Go back to previous page

List of active policies

Name Type User consent
Privacy Policy Privacy policy All users

Privacy Policy

Summary

The privacy policy describes how information about you is collected and stored.

Full policy

Data Privacy Statement for the Teaching/Learning Platform “Moodle” of University of Lübeck
 
1 Name and Address of the Person Responsible

The person/ party responsible as defined by the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is the: University of Lübeck, Ratzeburger Allee 160, 23562 Lübeck, represented by its president.

2 Name and address of the Data-Protection Officer

The data-protection officer of the responsible party is:

University of Lübeck
President
Ratzeburger Allee 160
23562 Lübeck
Tel.: +49 451 3101 1000
Email: praesident@uni-Lübeck.de

x-tention Informationstechnologie GmbH
Margot-Becke-Ring 37
69124 Heidelberg
Tel.: +49 451 3101 1903
Email: datenschutz@uni-Lübeck.de

3 General Information on Data Processing

Data processing involves the collection, recording, organization, filing, storage, adaptation, modification, reading, consultation, transmission, and deletion of personal or person-related data.

Personal or person-related data (subsequently referred to as personal data) is all information relating to an identified or identifiable natural person and conveying his or her identity.

University of Lübeck, as a public corporation, processes personal data on the basis of the EU General Data Protection Regulation (GDPR) as well as the relevant national data protection laws and regulations of the Federal Republic of Germany and the State of Schleswig-Holstein, which apply in addition or subordinate to the regulations of the European Union. Once it has been implemented, this is in particular the Data Protection Act of the State of Schleswig-Holstein in its amended version that has been adapted to the GDPR.

Purpose of Processing Personal Data

The purpose, scope, and duration of our data processing procedures are in most cases based on the legal mandate of the university according to § 3 Hochschulgesetz SH and the related legal norms.

This mandate includes the maintenance and development of the sciences and arts through research, teaching, studies and further education in a free, democratic and social state governed by the rule of law. Based on Art. 6, para. 1, lit. e GDPR, as well as Art. 89 GDPR in conjunction with Art. 13 DSG SH, the data may also be processed for scientific or historical research purposes and for statistical purposes without prior consent, if the processing is necessary for these purposes and the data subject's interests deserving protection do not outweigh these purposes. The data will be anonymized in accordance with §13, para. 2 DSG SH as soon as this is possible with respect to the research or statistical purpose. The data will be deleted as soon as the research or statistical purpose allows it. The university is also subject to various legal obligations in the fulfillment of its mission, which requires the processing of personal data.

While fulfilling these tasks, University of Lübeck is also obliged to take all necessary technical and organizational precautions to ensure the security of your personal data. Precautions that may also involve the processing of personal data.

In addition, data may be processed with your explicit consent, which may be revoked at any time (GDPR: Art. 6 para. 1 lit. a).

If your personal data is processed, you are considered a data subject as defined by the GDPR.

Your rights as a data subject can be found in section 6.

4 Data Processing in Moodle

The teaching and learning platform Moodle (https://itsec-etest.uni-Lübeck.de) is a web-based software that enables access to a module- or course-based learning environment.

Moodle's system environment includes databases with course and user data and a specially set up web server which stores the Moodle program code as well as the files that are uploaded by users. Only the system administrators of University of Lübeck have access to this database.

For Moodle users without administrative privileges, this data can only be accessed from within Moodle.

4.1 Registration (Login Details)

For general access to the teaching/learning environment Moodle, you require an email address and an applicant number.

Moodle user profiles do not contain passwords, as the authentication is done via the central user administration.

4.2 Teaching and Learning in Moodle

Running a Moodle course involves several operations and activities on the part of the authorized person running the course. During this process, the following information is recorded in the database. The collection of this data is essential for the operation of Moodle. Therefore, there is no possibility for the user to object.

