Privacy Policy v2 (20.01.2021)


  1.   GENERAL

    At Graz University of Technology, protecting your data is a top priority. Detailed information on data processing in the publicly accessible sections of the website is provided in the General Privacy Policy. The following privacy policy specifically for iMooX platform provides additional information on data processing on the user-restricted sections of the iMooX platform (hereinafter: platform).

  2.   CONTACT

    The data controller is Graz University of Technology (hereinafter: TU Graz), Rechbauerstraße 12, 8010 Graz.
    The data protection officer of TU Graz is x-tention Informationstechnologie GmbH, Römerstraße 80A, 4600 Wels, datenschutzbeauftragter@tugraz.at.
    If you have any questions of data protection please contact datenschutz@tugraz.at.
    If the respective courses are offered by a partner university as part of the degree programme, both TU Graz and the respective partner university are jointly responsible for the processing of personal data. The contact details of the Data Protection Official of the respective partner university can be found in the respective course description.

  3.   CATEGORIES OF PERSONS AND DATA

    The following categories of personal data are processed when using the platform:

    • All registered iMooX users: Master data (Moodle user ID, first name, last name, e-mail address), IP address, log data (see section 5), profile data (voluntary information such as profile pictures, etc.), data related to the course (course ID, course activities, grades, information provided throughout the course such as posts in forums, assignments, chats, quiz answers, etc.)
    • Furthermore, for users with an EduID account: Additional master data (institution affiliation, user institution ID)
    • Course instructors/certified course creators: Additionally, academic degree, personal information, teaching materials, image and sound recordings
    • Co-operation partners: Information on the legal person

  4.   PURPOSE AND LEGAL BASIS

    The platform supports the public dissemination of teaching and learning content for students, staff and external persons in order to make education freely accessible. The processing of personal data takes place for the purpose of

    • Organising and implementing the course
    • Implementing the didactic concept – see information in the course description (e.g., e-mail notifications about news for the enrolled course)
    • Assuring the quality of online teaching
    • Mailing out information about iMooX courses (newsletter)
    • Facilitating scientific research (in anonymised and pseudonymised form)
    • Making the platform technically available and ensuring smooth use

    Data processing for the purpose of fulfilling a contract to which the data subject is party takes place on the legal basis of Art 6 (1) b GDPR (processing necessary for the performance of a contract – Condition of Use/implementation of courses - fulfilment of pre-contractual measures).
    Data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller takes place on the legal basis of Art 6 (1) e GDPR in conjunction with §§ 2, 3, 13 Universities Act 2002.
    Uploading and/or using content and/or services voluntarily (e.g., profile pictures, newsletter) along with any resulting sensitive data is considered as data subject giving consent to the processing of his or her personal data1 in accordance with Art 6 (1) a GDPR.

    STUDENTS
    Personal data is used and transmitted within the framework of the course to facilitate the implementation and organisation of the course itself together with the didactic concept for the respective course. The purpose of such use and transmission is to maintain teaching activities and to offer extensive digital teaching and learning opportunities (see section 6, Students).

    PROCESSING FOR SCIENTIFIC RESEARCH PURPOSES
    Graz University of Technology further processes pseudonymised and anonymised data in compliance with suitable technical and organisational measures for scientific research purposes, for example to evaluate which functions and applications are particularly frequently used by users, in order to continuously improve the services offered by the iMooX platform. Data processing for these evaluations is necessary for the performance of a task carried out in the public interest in accordance with Art 6 (1) e GDPR.

  5.   INTERNAL SERVICES AND INTERNAL DATA TRANSFER

    MATOMO ANALYSIS TOOL WITH ANONYMISATION FUNCTION
    Our means of ensuring the quality of online instruction is to use our own TU Graz Analytics tool based on the open-source web analysis service Matomo. This requires analysis cookies to enable us to statistically evaluate the content accessed (e.g., creating reports on website activity). The information is only saved once the respective IP address has been shortened and/or anonymised. The shortened IP address thus no longer provides any conclusive information about the original user. When using this website analysis tool, no personal data is transferred to third parties. The data is processed exclusively on secure servers of TU Graz.

    LOG DATA
    Log data essential for technical purposes is stored when using the platform and website. This allows Graz University of Technology to identify, limit and eliminate system malfunctions, system errors that limit the availability of online services and unauthorised access to our systems. The log data is not linked to other personal data. The following data categories are processed: Date and time of a query, name and URL of the resources accessed, data volume (in bytes) of the requested and/or accessed resource, response from the server (e.g., http status code), identification data of the browser and operating system used, the website from which the access was made, IP address, MAC address, and user name.

  6.   RECIPIENTS

    The courses are offered by TU Graz and/or by co-operation partners. Unless otherwise specified, no personal data is transmitted to the co-operation partners.

    STUDENTS
    The personal data of students who take part in a course offered by their university on the platform as part of their degree programmes is forwarded to the respective partner university for the purpose stated under section 4, Personal data (first name, last name, e-mail address, rating).

  7.   THIRD COUNTRY TRANSFER

    YOUTUBE
    Plugins (videos) from YouTube are used on the website and platform. When visiting the website, no user data is transmitted to YouTube. The videos only appear as preview images. The video content is only loaded and played once the user has given consent by actively clicking on the "Start video" link. By doing so, the user agrees to the data transmission, on the basis of which personal data (e.g., IP address) are transmitted to YouTube. When using YouTube, data may be transmitted to the USA (third country). YouTube or Google LLC are considered an electronic communication service within the meaning of 50 U.S. Code § 1881 (b) (4) and as such are subject to surveillance by US agencies in accordance with 50 U.S. Code § 1881a ("FISA 702"). Compliance with the European data protection requirements cannot therefore be guaranteed. The transfer of such personal data to a third country for a specific purpose takes place in accordance with the exemption clause of Art 49 (1) a GDPR once the user as given his or her consent after having been informed about the risks. For more information about the processing and use of personal data by YouTube, please refer to the Privacy Policy of the service provider: Google LLC, 1600 Amphitheater Parkway, Mountain View, California 94103, USA. Privacy Policy: https://policies.google.com/privacy/partners

  8.   STORAGE PERIODS (CRITERIA USED TO DETERMINE THE PERIOD)

    GENERAL
    Where it is technically possible, the personal reference of the data will be deleted after 30 days. Log data are generally stored for eight weeks. Depending on the system, data may be stored for a longer period, but never longer than twelve months.

    PERFORMANCE OF A CONTRACT/PRE-CONTRACTUAL STEPS
    We will store your personal data for as long as is necessary to fulfil the contract respectively it is necessary to carry out pre-contractual steps.

    IN CASE OF PUBLIC INTEREST
    We will process the data for as long as this is necessary to serve the public interest or until justified objections are raised.

    IN CASE OF CONSENT
    If you have given us your consent to the processing of your data, your personal data will be stored until you withdraw your consent. In the event of you withdrawing your consent, only your data that is necessary for the purpose of proving your consent or its withdrawal will be stored for a period of three years from withdrawal.
    Furthermore, your data is only stored if statutory retention periods or limitation periods regarding potential legal claims apply.

  9.   RIGHTS OF DATA SUBJECTS

    You have the right to information, rectification, portability, restriction of processing, objection and erasure of data, whereby it is noted that it is not possible to use the iMooX platform without processing personal data. Beside these, you also have the right to withdraw your consent to the processing of data (in case of consent). However, bear in mind that withdrawal of consent does not affect the legality of the processing of your data retrospectively. Also, the exercise of these rights cannot override contractual or statutory obligations.
    You also have a right to make a complaint to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Wien.