DATA PROTECTION STATEMENT ON THE EUNICE MOODLE 


1. Joint controllers


POLITECHNIKA POZNAŃSKA 

Pl. Marii Skłodowskiej-Curie 5 

60-965 Poznan 

POLAND 

+48 61 833 3881

BRANDENBURG UNIVERSITY OF TECHNOLOGY (BTU) 

Cottbus-Senftenberg 

Postfach 101344 

03013 Cottbus 

GERMANY 

+49 355 69-0 


UNIVERSITÉ POLYTECHNIQUE HAUTS-DE-FRANCE 

Campus Mont Houy 

59313 Valenciennes cedex 9 

FRANCE 

+33 3 27 51 12 34 



UNIVERSIDAD DE CANTABRIA 

Avda. de los Castros, s/n 

39005 Santander 

SPAIN 

+34 942 20 22 23 


UNIVERSITÉ DE MONS 

Place du Parc , 20 

7000 Mons 

BELGIUM 

+32 65 37 31 11 



UNIVERSITÀ DI CATANIA 

Piazza Università, 2 

95131 Catania 

ITALY 

+39 095 730 7777



VAASAN YLIOPISTO 

Wolffintie 32 

65200 Vaasa 

FINLAND 

+358 29 449 8000 


UNIVERSITY OF PELOPONNESE 

Erythrou Stavrou 28 & Karyotaki 22131  

Tripolis 

GREECE 

+30 2710230000

INSTITUTO POLITÉCNICO DE VISEU 

Av. José Maria Vale de Andrade 

Campus Politécnico 

3504-510 Viseu 

PORTUGAL 

+351 232 469 703 


KARLSTAD UNIVERSITY 

Universitetsgatan 2, 

65188 Karlstad  

SWEDEN 

+46 54 700 10 00 

EUNICE AISBL 

Place du Parc 20 

7000 Mons 

BELGIUM 

+32 492 033 760 




1. Personal data processor 


Mediamaisteri Oy
PO Box 82 (Erkkilänkatu 11) 

33101 Tampere
Phone +358 10 281 8000 

info@mediamaisteri.com


2. Contact persons in matters concerning the data file

In data protection matters, the contact point for data subjects are the EUNICE partner DPO’s, whose contact details are as follows:

Poznan University of Technology (PUT) 

Piotr Otomański 

Politechnika Poznanska, Pl. M. Sklodowskiej 

Curie 5 

60-965 Poznan, Poland 

+48 61665 3631 

piotr.otomanski@put.poznan.pl       

Brandenburg University of Technology Cottbus -Senftenberg (BTU) 

Sergey Romanov 

VG1C, R. 2.40, Konrad Wachsmann Allee 5  

03046 Cottbus 

+49(0)355/69 -2112 

datenschutz@b-tu.de 

Université Polytechnique Hauts-de France (UPHF)

Camille Deman 

Campus Mont Houy 59313 Valenciennes Cedex 9 France 

 +33 3 27 51 13 36 

dpo@uphf.fr 




Universidad de Cantabria (UC)

Gema Bilbao Prieto 

Avenida de los Castros, 54 39005 Santander (Cantabria) 

+34942200909 

dpd@unican.es

University of Mons (UMONS)

Graciela SCHIFFINO 

23, Place du Parc 

7000 Mons 

+32 65 37 37 02 

dpo@umons.ac.be

University of Catania (UNICT)

Lorena Virgillito 

Piazza dell'Università, 2. Palazzo Centrale. 95131 

-Catania 

+39 095 7307376 

 giuseppina.gravagna@unict.it ; rpd@unict.it 

University of Vaasa (UVA)

Sami Kinnunen 

University of Vaasa, 

Wolffintie 34, 65200 Vaasa 

+358 40 588 4282 

sami.kinnunen@uwasa.fi



University of the Peloponnese (UoP) 

Nikolopoulos Stavros 

Erythrou Stavrou 28 & Karyotaki, 

22131 Tripolis, 

GREECE 

+30 27210 45334 

dpo@uop.gr, nikplos@uop.gr 


Instituto Politécnico de Viseu (IPV) 

