the Code of Conduct element from SPs' metadata at short notice.

If you are an SP operator, you should consider the effect of the removal of the Code of Conduct, both in terms of future interoperability, and for the data that has been stored by your SP under the Code of Conduct.

SP operators can signal to IdP operators that they follow good practice in data protection by asserting that they follow the GÉANT Data Protection Code of Conduct. If IdP operators decide they will release the requested attributes to a Code of Conduct-committed Service Provider without administrative involvement, they can signal this by asserting the entity category support attribute.

Please Note: this entity category is self-asserted by the SP. The UK federation does not verify that a SP complies with the Code of Conduct. For SPs registered by the UK federation, we verify only that the entity category has been asserted correctly. For SPs registered outside the UK federation that assert the entity category, we import the entity category as-is.


SP operators should be familiar with the GÉANT Data Protection Code of Conduct for Service Providers and Code of Conduct SAML 2 profile before contacting the helpdesk.

You should be familiar with the UK federation's guidance on RequestedAttribute elements in an SP's metadata.

Full documentation on this entity category can be found at the GÉANT Data Protection Code of Conduct Home.

How do I request that my SP shows it follows the Code of Conduct?

What must be in the request?

  • The request MUST include an entityID for a registered SP (or be part of a registration request).
  • The request MUST be emailed to us by an appropriate person. In the case of an existing entity, this would be the administrative contact for the entity or Management Contact for the organization. New registration requests must always come from an organization's Management Contact. (A description of the various roles is available here.)
  • The request MUST include a mdui:PrivacyStatementURL value with xml:lang="en". There may be more than one mdui:PrivacyStatementURL. Each one must have a unique xml:lang attribute, although they could conceivably all have the same URL if the document has sections for the different languages.
    <mdui:PrivacyStatementURL xml:lang="fi"></mdui:PrivacyStatementURL>
    <mdui:PrivacyStatementURL xml:lang="en"></mdui:PrivacyStatementURL>
  • The mdui:PrivacyStatementURL with xml:lang="en" MUST resolve to a document.
  • The Privacy Statement MUST include the name, address and jurisdiction of the Service Provider.
  • The Privacy Statement MUST indicate a commitment to the Code of Conduct. The Privacy Statement should therefore include text about the Code and should link to the Code URI ( Note that the eduGAIN Code of Conduct checking tool will check for the exact URL and flag a warning if it is not present.
  • The SP's metadata MUST include RequestedAttribute elements to indicate the attributes that the SP will request. Please note that the core attributes for the UK federation are defined in the eduPerson schema (see section 7 of the UK federation Technical Recommendations for Participants) whilst other federations may use attributes from other schemas e.g. SCHAC. Information on the form of the RequestedAttribute information can be seen on the Shibboleth wiki, or contact the UK federation service desk for more information. Note that the simple semantics of the isRequired flag cannot fully capture the complexities of attribute requests in SAML, so we recommend you contact the service desk for advice in this regard.

What's recommended to be in the request?

  • The SP's metadata should include at least one mdui:DisplayName. If it does, there MUST be one mdui:DisplayName with xml:lang="en"
  • The SP's metadata should include at least one mdui:Description. If it does, there MUST be one mdui:Description with xml:lang="en"

What happens next?

The UK federation support team will review your request. When we have ensured that all is in order, we will update the SP's registration and publish updated metadata.

How do I request to show that my IdP supports the Code of Conduct?

The Administrative Contact for the entity or Management Contact for the organization must send an email to the UK federation service desk, at, requesting that the entity category support attribute should be added to the IdP.

Other information

This Code of Conduct monitoring tool checks whether SPs asserting the Code of Conduct do so correctly, in the sense that they include all the required elements of metadata. Instructions for the tool are here.