Data protection information for e-learning at the Berlin School of Economics and Law on the Moodle learning platform for external users in accordance with the EU General Data Protection Regulation (EU-GDPR) / Privacy Policy

By using the learning platform, personal data about you will be stored. We ensure that internally only those people who absolutely need this access have access to this information. We treat personal data confidentially and do not make it available to the general public.

1. Controller

Berlin University of Economics and Law

Badensche Strasse 52

10825 Berlin (Germany)

praesident@hwr-berlin.de

Legal representative:

Prof. Dr. Andrew Zaby

Data Protection Officer:

Vitali Dick

Badensche Strasse 52

10825 Berlin (Germany)

datenschutz@hwr-berlin.de

The E-Learning Center of the HWR Berlin is responsible for the content of the learning platform.

Berlin University of Economics and Law

Badenstrasse 52

10825 Berlin

E-Learning Center of the HWR Berlin

elearning[at]hwr-berlin.de

The HWR Berlin will be happy to answer your questions about data protection. Send an email to: datenschutz-elearning[at]hwr-berlin.de

2. Purposes of processing personal data

The system is used for the following purposes:

Provision of a digital platform for e-learning, e-teaching and e-assessment, including user administration.The following deployment models are possible:

A. Joint projects of several participants including the HWR Berlin: The participants work together to develop e-learning content and exams. User administration is the responsibility of HWR Berlin. A cooperation agreement is always concluded between the parties involved. It is regularly a joint responsibility according to Article 26 GDPR, according to which the HWR Berlin is jointly responsible.

The joint responsibility covers only the respective project. The point of contact for enforcing all rights and obligations in the external relationship is initially the HWR Berlin.

List of joint controllers:

§ Project PadLL: Berlin University of Applied Sciences (BHT), Alice Salomon University of Applied Sciences Berlin (ASH), Berlin University of Applied Sciences (HTW)

B. External users (institutions) develop e-learning content and examinations on their own responsibility or ready-made courses are made available for use (service / SaaS): The HWR Berlin only provides the Moodle platform (SAAS), the courses and user management is available. It is regularly an order processing by the HWR Berlin for the institution according to Article 28 DSGVO, according to which the HWR Berlin is the order processor. The relevant institution (client) is responsible.

C. External users (individuals) develop e-learning content and exams independently or ready-made courses are made available for use (service / SaaS). It is regularly a service provided by the HWR Berlin for the external user, according to which the HWR Berlin is responsible.

3. Collection and Use of Personal Information

In principle, we only collect and use personal data from our users to the extent that this is necessary to provide Moodle and its functions.

When using Moodle, the following categories of data are collected:

§ Master data / access data (eg surname, first name, e-mail, user ID, password, user name)

To use the service it is necessary to have a user account. The data required for this will be collected from you.

§ Activity reports for teaching and exam purposes

Those responsible for the course (in the role of “teacher”) have access to so-called activity overviews for the purposes of teaching, organizing teaching and monitoring the success of the course in question. Personal contributions to activities such as forums, wikis, blogs or tasks are shown here.

§ Content data (e.g. uploaded files, forum posts, audio and video data) for teaching and examination purposes

Content data is created when you enter data into Moodle yourself. These include e.g. B. Posts in forums and wikis.

§ Cookie Data

Moodle uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the computer system of the user. If Moodle is accessed, a cookie can be stored on the user’s operating system. This cookie contains a characteristic character string that enables the browser to be clearly identified when the website is called up again. Only technically required cookies are set, which do not require consent according to TTDSG. The cookies are deleted after the end of the browser session.

§ Log data (e.g. log files about usage processes, configuration changes, web server log files)

The data (in particular connection/access and types of content data) are also stored in log files. Storage in log files is done to ensure the functionality of Moodle. In addition, we use the data to optimize Moodle and to ensure the security of our information technology systems.

§ Connection data (e.g. IP address, date and time of access)

The temporary storage of the connection data, in particular the IP address, by the system is necessary to enable Moodle to be delivered to the user’s computer. For this purpose, the IP address of the user must be stored for the duration of the session.

§ Embedding external content (voluntary access to content)

When using our service, external content (esp. Youtube, Vimeo) is added to Moodle as files, links or in the form of text input. When you click on the external content, personal data is transmitted to the provider of the external content. This can (e.g. in the case of YouTube) lead to transmissions to insecure third countries. The level of data protection in third countries outside the EU does not correspond to that of the European Union. In addition, the contact person for enforcing your rights is not the HWR Berlin, but the respective provider. You can find more information here: https://policies.google.com/privacy / https://vimeo.com/privacy

§ Profile data (voluntary) / other voluntary data such as images, photos, etc.

Photos and other unnecessary data can be entered.

4. Legal basis of processing

We process the data on the following legal bases:

A. Joint projects of several participants including the HWR Berlin: §3 BlnDSG and §4 (4) BerlHG in conjunction with §6 (1) 12 BerlHG, joint responsibility according to Article 26 DSGVO.

§ Cookies: Only technically required cookies are set, which do not require consent according to TTDSG. The legal basis is Section 3 BlnDSG and Section 4 (4) BerlHG in conjunction with Section 6 (1) 12 BerlHG.

§ External content: The legal basis for the provision of external content is the consent of the person concerned to the data processing to the provider in accordance with Article 6 Paragraph 1 lit.

