List of active policies
|Nutzungsbedingungen | Site policy||Site policy||All users|
SummaryData Privacy Statement for the Teaching/Learning Platform "Moodle" of Technische Hochschule Lübeck
1 Name and Address of the Person ResponsibleThe person/ party responsible as defined by the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is the: Technische Hochschule Lübeck, Mönkhofer Weg 239, 23562 Lübeck, represented by its president.
2 Name and address of the Data-Protection OfficerThe data-protection officer of the responsible party is:
Technische Hochschule Lübeck
Mönkhofer Weg 239
3 General Information on Data ProcessingData processing involves the collection, recording, organization, filing, storage, adaptation, modification, reading, consultation, transmission and deletion of personal or person-related data.
Personal or person-related data (subsequently referred to as personal data) is all information relating to an identified or identifiable natural person and conveying his or her identity.
Technische Hochschule Lübeck, as a public corporation, processes personal data on the basis of the EU General Data Protection Regulation (GDPR) as well as the relevant national data protection laws and regulations of the Federal Republic of Germany and the State of Schleswig-Holstein, which apply in addition or subordinate to the regulations of the European Union. Once it has been implemented, this is in particular the Data Protection Act of the State of Schleswig-Holstein in its amended version that has been adapted to the GDPR.
Purpose of Processing Personal DataThe purpose, scope and duration of our data processing procedures are in most cases based on the legal mandate of the university according to § 3 Hochschulgesetz SH and the related legal norms.
This mandate includes the maintenance and development of the sciences and arts through research, teaching, studies and further education in a free, democratic and social state governed by the rule of law. Based on Art. 6, para. 1, lit. e GDPR, as well as Art. 89 GDPR in conjunction with Art. 13 DSG SH, the data may also be processed for scientific or historical research purposes and for statistical purposes without prior consent, if the processing is necessary for these purposes and the data subject's interests deserving protection do not outweigh these purposes. The data will be anonymized in accordance with §13, para. 2 DSG SH as soon as this is possible with respect to the research or statistical purpose. The data will be deleted as soon as the research or statistical purpose allows it. The university is also subject to various legal obligations in the fulfillment of its mission, which requires the processing of personal data.
While fulfilling these tasks, Technische Hochschule Lübeck is also obliged to take all necessary technical and organizational precautions to ensure the security of your personal data. Precautions that may also involve the processing of personal data.
In addition, data may be processed with your explicit consent, which may be revoked at any time (GDPR: Art. 6 para. 1 lit. a).
If your personal data is processed, you are considered a data subject as defined by the GDPR.
Your rights as a data subject can be found in section 6.
4 Data Processing in MoodleThe teaching and learning platform Moodle (https://lernraum.th-luebeck.de) is a web-based software that enables access to a module- or course-based learning environment.
Moodle's system environment includes databases with course and user data and a specially set up web server which stores the Moodle program code as well as the files that are uploaded by users. Only the system administrators of Technische Hochschule Lübeck have access to this database.
For Moodle users without administrative privileges, this data can only be accessed from within Moodle.
Access to the teaching/learning platform Moodle is available to members of Technische Hochschule Lübeck according to §13 HSG SH and to other individuals who are involved in teaching or research at the university. There is a separate data privacy statement for alumni and individuals who are engaged in teaching or research at the university.
4.1 Registration (Login Details)For general access to the teaching/learning environment Moodle, you require a THL-IT account of Technische Hochschule Lübeck and thereby the admission to the central user administration (LDAP).
Invalid user profiles are automatically deleted within 24 hours.
During the login process, information from the LDAP account is automatically transferred to the corresponding Moodle user profile and updated when the user logs in again:
- (university related) E-Mail address
- First Name
- Last Name
- Abbreviation of the study course (not with employees of THL)
4.2 Teaching and Learning in MoodleRunning a Moodle course involves several operations and activities on the part of the authorized person running the course. During this process, the following information is recorded in the database. The collection of this data is essential for the operation of Moodle. Therefore, there is no possibility for the user to object.
