The following terms and conditions apply to all registered users of the free learning management system (LMS) Moodle used by Stralsund University of Applied Sciences (HOST). URL of the LMS: https://moodle.hochschule-stralsund.de

This document does not explicitly use the masculine and feminine forms of address. In all places where only the masculine form is used, the feminine form is always meant as well.

Preambel

The LMS is used at the HOST to provide technical support for digital teaching. Offers (courses, etc.) within the LMS can be created and accessed by members of the HOST, provided that they observe the IT regulations of the Center for Information and Communication Technology.
Use for other purposes (research, etc.) is possible as long as the conditions of use are observed and the regular operation of the LMS is not impaired. For the additional purposes mentioned, this condition of use may not be sufficient. This must be determined on a case-by-case basis by the system users.

The LMS will be in trial use from the winter semester 2021. The range of functions, visual design, etc. may change until the university-wide rollout.
The use of the LMS for online examinations is not supported, as requirements such as reliability or archiving, which are necessary for online examinations, cannot currently be guaranteed and there is no corresponding approval under examination law.

The use of the LMS is basically voluntary. It can be used as a mandatory part of a course for didactic and/or technical reasons.

§1 Privacy Policy

Related to the usage of our Learning Management System (LMS) personal data is being collected and processed. This data is linked to a user account and thus to a real person. The system administrators ensure that user accounts only receive internal access to this information, which they require in the course of their duties.

Data transmission to a third-party is excluded, as long as the user has not given permission. This reglementation can be overruled by federal or state law which obligate the Stralsund University of Applied Sciences (HOST) to transmit data.

Individual data in the LMS can be collected and processed by the HOST teachers as part of their teaching duties. In addition, components of the data collection are processed to the necessary extent for the purpose of continuous improvement of the LMS.

There is no automated decision-making or profiling, according to arcticle 22 of the General Data Protection Regulation (GDPR) within the LMS.
Within a course test results can be used as proof for a necessary qualification and / or as final exam for the course. These tests can be assessed automatically and subsequently be evaluated and edited by teaching staff.

§1.1 Registration / Login to the LMS

For usage of The LMS a personal user-account is required. Every HOST Member can login to the LMS using the respective university-account. That refers to the credentials that are used to university services like the webmailer.

During first logon with the university account the personal user-account in the LMS is created. With every further login the data of the university system and the LMS are synchronized.
Persons without a valid university-account can request a separate- or guest account from the system-administrator.

Synchronized data of the university-system are the general login (e-mail address), first- and last name, e-mail-address and personal- respectively group-identifier (faculty, program, semester, etc.).

§1.2 End of an usage authorization

The authorization to use the LMS expires as soon as the system user leaves the HOST or after the expiration of the limited access.

The HOST may suspend an access authorization in whole or in part or terminate a user authorization if the LMS is actively used by a user ID in a manner that, in the view of HOST, constitutes a violation of these terms and conditions or that may lead to a disadvantage for HOST in some other way, in particular if there is suspicion of a criminal offense, misuse of rights or violation of the rights of third parties. This applies to the use of an access authorization of the person assigned accordingly or by a third-party. The suspensions or termination of an access authorization may also be caused by the exercise of individual rights of the system user (see §1.8).

Once a user-authorization is terminated, there a no rights of reinstation against the HOST. If, in the view of the system user, usage rights have been wrongfully withdrawn, the user can submit a written request for reinstatement to the system administrators. These cases will be examined, and individual persons or departments of the HOST may be involved. The latter falls under §1.6.1.

§1.3 Which data are stored?

  • Master data are informations of the user account, e.g. name, e-mail address (see §1.1). They can be partially viewed and conditionally edited in the respective profile settings.
  • Inventory data are generated by the user account during interaction with courses and their activities (forums, wikis, task submissions, etc.). They can also be generated by predefined technical processes, such as the automatic assessment of tests, or by manual entries made by the person responsible for the course and assigned to a user account.
  • Transaction data summarizes information that can be used, for example, to track when which page was accessed, which courses were used, or which performance results were achieved. This also includes the temporary storage of individual connection data. Individual activities in the LMS can be excluded from the storage of transaction data. If an activity can be used anonymously, it is marked accordingly. This can be a course evaluation, for example.
  • Diagnostic data (automatic storage of master, inventory and transaction data) are collected to ensure or increase system stability, performance and security.