Paula Bettencourt 

Av. Cor. José Maria Vale de Andrade 

Campus Politécnico 

3504-510 Viseu, Portugal 

(+351) 232 480 781 

pbettencourt@sc.ipv.pt, dpo@sc.ipv.pt 


Karlstad University (KAU) 

Conny Claesson 

Universitetsgatan 2, 

65188 Karlstad, 

SWEDEN 

+46 54 - 700 19 46 

EUNICE AISBL
Magdalena Sikorska
Place du Parc 20,
7000 Mons,
BELGIUM 
+32 492 033 760 



3. Purpose of processing personal data


We process your personal data for the following purposes: 

 

  • Management of user rights in the learning environment (1) (3) 

  • Management and assessment of completed studies and compilation of related statistics (1) (2) 

  • Communication as well as study-related advice and guidance (1) (2) (3) 

  • Resolution of technical problems and misuse (3) 

  • Monitoring of student activity (1) (2)


4. Legal basis for processing personal data 


The processing of personal data is based on (1) compliance with a legal obligation (e.g., the Universities Act 558/2009 and decrees issued pursuant to it, the Universities of Applied Sciences Act 932/2014, the Act on the National Registers of Education Records, Qualifications and Degrees 884/2017), (2) performance of a task in the public interest or in the exercise of official authority vested in the controller, and (3) legitimate interest.


5. Categories of personal data to be processed 


Basic data   

  • Identifiers: name, national learner ID 

  • Login data: login method, username, linked login profiles 

  • Contact data (email address) 


Study-related data 

 

  • Course registration data 

  • Course and other study-related assessments/grades 

  • Assignments returned in courses and their assessments/grades 


Communication data

  • Discussions and communication stored in the system by users regarding, for example, study-related advice and guidance 

  • Blog entries


Data about the use of Eunice learning platform

  • Browser session data

  • Support requests



6.  Storage periods

User profiles will be removed 12 months after the last login. Users are being notified by mail two months before. Course log data and participation data older than 12 months will be removed. Students’ course data (assignments, forum posts, etc.) will be removed from a course 12 months after the defined course end date. These processes will be managed by Mediamaisteri Oy in cooperation with EUNICE personnel to ensure GDPR compliance and proper implementation. 

To the extent data are transferred to be processed in registers independently managed by controllers, and then not covered by this agreement, the storage periods will be determined in accordance with national legislation and with the archiving plans or information management plans of the educational institutions in question.
 


7. Where the Joint Controllers obtain data


The Joint Controllers obtain personal data in the EUNICE learning platform related to user logins from the organisation that manages the credentials in question (Haka federation, Google login, Moodle login). Study-related data are obtained from the users themselves, or they are generated in connection with the use of the service and the completion of studies. Users themselves can produce data for the service, e.g., by publishing blog entries and storing files. Communication-related data are obtained from users. Browser session data are automatically generated in connection with the use of the service. 


8. Recipients of personal data and transfers outside the EU or EEA 


Personal data are not transferred outside the EU or EEA.  

The processing of personal data has been outsourced to the Eunice administrator. The administrator is bound by a non-disclosure obligation and does not have the right to disclose data to third parties or use data for purposes other than the implementation of the controllers’ commission. The data protection of the service has been arranged with the administrator, for example, by concluding agreements on the processing of personal data. 


9. Information security in the EUNICE learning platform  


PThe Parties ensure that the processing of personal data takes place using appropriate technical and organizational measures to achieve a satisfactory level of security in terms of the nature and scope of the processing, the technical development, implementation costs and from relevant risks to persons’ rights and freedoms.

The right to use personal data has been limited with the help of user right groups so that each user can only access the data they need in their work.

Systems containing personal data at Mediamaisteri Oy are protected by firewalls and other technical safeguards. Login and use of the systems is monitored. Devices and servers containing personal data are located in locked facilities and can be accessed only by designated persons. 


10. Automated decision-making and profiling  


Personal data processed in the service are not used for profiling or for decision-making based on automated means. 


11. Rights of data subjects and information 


Data Subjects have the right to obtain information on the processing of personal data and to inspect the data concerning them that are stored in the EUNICE learning platform. Data Subjects have the right to request the rectification or supplementation of erroneous, deficient or inaccurate data as well as the erasure of unnecessary personal data.