§ Voluntary profile data, other voluntary data: The legal basis for the creation of voluntary profile data and content is the consent of the data subject to data processing in accordance with Article 6 (1) (a) GDPR.

§ Log files, activity logs: The processing is necessary to fulfill a legal obligation. The legal obligation consists of implementing technical security measures and investigating security incidents. The legal basis is Art. 6 (1) e GDPR in conjunction with Art. 32 GDPR and §26 (3) and §50 BlnDSG.

B. External users (institutions) develop e-learning content and testing on their own responsibility or receive finished courses: order processing or Article 6 (1) b GDPR. The processing legal bases are the responsibility of the client.

C. External users (individuals) are provided with ready-made e-learning content and exams by the HWR Berlin: Article 6 (1) b GDPR.

§ Cookies: Only technically required cookies are set, which do not require consent according to TTDSG. The legal basis is Article 6 (1) b GDPR.

D. Internal users, user management and administration: Section 3 BlnDSG and Section 4 (4) BerlHG in conjunction with Section 6 (1) 12 BerlHG and Section 88 GDPR in conjunction with Section 26 BDSG.

§ Cookies: Only technically required cookies are set, which do not require consent according to TTDSG. The legal basis is Section 3 BlnDSG and Section 4 (1) BerlHG in conjunction with Section 6 (1) 12 BerlHG and Section 88 GDPR in conjunction with Section 26 BDSG.

5. Duration of storage of data/deletion deadlines

We delete the data according to the following deletion periods:

External users of joint projects of several participants including the HWR Berlin:

§ As soon as the external user leaves the project, their account will be deleted.

§ Course content will be deleted or anonymised 6 months after the project has ended.

External users (institutions) develop e-learning content and testing on their own responsibility or receive finished courses:

§ As soon as the service contract is terminated or the account is inactive for 1 year. The personal data will then either be deleted, returned to the client or made anonymous.

External users (individuals) are provided with ready-made e-learning content and exams by the HWR Berlin:

§ As soon as the service contract is terminated or the account is inactive for 1 year. The personal data is then either deleted, returned to the individual, or made anonymous.

Internal users of the HWR Berlin

§ User accounts and associated student content: 150 days after de-registration or leaving the university.

§ User accounts and associated content of employees, teachers, lecturers: 30 days after leaving the service.

General deletion periods:

§ Log files:

1. Configuration changes made by admins – 30 days after leaving the service
2. Activities and event log
3. Server logs – 14 days
4. Error logs – 14 days

§ Cookie: The session cookie is deleted after the end of the browser session

§ External content: See data protection information of the external providers.

§ You can delete profile data that you have entered voluntarily at any time

6. Recipients of the personal data / third country transfers

If several project participants work on the same e-learning, e-teaching and e-assessment units, this content can also be viewed by the other participants.

If embedded content from third-party providers (Youtube, Vimeo, etc.) is called up with consent, content (videos, scripts, fonts, etc.) from the provider will be reloaded from your browser and cookies (especially tracking and analysis cookies) may be set. This can lead to profiling, marketing and user analysis by the provider. In most cases, your browser information and IP address will be transmitted. This content is only reloaded when you actively click on the corresponding embeds. The third-party providers usually come from the USA, but can be based anywhere in the world. HWR Berlin no longer has any influence on the data transmitted during the browser session or on the subsequent data processing by the provider.

The data protection notices of the providers can be found here: https://policies.google.com/privacy / https://vimeo.com/privacy

7. Rights of the data subject:

The person affected by the processing has rights in accordance with Art. 13 – 23 GDPR, which can be asserted against the HWR Berlin as the person responsible. An overview of the most important rights is listed below:

§ Right to revoke consent according to Art. 7 (3) GDPR

§ Right of access by the data subject (HWR Berlin) according to Art. 15 DSGVO

§ Right to rectification (HWR Berlin) according to Art. 16 DSGVO

§ Right to erasure (HWR Berlin) according to Art. 17 DSGVO

§ Right to restriction of processing of data stored by the person responsible (HWR Berlin) according to Art. 18 DSGVO

§ Obligation to notify in connection with the correction or deletion of personal data or the restriction of processing according to Art. 19 DSGVO

§ Right to data portability according to Art. 20 GDPR

§ Right to object to the data processing, provided that the processing according to Art. 6 (1) e GDPR is necessary for the performance of a task that is in the public interest or in the exercise of official authority according to Art. 21 GDPR.

§ Right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

§ Right to notification according to Art. 34 GDPR of the person affected by a breach of the protection of personal data.

If the HWR Berlin acts as a processor, we will forward data protection inquiries to the respective client. This person is responsible for data processing in relation to the data subject.

8. Obligation to provide personal data

Except for the data that can be provided voluntarily, the personal data must be provided so that the processing purposes specified above by the person responsible can be fulfilled. The obligation to provide results from the cooperation or service contracts.

9. Exercise of Rights

If you would like to exercise your rights, please contact the data protection officer named above or submit the request using the link . ^{^[1]}

10. Right to Complain

The person concerned also has the right to complain to a supervisory authority about the HWR Berlin. The competent supervisory authority in the state of Berlin is

Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstr. 219
10969 Berlin
mailbox@datenschutz-berlin.de

11. Automated Decision Making:

There is no automated decision-making or profiling.

Moodle External