§1.4 Cookies

The use of cookies is in the interest of the system user. Individual pages or functions of the LMS cannot be displayed or used correctly without the active use of cookies.

  • Session cookie: This cookie is necessary so that the LMS can identify the active user account across multiple page views without having to re-authenticate or log in each time the user changes pages. The cookie is set the first time the LMS is called up and remains until the user account logs out of it, the browser is closed or the cookie is removed from the browser.
  • Usability cookies: Individual components of the learning platform use cookies to increase user-friendliness - for example, to save the state of displayed or hidden web page elements across multiple page views.

§1.5 Who has access to which data?

In the LMS, individual classes are mapped as courses. A course is always a part of a course area, e.g. a faculty or a study program, whereby individual course areas can be nested within each other. User accounts can be assigned separate roles and/or permissions at the level of courses and course areas. In this way, user accounts are given the opportunity to manage courses and course areas, to design their content and, if necessary, to grant other people the corresponding authorizations.

The descending valence of roles in the LMS is:
Administrator > Manager > Trainer > Participant > User

  • If a course is not explicitly released for guests or accessible via an unprotected enrollment procedure, it can only be viewed by a certain group of people. The group of persons is defined by the person responsible for the course, usually the role of trainer, or a higher-ranking role.
  • Participants have access to courses for which they have been activated by trainers or managers and can participate in or use activities within the guidelines of the course owner. They can see data (name, email address, etc.) and course content of other members of the course.
  • Course owners, in the role of trainer, have access and editing rights for the respective course. They can configure the course, its content and activities, as well as access to them, i.e. control roles and permissions. In the user administration area of a course, the responsible persons can access the participant list and thus the public master data of the registered user accounts. They can also access all names and e-mail addresses in the LMS in the user administration area. In addition, the course administrators can access all generated content of the registered user accounts within the course.
  • Managers are area administrators who, for example, perform administrative tasks in the LMS of a faculty. They have permissions for course areas, create sub-course areas and courses, assign rights and support course administrators in the use and configuration of courses. Managers have at least the same permissions within an area as the trainers themselves.
  • Administrators are entrusted with the technical management of the LMS and have permissions for the entire system. They have full access to all data of the LMS.

§1.6 Data sharing

In certain scenarios, the LMS transfers personal data to technical third-party systems. This happens in the interest of the user account, with a specific purpose, and is capped by the user's consent (see §1).

§1.6.1. HOST's technical third-party systems

In order to improve and maintain it-supported processes of teaching and learning, the IT landscape of the HOST connected to the LMS may be expanded or changed by third-party systems. Individual systems are listed below.

The change of the IT landscape and the associated transfer of personal data within the HOST does not have to be comprehensively recorded in these data protection provisions.

§1.6.1.1. Support requests

Support requests of any kind can be transferred to the HOST ticket system (https://topdesk.hochschule-stralsund.de). This transfer of personal data can be performed automatically or manually. The transfer of personal data is kept to a minimum (name and/or e-mail address).

If a support request falls under the direct responsibility of an employee of the HOST who is not part of the support staff of the LMS, the request will be forwarded to this employee for further processing.

§1.6.1.2 Videoconferencing systems

If a user account from the LMS joins a video conference in the BigBlueButton system of the HOST (https://bbb.hochschule-stralsund.de), the user agrees that the name of the account will be transferred to the system and processed there for a specific purpose. In the BigBlueButton system, the terms of service, data usage information and data protection information apply.

§1.6.2. Third-party IT landscape

In individual cases, personal data may be transferred to third-party systems that are not operated by the HOST.

§1.6.2.1. Data transfer through embedded third-party content

The LMS has various input options for source / HTML code. With these functions, course administrators or participants can integrate third-party content into areas of the LMS. Examples include embedded YouTube videos or similar content based on iframes or embedding.