The Parties commit themselves to provide the Data Subjects with any information referred to in Articles 13 and 14 of the GDPR in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The information shall be provided free of charge.

The joint Data Controllers shall be responsible for maintaining and updating of the written information (the Data Protection Statement) to the concerned Data Subjects containing all the necessary information on the processing of personal data, the way Data Subjects can exercise their rights and direct contact points for Data Subject’s requests. This data protection statement shall be provided to the Data Subjects in the EUNICE learning platform.

The Data Subjects always have the right to contact any of the Joint Controllers if they wish to exercise their rights related to the processing of personal data described in this Joint Controller agreement.

The Party that has been contacted by a Data Subject is responsible for taking the necessary measures regarding the Data Subject’s rights on behalf of the Parties. This shall be done taking into account the type of processing, and the information available to each Joint Controller. The Parties shall cooperate and, when so requested, provide each other with swift and efficient assistance in handling any Data Subject request.

Data Subjects have the right to lodge a complaint with respective national supervisory authority if they consider that the processing of their personal data violates the applicable data protection legislation. In addition to the above, Data Subjects have the right to use administrative and legal remedies. 

 

12.  Personal data breaches  


The Party responsible for a personal data breach that affects the joint processing of personal data shall take action in accordance with Article 33 of the GDPR, and notify the breach, where applicable, to the competent national supervisory authority. If a Party discovers a personal data breach in the operations of another Party, it shall immediately inform that Party thereof. If it is not possible to determine the origin of the breach, UVA shall be the Party responsible for taking action in accordance with Article 33 of the GDPR and notifying the breach to the Finnish supervisory authority.

In the event of a personal data breach that is subject to a notification obligation to the supervisory authority pursuant to Article 33 of the GDPR, the Party that is responsible for taking action according to the above paragraph shall without undue delay inform the other Parties of the breach in writing. A Party shall, taking into account the type of processing and the information available to each controller, also provide the other Parties with a written description of the personal data breach.

Notification pursuant to the previous section shall:

a) Describe the nature of the breach of personal data security, including, where possible, the categories of and approximate number of Data Subjects affected, and the categories of and approximate number of registrations of personal data concerned;

b) Contain the name and contact details of the Data Protection Officer or another contact point where more information can be obtained;

c) Describe the probable consequences of the breach of personal data security; and

d) Describe the measures that the data controller has taken or proposes to take to deal with the breach of personal data security, including, if relevant, measures to reduce any harmful effects as a result of the breach.

The information may, to the extent necessary, be provided step by step without further undue delay.

The Parties are obliged to implement all measures that can reasonably be required to remedy and avoid corresponding personal data breaches. The Parties shall, as far as possible, consult with the other Parties on the measures to be implemented, including assessing the other Parties’ proposed measures.

Each Party is responsible for all personal data breaches that occur as a result of an infringement of that Party’s obligations under this Joint Controller agreement and the GDPR. 


13. Joint controllers


As a rule, the controllers referred to at the beginning of this data protection statement are joint controllers of the personal data processed in the service. In addition, the controllers may process the personal data in the EUNICE learning platform as independent controllers. 

The joint controllers are jointly responsible for the processing of personal data in the service in accordance with the General Data Protection Regulation of the EU and other applicable data protection legislation. The joint controllers have set out procedures and responsibilities related to the processing of personal data by agreement. The joint controllers may disclose to each other data required for the provision of the service, provided that all recipients have a statutory right to process the data. Data can be processed only for the same purposes for which they were originally collected. 

Each joint controller takes appropriate technical and organisational measures for its part to ensure the security of the processing of personal data and to process personal data in accordance with applicable law. 

As described in this data protection statement, the administrator of the platform acts as the primary point of contact for data subjects, for example, to enable them to exercise their rights. However, despite the above, data subjects always have the right to contact any of the joint controllers if they wish to exercise their rights related to the processing of personal data described in this data protection statement.  

 

14. Changes to this data protection statement


We may occasionally update or change the content of this data protection statement. In such cases, we will post the updated data protection statement on our website, indicating the date of the update. If the changes are significant, we may also inform you about them in other ways, such as by email or by notifying you about the matter on our website. 

This data protection statement was updated in July 2025.