Processing Personal Data in Teaching/Learning with Moodle:All posts, assignments or activities that are made or carried out in forums or other activities while using the platform are stored in the Moodle database . These include for example:
- Forum posts
- Votings in a poll
- document uploaded by user
- Pictures/Photos uploaded by user
- test and exams
4.3 Provision of the Application and Creation of Log FilesMoodle keeps a log on the server in which every HTTP access (especially every connection of a web browser to Moodle) is recorded. The log file records the time, IP address, URL path, and in the case of functions that require authentication, a pseudonymized identifier of the user.
Further technical information e.g. if the access was TLS-protected (https://) and the HTTP response code is included. Internal notes on the execution of the service (especially on errors that occurred during processing) may also be stored.
This information serves the following purposes:
- Error analysis and problem solving,
- Ensuring the IT security of our systems,
- User Support (second level support by the Moodle administration),
- Clarification of various issues (e.g. confirmation of an involuntarily missed deadline due to technical problems),
- Source for statistics.
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. 1 e GDPR.
The collection of data to provide the application and the storage of the data in log files are essential for the operation of Moodle. There is therefore no possibility for users to object.
Moodle uses two cookies: One cookie is called MoodleSession. This cookie must be enabled so that the login is retained when accessing different pages on the website. The cookie is automatically deleted when you log out or close your web browser.
The other cookie is for convenience and is called MoodleID. This cookie stores the login name in the web browser and is retained after you log out. The next time you log in, the login name has already been entered. You can disable this cookie, but you will have to enter your username each time you log in.
Cookies are stored on the computer of the user and are transmitted to our site. This means that users have full control over how cookies are used. They can deactivate or restrict the transmission of cookies by changing the settings in their internet browser. Cookies that have already been stored can be deleted at any time. This can also be carried out automatically. If you disable cookies for Moodle, you may not be able to use all the features provided by Moodle.
4.5 Web Analysis and Social MediaSocial media plugins are not centrally embedded for all Moodle users.
4.6 Video/Audio Transmissions or Recordings of Web Conferences (BBB)The web conference software BigBlueButton can be integrated in individual courses. When using this feature, audio, video, and text data (chat messages) of the participants are transmitted to other participants.
During an active web conference, the metadata of the connection (IP address, browser identification) are recorded in addition to the user data (audio, video, text chat), that is forwarded to other participants. In some cases, the teacher can have the system record these sessions. This is visible in the interface for all participants of the web conference. In that case the video, audio and text data will be recorded and subsequently displayed in the Moodle course. These recordings can then be viewed by all participants of the course. Since the video and audio recordings are potentially sensitive data which could be used, among other things, for biometric identification, web conference sessions (with audio or video contributions of students) may only be recorded with their explicit consent in accordance with Art. 9 (2) lit. a) GDPR.
Technische Hochschule Lübeck does not use these records for the creation of biometric profiles or for biometric identification. The meta data (IP address and browser identification) that is collected during the web conference will be stored for the purpose of providing a reliable technical operation, troubleshooting and error analysis. This form of processing constitutes a legitimate interest under Art. 6 para. 1 lit. f GDPR.
The above data is used for the purpose of online teaching and blended learning, primarily for the transfer of teaching content to students in different locations and as a tool that enables group work from remote locations. The log data/metadata (IP address, browser identification) of the web conferences are automatically deleted after a retention period of 7 days.
4.7 Areas of Responsibility of the Content ProvidersMoodle is a publication platform for course content that is prepared and offered by the respective content providers (e.g. lecturers of the departments or central service facilities of the university).
Course coordinators (at least with the role of "Assistant Teacher") have the possibility to connect external services (e.g. YouTube, WikiMedia, etc.) and transfer files to Moodle. These services are not operated by Technische Hochschule Lübeck and are subject to the procedures of the external provider with regard to security and data protection. The external repositories are marked as such. A transfer of personal data from the learning platform to the providers of external content is not possible.
5 Duration of Data Storage / Deletion Periods
StudentsTHL-IT accounts of students are deactivated 30 days after their exmatriculation and deleted after another 60 days. Users will no longer be able to log into Moodle after deactivation. The Moodle account, including personal details in the corresponding user profile, will be deleted 90 days after their exmatriculation.
It is possible to have your Moodle account deleted before the above-mentioned deadline. To do so, simply send an informal e-mail to the Lernraum team at lernraum(at)th-luebeck.de. If the user is re-enrolled at Technische Hochschule Lübeck before the end of the deletion period, the Moodle account will be retained.