Embedded third-party content can behave exactly as if the provider's website in question is visited directly. In this way, these websites can collect personal data, store cookies, embed additional third-party tracking services and record interaction with the embedded content.
For embedded third-party content, data subjects are therefore subject to the privacy policies of the providers of this content.

The system administrators have no influence on such course content. No liability claims can be asserted against the HOST as operator of the LMS which are attributable to embedded third-party content.

§1.6.2.2. Access to external application programming interfaces (APIs) and content delivery networks (CDNs)

Individual LMS extensions have access to external CDNs via an API. For some course components, the use of these services is indispensable. The integration of corresponding extensions is under the legal basis of artical 6 para. 1 f) GDPR.

The LMS uses services from

Google LLC
1600 Amphitheatre Pkwy
Mountain View, California 94043, USA
, in order to generate and display, for example, graphical representations of the results of live surveys, tooltips and QR code graphics. When you call up such a component of the LMS, content is transferred from the Google servers to your device. In this process, Google can gain knowledge that the LMS was used at a certain point in time via your IP address. You can find more information about Google services in Google's privacy policy: https://policies.google.com/privacy?hl=en

§1.7 Data deletion

If there are no legal time limits for the retention of data, it will be removed from the LMS as soon as it is no longer relevant for collection purposes or the revocation of the usage agreement has been formulated by a user account.

  • Data created via a user account (information in the user profile, forum entries, etc.) can be deleted by the user.
  • Master data of a user account will be stored until it is deleted. The deletion is determined by:
    • A period of six months after the de-registration of students.
    • A period of inactivity of two years after the last login.
  • Inventory data created during interaction with courses or its activities are stored until the course is deleted. Results from tests, learning packages, and assignments, as well as course completion and overall assessment data, are stored for a maximum period until the expiration of legal retention obligations. There is no entitlement to deletion of data if it was created by a user account and it is in context with information of other system users.
  • Transaction data (log data) are deleted from the LMS after 30 days.

§1.8 User rights

Users of the LMS have various rights against the system administrators in relation to personal data storage. If the LMS obtains individual data from third-party systems, such as parts of the master data of a user account, this information can only be accessed, corrected or deleted by the respective system administrators of the corresponding services.

  • Right of information (Article 15 GDPR): BUsers have the right of information about the storage and processing of personal data. In the context of the LMS, this data is to be considered master data and can be viewed independently in the user profile.
  • Right of correction (Article 16 GDPR): Users have the right to correct incorrect personal data. This master data can be edited independently in the user profile if it has been stored independently by a user account. Master data that cannot be edited directly in the LMS originates from a third-party system. Due to processing times, such change requests should be ordered directly from the study office.
  • Right of deletion (Article 17 GDPR): Users have the right of deletion of personal data if it is demonstrably incorrect or if the controller cannot prove a purpose for processing. The right to deletion does not exist if the controller is required by law and/or in the course of his duties to temporarily retain the data in question and the period has not yet expired. The right of deletion does not apply if individual data has been generated independently by a user account and this data is in an indissoluble context with other data. The system administrators are also obliged to comply with the right of deletion after the participation in a course, the termination of studies or employment or a revocation of the terms of use. If this right is exercised by a user, this may be interpreted as a revocation of consent to the terms of service. Accordingly, this may result in the user account being revoked from access to the LMS.
  • Right of restriction of processing (Article. 18 GDPR): The system owners shall ensure that personal data with restricted processing rights is only made accessible to groups of persons who need to process this data. Technical procedures for anonymization and/or pseudonymization can be used for this purpose. If a user exercises this right, this may result in the user's access to the LMS being revoked.
  • Right of data portability (Article 20 GDPR): Users can make a claim, subject to compliance with legal requirements, to receive data produced by them independently, in an electronic format, with the right to use it in other contexts. In this context, business secrets, personal rights or copyrights, etc. may lead the system operator to suspend the transfer of data.
  • Right of objection (Article 21 GDPR): Users may object to further use of personal data under legal conditions. In the case of an objection, this circumstance becomes effective for future work of the system operator. The objection itself is not an automatic obligation of the system operator to delete data. If the responsible party has storage obligations for other legal reasons, these take precedence. If a user takes advantage of this right, this may result in the user's access to the LMS being revoked.
  • Right of withdrawal (Article 7 para. 3 GDPR): Users have the right to revoke their consent to the processing of personal data for future work of the system operator. In the event of a revocation, the data collected up to that time shall remain in the status of lawful collection. The withdrawal itself is not an automatic obligation of the system operator to delete data. If a user takes advantage of this right, this may result in the user's access to the LMS being withdrawn and thus participation in courses no longer possible. This right may be restricted for persons with an employment relationship with the HOST.

