Terms and Conditions. Privacy Policy.

The present page describes terms and conditions, as well as the processing of personal data of the QWAC Validator add-on for the Mozilla Firefox web browser, pursuant to articles 13–14 of Regulation (EU) № 679/2016 of the European Parliament and of the Council (“GDPR Regulation”).

QWAC Validator validates the qualification status of the web-access certificate (QWAC) employed by the currently visited website, by checking that it has been issued by a CA accredited for such kind of qualified electronic certificates, as it is published in the European Trust List (TL).

Controller of personal data processing
AgID – Agency for Digital Italy
Address: via Liszt 21 – 00144 Rome
Registered email: protocollo@pec.agid.gov.it
Data Protection Officer contacts
via Liszt 21 – 00144 Rome, c/o AgID
e-mail: responsabileprotezionedati@agid.gov.it

Supervisory body for personal data processing
Garante per la Protezione dei Dati Personali, website: https://www.garanteprivacy.it/web/guest/home_en.

Purposes of personal data processing
Processing of personal data of the user (as the ‘data subject’) enables the verification, against the European TL, of the QWAC used by the currently visited website.

To such an extent, QWAC Validator, developed by the Agency for Digital Italy (AgID), temporarily processes the following browsing data of the user:
• the IP address of the user’s device running the web browser;
• the domain name which the certificate is validated for, communicated to the add-on, by the web browser, as the currently visited URL;
• the web access certificate used by the visited website in establishing a communication channel with the user’s web browser, which contains the domain name as its subject.

Operations and procedures for the processing of personal data
User browsing data are processed in an automated manner: after the installation, the QWAC Validator add-on sends those data to the European TL’s online validation API at website https://webgate.ec.europa.eu/tl-browser/#/ and hence processes them only within the user host computer, for the shortest period required to manage the browser session within the same visited domain.

Besides the aforementioned, automated data processing operations, AgID does neither perform any personal data processing on data stored by the QWAC Validator, nor any browsing data besides those stored in the user’s device.

Legal basis for the processing of personal data
The legal basis for processing is intended as the execution of purposes in the public interest and/or however connected with AgID’s exercise of its public powers, especially pursuant to article 17 of the Regulation (EU) № 910/2014 of the European Parliament and of the Council (“eIDAS Regulation”) and to article 15-bis of D.Lgs № 82/2005, assigning to AgID functions of Italian supervisory body on qualified electronic trust services – pursuant to eIDAS Regulation – as well as fostering digital innovation and the usage of digital technologies, both among Italian public administrations and between them, the citizenship and the private organizations.

Recipients
The communication of the user’s browsing data to the European TL is required to enact the validation: in case the data subject denies to send them, QWAC Validator is not able to complete the above validation.

While browsing on a website authenticated by a web access certificate, QWAC Validator shows a greyed-out icon on the browser’s URL tab, which the user may click on to start the validation of that particular certificate. Therefore, the user may freely choose whether or not the own browsing data are sent to the European TL API in order to complete the validation of the web access certificate.

However, even if the user decides to proceed with the validation, QWAC Validator sends the user’s browsing data to the European TL’s API only in case the visited website’s web access certificate includes, as minimum requirements, the X.509 OIDs "0.4.0.1862.1.1", "0.4.0.1862.1.6.3"; if such requirements are not met a priori, the validation stops with a negative response and no data is sent outside.

After clicking on the aforementioned greyed-out icon, this is replaced by a blue/yellow coloured EU logo in case the certificate is qualified (QWAC). Otherwise, the icon is slashed by a red line, to indicate that the certificate is not qualified.

Other than being asked for consent upon first installation of the add-on, the user may change the configuration settings of QWAC Validator to disable or re-enable the add-on, at any time later on.

Profiling and automated personal data processing
AgID assures that QWAC Validator does not perform any automated decisional processing of, with any legal effects on, the user’s personal data.

QWAC Validator does not allow identification or profiling of the user, who may always enable or disable the QWACs’ validation function of the add-on by changing its configuration settings, according to the instructions published by AgID.

Rights of the data subjects
Users can uninstall QWAC Validator at anytime, thus also removing any personal browsing data stored by the add-on.

As a consequence of the functioning of the add-on, users have no rights to ask to the controller for either the access to, rectification of, or erasure of their own personal data, as well as to oppose to their processing, besides to the right of data portability.

Any questions related to personal data processing may be directed to AgID by contacting its data protection officer (DPO).

It is however, without prejudice to the right of the interested party, to appeal to the Judicial Authority and to lodge a complaint with the supervisory body for the protection of personal data if the subject believes that the processing violates the GDPR Regulation.

Responsibility
QWAC Validator is not a qualified electronic trust services for the validation of qualified certificates: it only returns generalist information on web access certificates of visited websites. Therefore, AgID is not responsible for the effective qualification of electronic certificates processed by QWAC Validator.

The information made available through the present policies do not relate to any other online services that the add-on may connect with, especially the European TL’s certificate validation API available at URL https://webgate.ec.europa.eu/tl-browser/#/.

In no case AgID shall be considered responsible for the processing of personal data performed by the aforementioned API hosted on a European Commission website.