Related to the usage of our Learning Management System (LMS) personal data is being collected and processed. This data is linked to a user account and thus to a real person. The system administrators ensure that user accounts only receive internal access to this information, which they require in the course of their duties.
Data transmission to a third-party is excluded, as long as the user has not given permission. This reglementation can be overruled by federal or state law which obligate the Stralsund University of Applied Sciences (HOST) to transmit data.
Individual data in the LMS can be collected and processed by the HOST teachers as part of their teaching duties. In addition, components of the data collection are processed to the necessary extent for the purpose of continuous improvement of the LMS.
There is no automated decision-making or profiling, according to arcticle 22 of the General Data Protection Regulation (GDPR) within the LMS.
Within a course test results can be used as proof for a necessary qualification and / or as final exam for the course. These tests can be assessed automatically and subsequently be evaluated and edited by teaching staff.
§1.1 Registration / Login to the LMS
For usage of The LMS a personal user-account is required. Every HOST Member can login to the LMS using the respective university-account. That refers to the credentials that are used to university services like the webmailer.
During first logon with the university account the personal user-account in the LMS is created. With every further login the data of the university system and the LMS are synchronized.
Persons without a valid university-account can request a separate- or guest account from the system-administrator.
Synchronized data of the university-system are the general login (e-mail address), first- and last name, e-mail-address and personal- respectively group-identifier (faculty, program, semester, etc.).
§1.2 End of an usage authorization
The authorization to use the LMS expires as soon as the system user leaves the HOST or after the expiration of the limited access.
The HOST may suspend an access authorization in whole or in part or terminate a user authorization if the LMS is actively used by a user ID in a manner that, in the view of HOST, constitutes a violation of these terms and conditions or that may lead to a disadvantage for HOST in some other way, in particular if there is suspicion of a criminal offense, misuse of rights or violation of the rights of third parties. This applies to the use of an access authorization of the person assigned accordingly or by a third-party. The suspensions or termination of an access authorization may also be caused by the exercise of individual rights of the system user (see §1.8).
Once a user-authorization is terminated, there a no rights of reinstation against the HOST. If, in the view of the system user, usage rights have been wrongfully withdrawn, the user can submit a written request for reinstatement to the system administrators. These cases will be examined, and individual persons or departments of the HOST may be involved. The latter falls under §1.6.1.
§1.3 Which data are stored?
- Master data are informations of the user account, e.g. name, e-mail address (see §1.1). They can be partially viewed and conditionally edited in the respective profile settings.
- Inventory data are generated by the user account during interaction with courses and their activities (forums, wikis, task submissions, etc.). They can also be generated by predefined technical processes, such as the automatic assessment of tests, or by manual entries made by the person responsible for the course and assigned to a user account.
- Transaction data summarizes information that can be used, for example, to track when which page was accessed, which courses were used, or which performance results were achieved. This also includes the temporary storage of individual connection data. Individual activities in the LMS can be excluded from the storage of transaction data. If an activity can be used anonymously, it is marked accordingly. This can be a course evaluation, for example.
- Diagnostic data (automatic storage of master, inventory and transaction data) are collected to ensure or increase system stability, performance and security.
- Session cookie: This cookie is necessary so that the LMS can identify the active user account across multiple page views without having to re-authenticate or log in each time the user changes pages. The cookie is set the first time the LMS is called up and remains until the user account logs out of it, the browser is closed or the cookie is removed from the browser.
§1.5 Who has access to which data?
In the LMS, individual classes are mapped as courses. A course is always a part of a course area, e.g. a faculty or a study program, whereby individual course areas can be nested within each other. User accounts can be assigned separate roles and/or permissions at the level of courses and course areas. In this way, user accounts are given the opportunity to manage courses and course areas, to design their content and, if necessary, to grant other people the corresponding authorizations.
The descending valence of roles in the LMS is:
Administrator > Manager > Trainer > Participant > User
- If a course is not explicitly released for guests or accessible via an unprotected enrollment procedure, it can only be viewed by a certain group of people. The group of persons is defined by the person responsible for the course, usually the role of trainer, or a higher-ranking role.
- Participants have access to courses for which they have been activated by trainers or managers and can participate in or use activities within the guidelines of the course owner. They can see data (name, email address, etc.) and course content of other members of the course.
- Course owners, in the role of trainer, have access and editing rights for the respective course. They can configure the course, its content and activities, as well as access to them, i.e. control roles and permissions. In the user administration area of a course, the responsible persons can access the participant list and thus the public master data of the registered user accounts. They can also access all names and e-mail addresses in the LMS in the user administration area. In addition, the course administrators can access all generated content of the registered user accounts within the course.
- Managers are area administrators who, for example, perform administrative tasks in the LMS of a faculty. They have permissions for course areas, create sub-course areas and courses, assign rights and support course administrators in the use and configuration of courses. Managers have at least the same permissions within an area as the trainers themselves.
- Administrators are entrusted with the technical management of the LMS and have permissions for the entire system. They have full access to all data of the LMS.
§1.6 Data sharing
In certain scenarios, the LMS transfers personal data to technical third-party systems. This happens in the interest of the user account, with a specific purpose, and is capped by the user's consent (see §1).
§1.6.1. HOST's technical third-party systems
In order to improve and maintain it-supported processes of teaching and learning, the IT landscape of the HOST connected to the LMS may be expanded or changed by third-party systems. Individual systems are listed below.
The change of the IT landscape and the associated transfer of personal data within the HOST does not have to be comprehensively recorded in these data protection provisions.
