Skip to main content

Privacy Policy for the Moodle Learning Platform

1. Contact persons

1.1 Name and contact details of the person responsible

The responsible person in the sense of the general data protection regulation is:

University of Applied Sciences Potsdam
represented by the President
Prof. Dr. Eva Schmitt-Rodermund
Kiepenheuerallee 5
14469 Potsdam

1.2 Data Protection Officer

You can reach the data protection officer of the University of Applied Sciences Potsdam at the following address:

Data protection officer
University of Applied Sciences Potsdam
Kiepenheuerallee 5
14469 Potsdam

1.3 Persons responsible for the platform

E-Learning: Julia Lee

2. Legal basis for the processing of personal data

Insofar as personal data is processed for the operation and use of the Moodle learning platform at the FHP, this is done within the framework of the legal requirements of the EU's general data protection regulation (GDPR), the Brandenburg data protection act (BbgDSG), the Brandenburg university act (BbgHG) and the regulations based on these.

Insofar as the processing serves the implementation of courses and examinations, your personal mandatory data as a student will be processed on the basis of Art. 6 Para. 1 e) GDPR in conjunction with § 3 (university tasks), § 14 Para. 9 (data processing in the university context) and § 26 (courses offered) of the Brandenburg universityct (BbgHG).

If you would like to use your account for purposes beyond courses or exam participation, the processing is based on voluntary consent in accordance with Art. 6 Para. 1 a) GDPR. The same applies if you participate in Moodle as an external user on a voluntary basis and are not subject to university law.

3. Purpose and scope of the processing of personal data

The data is processed for the purpose of organising, preparing, conducting and evaluating courses as well as for the purpose of teaching and testing. In addition, Moodle can also be used voluntarily for own, e.g. student purposes.
When Moodle is used, personal data of users from the following categories are processed:

3.1 Registration data

For users with a Campus.Account: Data is transferred from the Campus.Account of the University of Applied Sciences Potsdam to Moodle. The Campus.Account is a central access point to the campus data network and the various electronic services of the University of Applied Sciences Potsdam. For more information, please visit
For users with self-registration: Here, all necessary login data is collected from you. Alternatively, registration procedures via Shibboleth are supported.

When you register for the first time or afterwards, you can voluntarily add further information under your "profile". You can remove the voluntarily added data at any time.

3.2 Usage data

Usage or content data is created when you enter data into Moodle. This includes, for example, contributions to forums and wikis, and activities in assignments, tests or interactive content. Uploaded files also count as content data.
Only Moodle support administration has global access to usage data, while e-learning staff only have access to partial areas for the purposes of course set-up and support for teachers in digital teaching and online exams. Course administrators are generally teachers. Course administrators also have only limited access to aggregated, personalised activity overviews for the purposes of teaching, course organisation, teacher success monitoring and examination performance in the course in question.
Course administrators supplement the usage data with data on learning success (e.g. assessment of submitted tasks) and on educational success (e.g. assessment of examination results). This data is only visible to course administrators, e-learning staff and Moodle support administration.
Insofar as the data is processed for courses or examinations, the data is used exclusively for teaching and examination purposes. This is done insofar as this is necessary for the fulfilment of the task and the data processing is proportionate to the purpose associated with it against the background of the principle of data economy.

3.3 Log data

Moodle collects log data in the background about which components of the learning management system and which profiles of other users are accessed at what time and with which IP, as well as information about actions in Moodle. Only the Moodle support administration has access to this log data for reasons of system operation and IT security.

3.4 Participation as an anonymous guest

If a course is accessible to anonymous guests, you can read certain course content without logging in. In this case, only protocol data will be processed.

4. Duration of storage

The general data in your user profile (login data and additional profile data) will be stored until the user profile is deleted. You can add to and delete the additional entries in the user profile yourself at any time. Data from participation in courses (usage data) is stored until the course is deleted.

Log data within Moodle is deleted 180 days after the end of the usage process, unless other retention periods apply. Other log data on the servers is deleted after 14 days.

In addition, there are deletion periods that result from requirements for examination performance and are adhered to by the lecturers: According to § 31 Paragraph 2 of the framework Regulations for studies and examinations (RO-SP) of the FHP, examinations and the documents documenting their assessment are stored for at least one year from the time the assessment is announced – if Moodle was used for this, the documents are stored accordingly in Moodle. In the case of processing in the context of examinations, examination results and other examination data are taken to the study records outside Moodle and stored for up to 50 years in accordance with § 31 Paragraph 1 of the framework regulations for studies and examinations (RO-SP) of the FHP.

If the Moodle account was registered via the Campus.Account, the Moodle account will be deleted 30 days after the deletion of the Campus.Account. Once the central University of Applied Sciences Potsdam user account (Campus.Account) has been deactivated, it is no longer possible to log in to Moodle.