By requesting deletion, restriction or revocation of a user, the use of the LMS can be prevented with immediate effect and the user account can be deactivated or deleted. This means that it is no longer possible to view information stored in the LMS, participate in courses and interact with activities there. Depending on the course format, this may affect collaboration with teachers and/or learners as well as participation in (compulsory) courses and assessments.

§2 Usage obligations

  • During the registration of a user account in the LMS, the user is granted a non-transferable right of use for the platform.
  • The use of the LMS for private and / or commercial purposes, as well as for purposes of advertising, marketing or profiling (artical 22 GDPR) is not permitted.
  • All user accounts of the LMS are expressly prohibited from storing, changing, deleting or further processing personal data without authorization.
  • User accounts in the LMS may be provided with their own storage space. These storage areas may only be used for the intended use of the LMS.
  • During the use of user accounts, all system users undertake to comply with legal provisions (data protection law, GDPR, Uhreberrecht, etc.).
  • When creating content in the LMS, system users undertake not to violate legal provisions or to create pornographic, obscene, defamatory, slanderous, insulting, threatening, inciting or racist elements.
  • If system users refer to external Internet sites in individual content areas of the LMS (links), they must ensure that these do not contain any illegal content.

§2.1 Urheberrecht

  • Unless there are explicit markings on posted content of the LMS, all data are protected by copyright.
  • The system users are entitled to use accessible data to the extent offered (e.g. to read, download, print). This right exists exclusively for personal use in the context of teaching, learning and research at the HOST and expressly not for commercial purposes.
  • System users agree not to reproduce, modify, use, sell, transmit, publish, or otherwise make available for any other purpose, any other system user's data.
  • System users agree that data created by them personally, in a course, may be used by other system users in the context of teaching, learning and research.
  • The HOST is not obligated to screen posted content of any kind for copyright infringement in any way.
  • The HOST reserves the right to delete course content or courses that violate legal regulations and to take legal action if necessary.

§2.2 Duties of persons with extended rights

The group of persons with extended rights includes the system users with the roles: trainer, manager or higher (see §1.5)

§2.2.1 Responsibility

Course owners, usually the role of trainer, are responsible for the legally compliant configuration, content and operation of their course.

  • Those responsible for the course must ensure that suitable technical procedures (registration procedures, access keys, etc.) are in place to restrict access to information about the course or its participants to authorized persons or groups. The use of no or an empty course access key is strongly discouraged.

Managers make sure that at least one course owner is assigned to each course created by them.

§2.2.2 Access control

In the LMS, area-dependent access controls can be configured (enrollment method, rights, groups, etc.). These can be made publicly available or, depending on the procedure used, offered to a specific user group in a protected manner.

Those responsible for the course, usually the roles of trainer and manager with the right to administrate access control, undertake to check the roles and rights they have assigned at regular intervals (at least once per semester) to ensure that they are up to date and to adjust them if necessary. Legal requirements, in particular regarding the use and provision of works protected by copyright (UrhWissG) and the collection, processing and disclosure of personal data (GDPR), must be complied with. Access keys are to be changed at least in the time frame mentioned and are to be made available only to the targeted user group. Extended rights may only be granted to persons who are authorized to have these rights (corresponding employment contract or service and teaching contract, etc.).

§2.2.3 Storage of data relevant to the exam

Examination-relevant data must not be stored exclusively in the LMS. Thus, it must not be "converted" into an examination archive. Participant-related data is assigned to a specific user account by the LMS and is lost if the database or user account is deleted. Sustainable data storage over several semesters cannot be guaranteed.