§126.96.36.199. Support requests
Support requests of any kind can be transferred to the HOST ticket system (https://topdesk.hochschule-stralsund.de). This transfer of personal data can be performed automatically or manually. The transfer of personal data is kept to a minimum (name and/or e-mail address).
If a support request falls under the direct responsibility of an employee of the HOST who is not part of the support staff of the LMS, the request will be forwarded to this employee for further processing.
§188.8.131.52 Videoconferencing systems
If a user account from the LMS joins a video conference in the BigBlueButton system of the HOST (https://bbb.hochschule-stralsund.de), the user agrees that the name of the account will be transferred to the system and processed there for a specific purpose. In the BigBlueButton system, the terms of service, data usage information and data protection information apply.
§1.6.2. Third-party IT landscape
In individual cases, personal data may be transferred to third-party systems that are not operated by the HOST.
§184.108.40.206. Data transfer through embedded third-party content
The LMS has various input options for source / HTML code. With these functions, course administrators or participants can integrate third-party content into areas of the LMS. Examples include embedded YouTube videos or similar content based on iframes or embedding.
Embedded third-party content can behave exactly as if the provider's website in question is visited directly. In this way, these websites can collect personal data, store cookies, embed additional third-party tracking services and record interaction with the embedded content.
For embedded third-party content, data subjects are therefore subject to the privacy policies of the providers of this content.
The system administrators have no influence on such course content. No liability claims can be asserted against the HOST as operator of the LMS which are attributable to embedded third-party content.
§220.127.116.11. Access to external application programming interfaces (APIs) and content delivery networks (CDNs)
Individual LMS extensions have access to external CDNs via an API. For some course components, the use of these services is indispensable. The integration of corresponding extensions is under the legal basis of artical 6 para. 1 f) GDPR.
The LMS uses services from
1600 Amphitheatre Pkwy
Mountain View, California 94043, USA
§1.7 Data deletion
If there are no legal time limits for the retention of data, it will be removed from the LMS as soon as it is no longer relevant for collection purposes or the revocation of the usage agreement has been formulated by a user account.
- Data created via a user account (information in the user profile, forum entries, etc.) can be deleted by the user.
- Master data of a user account will be stored until it is deleted. The deletion is determined by:
- A period of six months after the de-registration of students.
- A period of inactivity of two years after the last login.
- Inventory data created during interaction with courses or its activities are stored until the course is deleted. Results from tests, learning packages, and assignments, as well as course completion and overall assessment data, are stored for a maximum period until the expiration of legal retention obligations. There is no entitlement to deletion of data if it was created by a user account and it is in context with information of other system users.
- Transaction data (log data) are deleted from the LMS after 30 days.
§1.8 User rights
Users of the LMS have various rights against the system administrators in relation to personal data storage. If the LMS obtains individual data from third-party systems, such as parts of the master data of a user account, this information can only be accessed, corrected or deleted by the respective system administrators of the corresponding services.
- Right of information (Article 15 GDPR): BUsers have the right of information about the storage and processing of personal data. In the context of the LMS, this data is to be considered master data and can be viewed independently in the user profile.
- Right of correction (Article 16 GDPR): Users have the right to correct incorrect personal data. This master data can be edited independently in the user profile if it has been stored independently by a user account. Master data that cannot be edited directly in the LMS originates from a third-party system. Due to processing times, such change requests should be ordered directly from the study office.
- Right of restriction of processing (Article. 18 GDPR): The system owners shall ensure that personal data with restricted processing rights is only made accessible to groups of persons who need to process this data. Technical procedures for anonymization and/or pseudonymization can be used for this purpose. If a user exercises this right, this may result in the user's access to the LMS being revoked.
- Right of data portability (Article 20 GDPR): Users can make a claim, subject to compliance with legal requirements, to receive data produced by them independently, in an electronic format, with the right to use it in other contexts. In this context, business secrets, personal rights or copyrights, etc. may lead the system operator to suspend the transfer of data.
- Right of objection (Article 21 GDPR): Users may object to further use of personal data under legal conditions. In the case of an objection, this circumstance becomes effective for future work of the system operator. The objection itself is not an automatic obligation of the system operator to delete data. If the responsible party has storage obligations for other legal reasons, these take precedence. If a user takes advantage of this right, this may result in the user's access to the LMS being revoked.
- Right of withdrawal (Article 7 para. 3 GDPR): Users have the right to revoke their consent to the processing of personal data for future work of the system operator. In the event of a revocation, the data collected up to that time shall remain in the status of lawful collection. The withdrawal itself is not an automatic obligation of the system operator to delete data. If a user takes advantage of this right, this may result in the user's access to the LMS being withdrawn and thus participation in courses no longer possible. This right may be restricted for persons with an employment relationship with the HOST.
By requesting deletion, restriction or revocation of a user, the use of the LMS can be prevented with immediate effect and the user account can be deactivated or deleted. This means that it is no longer possible to view information stored in the LMS, participate in courses and interact with activities there. Depending on the course format, this may affect collaboration with teachers and/or learners as well as participation in (compulsory) courses and assessments.
§2 Responsible entities
§2.1 System support
zur Schwedenschanze 15
18435 Hansestadt Stralsund
Tel.: +49 (0) 3831 45 6592
E-mails sent to the specified e-mail address can be processed in the HOST ticket system (see §1.6.1).
§2.2 Data Protection Officer
Tel.: +49 (0) 385 545 5203