Privacy Statement – UT Learning Management System
Version 1.4, last update: 6 September 2018
The UT Learning Management System (LMS) is provided for free by the University of Twente (also referred to as UT, we/us/our). The LMS facilitates and enriches UT educational processes, allows you to co-operate and communicate with other users and to access and share (course) content. The LMS is designed to make teaching and/or learning easier for you. You can read more about your rights and obligations with regard to your use of the LMS in our Acceptable Use Policy.
When you make use of our LMS, we will process various personal data of you. UT is the data controller for the processing of your personal data under the applicable Dutch data protection law.
This Privacy Statement applies to all users of the LMS and informs you on our privacy practices and security measures concerning the personal data we may collect from you when you make use of the LMS. This Privacy Statement does not see to the processing of personal data that is not related to your use of the LMS. We may change this Privacy Statement from time to time.
1.1. Your personal data is any data that is directly or indirectly attributable to you. The personal data we may collect from you when you register and use the LMS may include your name, title(s), gender, e-mail address, phone number, login name, unique identification number (UT ‘ICT-account’ number), IP address, browser details, search history, click patterns, logging information and any information included in your communication with us or uploaded by you through the LMS (including but not limited to inquiries and input on the discussion forum and documents provided).
1.2. If you are a student: we may also process the following data of you: student number, education background, details of the courses followed, interests in courses and information on the curriculum, uploaded files of work in progress, evaluations, feedback and study results.
1.3. If you are a lecturer, policy maker, study counsellor, educational coordinator, educational supporter, application management supporter or system administrator: we may also process the following data of you: reference number, information on your (academic) background, details of the courses given, evaluations and feedback of the submitted work by students;
1.4. If you are a guest user: information on your (academic) background, employment and if relevant details of courses given, evaluations and study results provided;
2.1. UT will only process your personal data in the context of the use of the LMS, more specifically for the following purposes:
- Access control and safeguarding of your account;
- Enabling you to use the features and services of the LMS;
- For maintaining contact with you in relation to your use of the LMS and - if you are a student - for your education program with UT;
- Optimizing the LMS;
- For the handling of your requests, any complaints or disputes, and the investigation in this respect;
- For performance of audits;
- To meet with our statutory obligations.
3.1. Your personal data may be accessed by our employees or other persons engaged on our behalf on a need-to-know basis only, such as lecturers, study counsellors, policy makers and administrative personnel. Also, you may make certain information available within the LMS and for certain participants, for example by participating in group discussions. Next to that, we may also instruct trusted third parties to perform services in respect of processing your personal data on our behalf. With such service providers we have concluded data processing agreements in order to secure the processing of your personal data.
3.2. As one of our data processors, we have involved Instructure Global LTD, located in London, United Kingdom, being the hosting provider of the LMS. As Instructure is also located outside the European Economic Area (EEA), in Salt Lake City, Utah, United States of America, we have not only concluded a data processing agreement with Instructure, but also a data transfer agreement based on the Standard Contractual Clauses (controller / processor) validated by the European Commission, to safeguard the transfer of your personal data to Instructure. For the delivery of the LMS, Instructure may involve its affiliates or third parties as sub-data processors in accordance with the data processing agreement that has been concluded between UT and Instructure.
Permitted Key Subcontractor
Description of Key Subcontract
AWS is Contractor’s data hosting and storage provider. The objective of this subprocessing/subcontracting is the performance of the Services pursuant to the Agreement or in connection with instructions from the Client, the extent of which is determined and controlled by the Client in its sole discretion. This uses S3 in their EU(Ireland) Region. ISO 27001.
(Redwood City, USA)
Box provides a third-party integrated tool (Crocodoc) that enables document preview (mainly for ‘.pdfs’) within the Service. The objective of this subprocessing/subcontracting is the performance of the Services pursuant to the Agreement or in connection with instructions from the Client, the extent of which is determined and controlled by the Client in its sole discretion.
(Salt Lake City, USA)
Kimono is a provider of cloud based Student Information Systems interoperability services. The objective of this subprocessing/subcontracting is the performance of the Services pursuant to the Agreement or in connection with instructions from the Client, the extent of which is determined and controlled by the Client in its sole discretion.
(San Francisco, USA)
Twilio is a provider of cloud based telephony and messaging services. The objective of this subprocessing/subcontracting is the performance of the Services pursuant to the Agreement or in connection with instructions from the Client, the extent of which is determined and controlled by the Client in its sole discretion.
3.3. When you make use of our external plug-ins or social media buttons within the LMS environment, your personal data may be shared with the respective provider of such plug- in. You may find an overview of possible plug-in providers here. Please note that the plug- in providers may process your personal data for their own purposes and may therefore qualify as data controllers. Neither UT nor Instructure is responsible for the data processing activities carried out by these parties when acting as a data controller. We advise you to check out their respective privacy policies.
4.1. Appropriate technical and organizational measures to secure Personal Data against loss or any form of unlawful processing are taken. Taking into account the state of the art and the costs of the implementation, these measures guarantee an appropriate security level given the risks associated with Processing and the nature of the Personal Data to be protected. The measures are, in part, aimed at preventing unnecessary collection and further Processing. The Processor shall record the measures in writing and shall ensure that the security as referred to in this paragraph meets with the security requirements under the Personal Data Protection Act.
5.1. We will process your personal data for as long as this is necessary for the purposes as stated in this Privacy Statement. Once you will no longer be connected to the UT, either as a student or as a lecturer, student counsellor or policy maker, we may retain your personal up to two years in accordance with the applicable data protection laws, unless you have submitted a reasonable and valid request to delete your personal data.
6.1. If you have any questions on the processing of your personal data, or if you would like to review, correct or change any personal data we may process of you, please contact us, using the following contact details:
You may contact us at:
University of Twente
Attn: Functionaris van de Gegevensbescherming
P.O. Box 217
7500 AE Enschede