5. Recipients of the data

Insofar as the data processing serves the purpose of conducting courses and examinations, the recipients of the data are the persons responsible for teaching or the examiners and invigilators. Examination work is also processed by all offices involved that are responsible for setting up, administering and assessing the examination and for processing the examination performance.
Data processing in other courses/areas is not passed on to third parties or processed for other purposes. However, on a voluntary basis, data and content may be shared with other Moodle participants.

6. Transfer of data to a third country or international organisation

Moodle data processing takes place on servers at the University of Applied Sciences Potsdam. Data is not transferred to an international organisation or a third country.

7. Obligation to provide data

As far as compulsory courses or participation in an examination is concerned, the provision of data is required within the framework of the study and examination regulations and other state law regulations.
Otherwise, the provision of e.g. extended profile data or other contributions is voluntary.

8. Automated decision-making

In principle, no automated decision-making pursuant to Art. 22 GDPR takes place.

9. Use of cookies

Moodle uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When the website is accessed, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.
The following cookies are used:

  • MoodleSession identifies logged-in users by an anonymous ID and stores their login for the current session. This cookie is required for the use of Moodle to maintain login and access permissions within Moodle during the session. The cookie is automatically deleted when users log out of the system or close the web browser.
  • MoodleID stores the username in the web browser. The next time users log in to the system, it is automatically entered into the login screen to speed up the login process for users. They can optionally activate the cookie when logging in. The legal basis results from the consent of the users through the active storage of the user name in accordance with Art. 6 Para. 1 a) GDPR. You can delete the cookie at any time in your browser settings and will then be asked again on your next visit whether you wish to save it.

10. Software integrated into Moodle

10.1 Integration of QUAMP for the purpose of teaching evaluation

The evaluation platform QUAMP is operated on a server at the University of Applied Sciences Potsdam.

Moodle and QUAMP are connected via a technical interface. When a Moodle course page containing the integration of the Moodle block "course evaluation" is called up, the user name of the logged-in student is transferred from Moodle to QUAMP and stored in encrypted form in QUAMP. QUAMP returns the link to the evaluation questionnaire, which is unique to the student and course, back to Moodle. Moodle displays the link or "error text". QUAMP therefore stores the user name of the Moodle/Campus.account anonymously (you cannot calculate back the encrypted code). If the survey data is deleted, the user names are also deleted.

Course administrators can also provide general links to the questionnaire. With a QR code, the evaluation can also be done during the course.

10.2 Moodle Plug-Ins for the Use of Further FHP Services

The following additional services are integrated into Moodle: Opencast, Mahara, BigBlueButton.

These services run on FHP's own internal servers. The privacy policy for these services can be found on the websites of the respective services.

10.3 Linked services

In addition, other services are linked in Moodle, for example in the context of citation. The privacy policy for these other services can be found on their websites.

11. Your rights as a data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

  • You may request confirmation from the controller as to whether personal data concerning you are being processed. If such processing is taking place, you can request information about and a copy of this data from the controller in accordance with Article 15 of the GDPR. This data will be made available to you in your profile after your request has been processed.
  • You also have the right of rectification (pursuant to Art. 16 GDPR). If incorrect data is stored, you can partly adjust it yourself (profile data collected yourself) or request the data controllers to do so. The data controllers will comply with the request, provided that the correction is justified and appropriate.
  • You have a right to have the personal data concerning you deleted (in accordance with Art. 17 GDPR). You have a right to have data deleted that is actually wrong or has no further purpose for the controller(s). You do not have the right to have data deleted if the data controller is obliged to still retain the data for legal reasons or due to other obligations. The obligation to store data may also exist after exmatriculation. There is also no right to deletion if information was written by you yourself and this is in the context of information from other users (e.g. forum posts).
  • You have a right to restriction of processing by the data controllers (in accordance with Art. 18 DSGVO). The controllers will ensure that, in the event of restriction, data is only accessible to those persons who absolutely need to see the data. For this purpose, they may use the means of pseudonymisation and anonymisation.
  • You have the right to object to this processing (in accordance with Art. 21 GDPR). You can object to the further use of the data. This can only take effect in the future. The right to object is not an automatic obligation for the data controller to delete the data. If the data controllers have storage obligations for other reasons, they will consider this and inform you.
  • You have a limited right to data portability (according to Art. 20 GDPR, para. 1 and para. 3). That is, you have a right to receive data written by yourself outside of teaching situations in an electronic format that can be used for use elsewhere.

If you are of the opinion that the processing of personal data concerning you violates data protection regulations, you have the right to contact a data protection supervisory authority pursuant to Art. 77 GDPR, e.g. the

Brandenburg state commissioner for data protection and freedom of information
Stahnsdorfer Damm 77
14532 Kleinmachnow