Processing Personal Data in Teaching/Learning with Moodle:

All posts, assignments, or activities that are made or carried out in forums or other activities while using the platform are stored in the Moodle database. These include for example:

  • Forum posts
  • Voting in a poll
  • document uploaded by user
  • Pictures/Photos uploaded by user
  • tests, quizzes and exams

Course managers (in the role of “Teacher”) have access to so-called activity overviews for the purpose of teaching, organizing teaching and evaluating the teaching success of the course. These overviews show personal contributions of course participants to activities such as forums, wikis, blogs, or tasks and the time at which the action was carried out. This data may only be used for teaching purposes, as long as this is necessary for the fulfillment of the task and the economy of the data processing is proportional to the purpose for which it is used. This form of data in the Moodle log files is deleted after 30 days. The purpose of this data recording is to support the communication and co-operation of the Moodle users, to check their learning progress and to provide feedback.

4.3 Provision of the Application and Creation of Log Files

Moodle keeps a log on the server in which every HTTP access (especially every connection of a web browser to Moodle) is recorded. The log file records the time, IP address, URL path, and in the case of functions that require authentication, a pseudonymized identifier of the user.

Further technical information e.g., if the access was TLS-protected (https://) and the HTTP response code is included. Internal notes on the execution of the service (especially on errors that occurred during processing) may also be stored.

This information serves the following purposes:

  • Error analysis and problem-solving,
  • Ensuring the IT security of our systems,
  • User Support (second level support by the Moodle administration),
  • Clarification of various issues (e.g., confirmation of an involuntarily missed deadline due to technical problems),
  • Source for statistics.

The log file is recorded for 7 days at a time and deleted again during the following 7 days. Only the system administrators have access to it.

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. 1 e GDPR.

The collection of data to provide the application and the storage of the data in log files are essential for the operation of Moodle. There is therefore no possibility for users to object.

4.4 Use of Cookies

Moodle uses cookies. Cookies are text files that are stored in the internet browser or on the user's computer system by the internet browser. When Moodle is accessed, a cookie might be stored on the user's computer. This cookie contains a unique string of characters which allows the identification of the browser when the user returns to the site.

Moodle uses two cookies: One cookie is called MoodleSession. This cookie must be enabled so that the login is retained when accessing different pages on the website. The cookie is automatically deleted when you log out or close your web browser.

The other cookie is for convenience and is called MoodleID. This cookie stores the login name in the web browser and is retained after you log out. The next time you log in, the login name has already been entered. You can disable this cookie, but you will have to enter your username each time you log in.

The legal basis for processing personal data using cookies is Art. 6 para. 1 lit. f GDPR. The purpose of using such cookies is to simplify the use of websites. Some features of Moodle cannot be provided without the use of cookies. These need to be able to recognize the browser even after changing pages.

Cookies are stored on the computer of the user and are transmitted to our site. This means that users have full control over how cookies are used. They can deactivate or restrict the transmission of cookies by changing the settings in their internet browser. Cookies that have already been stored can be deleted at any time. This can also be carried out automatically. If you disable cookies for Moodle, you may not be able to use all the features provided by Moodle.

4.5 Areas of Responsibility of the Content Providers

Moodle is a publication platform for course content that is prepared and offered by the respective content providers (e.g., lecturers of the departments or central service facilities of the university).

Course coordinators (at least with the role of “Assistant Teacher”) have the possibility to connect external services (e.g., YouTube, WikiMedia, etc.) and transfer files to Moodle. These services are not operated by University of Lübeck and are subject to the procedures of the external provider with regard to security and data protection. The external repositories are marked as such. A transfer of personal data from the learning platform to the providers of external content is not possible.

5 Duration of Data Storage / Deletion Periods

Students

Moodle accounts of students are deactivated and deleted after the application period. Users will no longer be able to log into Moodle after deletion. The Moodle account, including personal details in the corresponding user profile, will be deleted after the application period.

It is possible to have your Moodle account deleted before the above-mentioned deadline. To do so, simply send an informal e-mail to the Moodle administrator a.rabich@uni-Lübeck.de. If the user is re-enrolled at University of Lübeck before the end of the deletion period, the Moodle account will be retained.

The data from the participation in the course will be stored until the course is deleted. Tests results, learning packages and tasks as well as data on completion and overall assessment are stored until the statutory retention obligations have expired.

Voluntarily provided profile data can be deleted by the user at any time.

Courses are usually reused in the semester after the next. Any personal data will be deleted during this process.

6 Rights of the Data Subject
6.1 Right to be Informed - Art. 15 GDPR

Users have the right to obtain confirmation from University of Lübeck whether personal data concerning them are being processed.