§2.2.4 Information portability of (course-relevant) data

Data exports with the purpose of information porting from one course to another, using data generated by participants, require their prior consent. If the consent of the relevant persons or groups is not available, it must be ensured that no contributions or activities of these participants are transferred during the export.

§2.3 Duties of managers

Managers are obliged to carry out checks on the use of courses and course areas for which they are responsible at regular intervals (at least once a year). If individual components of the LMS are not actively used, managers are required to archive and/or delete the corresponding components, whereby the following aspects should be observed.

  • The creation of duplicate courses should be avoided as far as organizationally possible. The reuse of a course should be realized by resetting all activities with interaction information of course participants.
  • Course rooms, which are part of the regular teaching activities of the HOST, are not deleted at the end of a semester or archived to a special extent. Depending on the timetable and the directives of the course instructors, courses are switched offline in the following semester.
  • If it is necessary for organizational reasons that individual course archives remain, they will be deactivated or deleted at a later point in time by the managers in consultation with the course instructors. This can happen, for example, when there are no more participants in the course.

§3 Other regulations

§3.1 Cancellations from courses / from the system

§3.1.1 System logoffs

System cancellations or suspensions are carried out by the system administrators of the LMS after a period of inactivity of one year.

This regulation is related to §1.2, §1.7 und §1.8. In each case, the circumstance that arrives first is used to carry out systemwork.

§3.2 Liability of the system users

In the case of culpable violations of any kind against the terms of service or legal obligations, the system user is liable for the resulting damage in accordance with legal requirements. Furthermore, a liability claim on the part of the HOST can be asserted according to labor or employment law, civil and criminal law or according to the law of administrative offenses.

§3.3 Liability / Warranty of the HOST

In the role of the operator of the LMS, the HOST is liable exclusively for grossly negligent or intentional breaches of duty. This applies in particular to damages resulting from the receipt and use of data from the LMS, which was entered into the system by regular system users and not by the system administrators. The HOST shall be held harmless for any claims by third parties that are due to the system users non-compliance with copyright laws.

Based on the underlying software components of the LMS, the system users are expressly not guaranteed any specific properties. No guarantee is given that the system will be free of errors. No guarantee is given that the LMS is suitable for the desired purposes of individual users or groups and can work together with existing software.

The HOST does not guarantee the correctness and/or completeness of any data provided in the LMS.

The HOST does not guarantee the backup of any data provided in the LMS. The system users are responsible for a suitable backup of their data outside the LMS. There is no liability claim for data loss or resulting consequential damages.

The HOST does not guarantee that the LMS or its contents will be available to the system users at certain times or during certain periods in a fail-safe manner. The HOST shall not be liable for damages resulting from the unavailability of the LMS or its content. However, the HOST endeavors to keep (technically related) downtimes as short as possible.

§3.4 Modification of the Terms of Service

The HOST reserves the right to change, extend or suspend parts of these terms of service at any time. The system users will be informed of any such changes. The currently valid Terms of Service can be obtained from the LMS.

§3.5 Legal effect of these terms of service

If individual provisions of these Terms of Service do not comply in whole or in part with the applicable legal texts, the remaining components of the Terms of Service shall remain unaffected.

§4 Responsible entities

§4.1 System support

Hochschule Stralsund
zur Schwedenschanze 15
18435 Hansestadt Stralsund

Tel.: +49 (0) 3831 45 6592
E-mail: lms@hochschule-stralsund.de

E-mails sent to the specified e-mail address can be processed in the HOST ticket system (see §1.6.1).

§4.2 Data Protection Officer

René Schülke
Tel.: +49 (0) 385 545 5203
E-mail: datenschutz@hochschule-stralsund.de

§5 Privacy policy and terms of service statement

By confirming the terms of service, the system user …

  1. confirms that he has read and agreed to the terms of use.
  2. acknowledges which personal data will be collected and, if applicable, processed.
  3. acknowledges which rights and obligations he has.
  4. confirms that published data in the LMS can be processed on a technical level and made available to other system users.