The data from the participation in the course will be stored until the course is deleted. Examination-relevant results from tests, learning packages and tasks as well as data on completion and overall assessment are stored until the statutory retention obligations have expired.
Voluntarily provided profile data can be deleted by the user at any time.
Courses are usually reused in the semester after the next. Any personal data will be deleted during this process. Courses that are not going to be used again are moved by the Lernraum-Team to the (invisible) "Archive" area, later to the "Pre-delete" area before they are finally deleted.
Employees, Full-time Teachers and LecturersTHL-IT accounts of employees are blocked on the day of resignation and deleted 60 days later. THL-IT accounts for professors are blocked one year after they leave and deleted 60 days later. THL-IT accounts for lecturers are blocked 210 days after leaving and deleted 60 days later.
Once the THL-IT account has been blocked, it is no longer possible to login to Moodle. The Moodle account, including the personal data in the associated user profile, will be deleted within 24 h after the THL-IT account has been deleted.
6 Rights of the Data Subject
6.1 Right to be Informed - Art. 15 GDPRUsers have the right to obtain confirmation from Technische Hochschule Lübeck as to whether or not personal data concerning them are being processed.
Where that is the case, the following information can be requested:
(1) the purposes of the processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data are not collected from the data subject, any available information as to their source;
(8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
6.2 Right to rectification - Art. 16 GDPRUsers have the right to obtain from Technische Hochschule Lübeck without undue delay the rectification of inaccurate or incomplete personal data concerning them.
6.3 Right to Restriction of Processing - Art. 18 GDPR(1) Users shall have the right to obtain from the controller the restriction of the processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c)the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
(2) Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
(3) A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Restriction of the right to process data for scientific, historical or statistical research purposes:
The above mentioned right may be limited to the extent that it is likely to prevent or seriously hamper the realization of research or statistical purposes and the limitation is necessary for the realization of the research or statistical purposes.
Restriction of the right to process data for scientific, historical or statistical research purposes:The above mentioned right may be limited to the extent that it is likely to prevent or seriously hamper the realization of research or statistical purposes and the limitation is necessary for the realization of the research or statistical purposes.
6.4 Right to Erasure - Art. 17 GDPRUnder the following conditions, users may request the deletion of personal data if one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the user withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing;
(c) the user objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
Exceptions:The right to erasure does not apply if processing is necessary:
(a) to exercise the right to freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defense of legal claims.
6.5 Notification Obligation - Art. 19 GDPRIf users have asserted the right to rectification, erasure or restriction of processing, the controller is obliged to notify all recipients to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort.
The controller has to inform the users about those recipients if the data subject requests it.
6.6 Right to withdraw consent -Art. 7(3) GDPRData subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Please send the revocation informally to the controller with whom you have agreed to the data processing. (see also the separate data privacy statement for alumni and for individuals involved in teaching or research at Technische Hochschule Lübeck).
6.7 Right to Object - Art. 21 GDPR(1) The users have the right to object at any time, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
(2) Where personal data are processed for direct marketing purposes, the users have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.
(3) Where the user objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.
(5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the users may exercise their right to object by automated means using technical specifications
Limitation of the right to object regarding data processing for scientific, historical or statistical research purposes.(6) Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the users, on grounds relating to their particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
6.8 Right to Lodge a Complaint - Art. 77 GDPRUsers have a right to lodge a complaint with a supervisory authority(Art. 77 GDPR). In the event of an infringement of legal provisions for the protection of their personal data, they may contact the supervisory authority. The supervisory authority is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
PO Box 71 16
Phone: 04 31/988-12 00
Fax: 04 31/988-12 23
7 Legal BasisDatenschutz-Grundverordnung (EU-DSGVO)
Landesdatenschutzgesetz Schleswig-Holstein (LDSG)
Landesverordnung zur Erhebung und Verarbeitung personenbezogener Daten für Verwaltungszwecke der Hochschule und der Berufsakademie (StudDatenVO)
Hochschulgesetz – Schleswig-Holstein
Einschreibordnung (Satzung) der Technischen HochschuleLübeck
Weitere Informationen zum Datenschutz finden Sie auf den Webseiten des Unabhängigen Landeszentrums für Datenschutz Schleswig-Holstein:
Corona-Satzung Studium und Prüfung
Corona-Ergänzungssatzung Elektronische Prüfungen
§2 Rights of UseAll those who are studying, teaching and conducting research at Technische Hochschule Lübeck are entitled to use this software. This implies also all of those who are engaged in a teaching or research relationship with the University.