Where that is the case, the following information can be requested:

(1) the purposes of the processing;

(2) the categories of personal data concerned;

(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;

(4) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(6) the right to lodge a complaint with a supervisory authority;

(7) where the personal data are not collected from the data subject, any available information as to their source;

(8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

6.2 Right to rectification - Art. 16 GDPR

Users have the right to obtain from University of Lübeck without undue delay the rectification of inaccurate or incomplete personal data concerning them.

6.3 Right to Restriction of Processing - Art. 18 GDPR
(1) Users shall have the right to obtain from the controller the restriction of the processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c)the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or

(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

(2) Where processing has been restricted under paragraph 1, such personal data shall, except for storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Restriction of the right to process data for scientific, historical or statistical research purposes:

The above-mentioned right may be limited to the extent that it is likely to prevent or seriously hamper the realization of research or statistical purposes and the limitation is necessary for the realization of the research or statistical purposes.

Restriction of the right to process data for scientific, historical or statistical research purposes:
The above-mentioned right may be limited to the extent that it is likely to prevent or seriously hamper the realization of research or statistical purposes and the limitation is necessary for the realization of the research or statistical purposes.

6.4 Right to Erasure - Art. 17 GDPR
Under the following conditions, users may request the deletion of personal data if one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the user withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing;

(c) the user objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Exceptions:
The right to erasure does not apply if processing is necessary:

(a) to exercise the right to freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (‌h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise, or defense of legal claims.

6.5 Notification Obligation - Art. 19 GDPR

If users have asserted the right to rectification, erasure, or restriction of processing, the controller is obliged to notify all recipients to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort.

The controller has to inform the users about those recipients if the data subject requests it.

6.6 Right to withdraw consent -Art. 7(3) GDPR

Data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Please send the revocation informally to the controller with whom you have agreed to the data processing. (see also the separate data privacy statement for alumni and for individuals involved in teaching or research at University of Lübeck).

6.7 Right to Object - Art. 21 GDPR

(1) The users have the right to object at any time, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

(2) Where personal data are processed for direct marketing purposes, the users have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

(3) Where the user objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.

(5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the users may exercise their right to object by automated means using technical specifications

Limitation of the right to object regarding data processing for scientific, historical or statistical research purposes.
(6) Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the users, on grounds relating to their particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

6.8 Right to Lodge a Complaint - Art. 77 GDPR

Users have a right to lodge a complaint with a supervisory authority(Art. 77 GDPR). In the event of an infringement of legal provisions for the protection of their personal data, they may contact the supervisory authority. The supervisory authority is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
PO Box 71 16
24171 Kiel
Holstenstraße 98
24103 Kiel

Phone: 04 31/988-12 00
Fax: 04 31/988-12 23
Email: mail@datenschutzzentrum.de
http://www.datenschutzzentrum.de/

7 Legal Basis

Datenschutz-Grundverordnung (EU-DSGVO)
https://dsgvo-gesetz.de/

Bundesdatenschutzgesetz (BDSG)
https://dsgvo-gesetz.de/bdsg/

Telemediengesetz (TMG)
http://www.gesetze-im-internet.de/tmg/

Landesdatenschutzgesetz Schleswig-Holstein (LDSG)
http://www.gesetze-rechtsprechung.sh.juris.de/jportal/?quelle=jlink&query=DSG+SH&psml=bsshoprod.psml&max=true

Landesverordnung zur Erhebung und Verarbeitung personenbezogener Daten für Verwaltungszwecke der Hochschule und der Berufsakademie (StudDatenVO)
http://www.gesetze-rechtsprechung.sh.juris.de/jportal/?quelle=jlink&query=StudDatenV+SH&psml=bsshoprod.psml&max=true

Hochschulgesetz – Schleswig-Holstein
http://www.gesetze-rechtsprechung.sh.juris.de/jportal/?quelle=jlink&query=HSchulG+SH&psml=bsshoprod.psml&max=true&aiz=true#jlr-HSchulGSH2016pP3

Weitere Informationen zum Datenschutz finden Sie auf den Webseiten des Unabhängigen Landeszentrums für Datenschutz Schleswig-Holstein:
https://www.datenschutzzentrum.de/

Back to top