Privacy Policy v4 (20.04.2022)

 
  1.   GENERAL

    At Graz University of Technology, protecting your data is a top priority. Detailed information on data processing in the publicly accessible sections of the website is provided in the General Privacy Policy. The following privacy policy, specific to the iMooX platform, provides additional information on data processing in the user-restricted sections of the iMooX platform (hereinafter: platform).

  2.   CONTACT

    The responsible party for the processing of your personal data within the scope of operation is the Graz University of Technology (hereinafter: TU Graz), Rechbauerstraße 12, 8010 Graz.
    The data protection officer of TU Graz is x-tention Informationstechnologie GmbH, Römerstraße 80A, 4600 Wels, datenschutzbeauftragter@tugraz.at.
    If you have any data protection concerns, please contact datenschutz@tugraz.at or the respective course providers.
    The persons responsible for the processing of personal data in the course (see point 4) are, in principle, the providers of the respective course.

  3.   CATEGORIES OF PERSONS AND DATA

    In the process of using the platform, the following categories are processed by TU Graz in the course of its operation:

    • All users registered on the platform who have an account: Master data (Moodle userID, first name, last name, email address), IT security data (IP address, log data), profile data (confirmation of participation, voluntary data such as profile pictures, etc.), standardized feedback/questionnaires, newsletter
    • For users with an EduID account: Additional master data (institution affiliation, user institution ID)
    • Course instructors/certified course creators: Additionally, academic degree, personal information, teaching materials, image and sound recordings
    • Co-operation partners: Information on the legal person

    In the course of participation in a course, the following categories are processed by the respective providers as part of the course:

    • All users registered for the course: contact details (first and last name, email address), course data (enrolled course, data related to course activities, course responses, results, assignments, badges, entries in forums, etc.).

  4.   PURPOSE AND LEGAL BASIS

    The platform serves to support the public dissemination of teaching and learning content for students, staff as well as external persons in order to make education freely accessible. The processing of personal data takes place

    by the TU Graz for the following purposes

    • Operation of the platform (administration, user management, public relations, participation confirmations, etc.)
    • quality assurance of online teaching (statistical evaluation)
    • technical provision of the platform and ensuring smooth use (data security)
    • scientific research (in anonymized and pseudonymized form)

    by the providers for the following purposes

    • Organizational and administrative activities in the course (optional feedback/questionnaires, badges, notifications, visualization of the course and the course management etc.)
    • Implementation of the didactic concept - see details in the course description (features - quiz, forum, videos, notifications etc.)

    Data processing for the purpose of fulfilling a contract to which the data subject is party takes place on the legal basis of Art 6 (1) b GDPR (processing necessary for the performance of a contract – Condition of Use/implementation of courses - fulfilment of pre-contractual measures).
    Data processing in connection with the performance of tasks in the public interest or in the exercise of official authority is based on Art 6 para lit e GDPR in conjunction with §§ 2, 3 and 13 UG 2002 (operation of the platform - quality assurance of online teaching, scientific research).
    The legal basis for data processing of voluntarily uploaded and/or used content and/or services (e.g. profile pictures, newsletters) including any resulting sensitive data[1] is your consent according to Art 6 para 1 lit a GDPR or Art 9 para 2 lit a GDPR.
    To ensure data security, the processing of personal data is carried out in the overriding legitimate interest of Graz University of Technology according to Art 6 para 1 lit f GDPR.


  5.   INTERNAL SERVICES AND INTERNAL DATA TRANSFER

    MATOMO ANALYSIS TOOL WITH ANONYMISATION FUNCTION
    Our means of ensuring the quality of online instruction is to use our own TU Graz Analytics tool based on the open-source web analysis service Matomo. This requires analysis cookies to enable us to statistically evaluate the content accessed (e.g., creating reports on website activity). The information is only saved once the respective IP address has been shortened and/or anonymised. The shortened IP address thus no longer provides any conclusive information about the original user. When using this website analysis tool, no personal data is transferred to third parties. The data is processed exclusively on secure servers of TU Graz.

    LOG DATA
    Log data essential for technical purposes is stored when using the platform. This allows Graz University of Technology to identify, limit and eliminate system malfunctions, system errors that limit the availability of online services and unauthorised access to our systems. The log data is not linked to other personal data. The following data categories are processed: Date and time of a query, name and URL of the resources accessed, data volume (in bytes) of the requested and/or accessed resource, response from the server (e.g., http status code), identification data of the browser and operating system used, the website from which the access was made, IP address, MAC address, and user name.

  6.   RECIPIENTS

    Only those personal data will be transmitted to the providers that are necessary for the processing of the course.

  7.   THIRD COUNTRY TRANSFER

    YOUTUBE
    The providers can integrate plugins (videos) of the provider YouTube in the course as part of the didactic concept. When calling up the platform or the course, no user data is transmitted to YouTube. The videos only appear as preview images. The video content is only loaded and played once the user has given consent by actively clicking on the "Start video" link. By doing so, the user agrees to the data transmission, on the basis of which personal data (e.g., IP address) are transmitted to YouTube. When using YouTube, data may be transmitted to the USA (third country). YouTube or Google LLC are considered an electronic communication service within the meaning of 50 U.S. Code § 1881 (b) (4) and as such are subject to surveillance by US agencies in accordance with 50 U.S. Code § 1881a ("FISA 702"). Compliance with the European data protection requirements cannot therefore be guaranteed. The transfer of such personal data to a third country for a specific purpose takes place in accordance with the exemption clause of Art 49 (1) a GDPR once the user has given his or her consent after having been informed about the risks. For more information about the processing and use of personal data by YouTube, please refer to the Privacy Policy of the service provider: Google LLC, 1600 Amphitheater Parkway, Mountain View, California 94103, USA. Privacy Policy: https://policies.google.com/privacy/partners

  8.   STORAGE PERIODS (CRITERIA USED TO DETERMINE THE PERIOD)

    GENERAL
    The log data is generally stored for eight weeks. Depending on the system, data may be stored for a longer period, but not longer than twelve months.

    PERFORMANCE OF A CONTRACT/PRE-CONTRACTUAL STEPS
    We will store your personal data for as long as is necessary to fulfil the contract or to carry out pre-contractual steps.

    IN CASE OF PUBLIC INTEREST
    We will process the data for as long as this is necessary to serve the public interest or until justified objections are raised.

    IN CASE OF CONSENT
    If you have given us your consent to the processing of your data, your personal data will be stored until you withdraw your consent. In the event of you withdrawing your consent, only your data that is necessary for the purpose of proving your consent or its withdrawal will be stored for a period of three years from withdrawal.
    Furthermore, your data is only stored if statutory retention periods or limitation periods regarding potential legal claims apply.

  9.   RIGHTS OF DATA SUBJECTS

    You have the right to information, rectification, portability, restriction of processing, objection and erasure of data, whereby it is noted that it is not possible to use the iMooX platform without processing personal data. Besides these, you also have the right to withdraw your consent to the processing of data (in case of consent). However, bear in mind that withdrawal of consent does not affect the legality of the processing of your data retrospectively. Also, the exercise of these rights cannot override contractual or statutory obligations.
    You also have a right to make a complaint to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Wien.

[1] Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.