§3 Registration(1) The use of the service requires you to open an account. University members can use their THL-IT account to log on to the learning platform.
(2) Members of the university use the password of their THL-IT account. External users will receive their own password, which must be kept strictly confidential and cannot be disclosed to third parties.
§4 Obligations of the Users(1) The use of the LMS is exclusively for university purposes. Any other use, in particular for business, commercial or private purposes, is not permitted.
(2) All users are obligated to treat the data of other users as strictly confidential and are not to pass them on without the written consent the person concerned. This applies especially to the names and e-mail addresses of other users.
(3) The contact between operator and user is handled exclusively via the user's e-mail account registered with the system. Users have to make sure that they can be contacted via this account.
(4) It is not permitted to use the statistical data of the LMS for performance and behavior checks and assessments.
(5) Every user is obliged to comply with all legal provisions, in particular the copyright law and data protection.
(6) Every user is responsible for ensuring that the content they post does not violate the rights of third parties and does not violate any other legal regulations, in particular copyright, competition or data protection regulations. It is not permitted to exchange, use or distribute copyright-protected material via the LMS if the legal requirements for this are not met. Copyrightable material or part of such material, e.g. course material, templates, excerpts from other works, images etc., which are used in the LMS and/or which are explicitly created for the LMS, may not be used outside the LMS and/or passed on to third parties. Prior to setting links, the linked contents must be checked for infringements. Links to unlawful sites, especially those with extremist, inciting or insulting content, are not permitted.
(7) The rules specified by paragraph 6 also apply to all other forms of communication within the LMS.
(2) Unauthorized use of the LMS occurs if
(a) data is modified, deleted, suppressed or rendered unusable without authorization,
b) material from unconstitutional organizations or unconstitutional ideology or ideas is disseminated, especially racist and xenophobic ideas,
c) pornography is distributed,
(d) offences against personal dignity, in particular insults or defamation occur,
f) the image/ reputation of Technische Hochschule Lübeck is damaged or the use is in conflict with its vested interests.
(3) Technische Hochschule Lübeck reserves itself the right to carry out random checks on the content of the course materials provided. Contents that violate applicable law can be removed by the provider without prior notice.
(2) Excluded users can be re-admitted if it is ensured that they will not engage in any further misconduct.
(3) Paragraphs 1 and 2 also apply if the provider of the LMS has reasonable cause to suspect that internal security measures have been undermined (e.g. e-mail misuse, the use of harmful components such as viruses, worms, or Trojans).
(4) In the interest of an efficient system management, Technische Hochschule Lübeck reserves itself the right to delete authorizations of users (without further notice) whose THL-IT account is no longer valid.
§7 Compliance with other Regulations(1) The framework regulations for the use of the communication and data processing infrastructure of Technische Hochschule Lübeck have to be observed as far as the user is bound by them. https://intranet.th-luebeck.de/dokumente/Weitere%20Satzungen/2010-12-15_Benutzungsrahmenordnung.pdf
(2) The rules and regulations concerning teaching and examinations have to be observed.
(2) The provider cannot guarantee the permanent availability of the online service. The provider strives to avoid temporary operational disruptions due to maintenance and/or internal disruptions of the system but cannot guarantee either.
(3) Technische Hochschule Lübeck is only liable for grossly negligent and intentional breaches of its obligations. This also applies to damages to the technical devices of the user caused by activities such as the download of software or material.
§9 Rights of Use(1) Upon registration, the user is granted a simple, non-transferable right to use the LMS.
(2) Technische Hochschule Lübeck remains the owner of all other property rights, copyrights, exploitation and other rights. This also applies if the user legally modifies data or connects it to his / her own programs or databases. In this happens or when program copies are made, the user has to attach a copyright notice that refers to TH Lübeck.
(3) Copyrights held by the user remain with the user.
(4) Storage capacity made available to the user may only be used to store the content created.