DATA PROTECTION STATEMENT ON THE EUNICE MOODLE
1. Joint controllers
POLITECHNIKA POZNAŃSKA Pl. Marii Skłodowskiej-Curie 5 60-965 Poznan POLAND +48 61 833 3881 | BRANDENBURG UNIVERSITY OF TECHNOLOGY (BTU) Cottbus-Senftenberg Postfach 101344 03013 Cottbus GERMANY +49 355 69-0 | UNIVERSITÉ POLYTECHNIQUE HAUTS-DE-FRANCE Campus Mont Houy 59313 Valenciennes cedex 9 FRANCE +33 3 27 51 12 34 |
UNIVERSIDAD DE CANTABRIA Avda. de los Castros, s/n 39005 Santander SPAIN +34 942 20 22 23 | UNIVERSITÉ DE MONS Place du Parc , 20 7000 Mons BELGIUM +32 65 37 31 11 | UNIVERSITÀ DI CATANIA Piazza Università, 2 95131 Catania ITALY +39 095 730 7777 |
VAASAN YLIOPISTO Wolffintie 32 65200 Vaasa FINLAND +358 29 449 8000 | UNIVERSITY OF PELOPONNESE Erythrou Stavrou 28 & Karyotaki 22131 Tripolis GREECE +30 2710230000 | INSTITUTO POLITÉCNICO DE VISEU Av. José Maria Vale de Andrade Campus Politécnico 3504-510 Viseu PORTUGAL +351 232 469 703 |
KARLSTAD UNIVERSITY Universitetsgatan 2, 65188 Karlstad SWEDEN +46 54 700 10 00 | EUNICE AISBL Place du Parc 20 7000 Mons BELGIUM +32 492 033 760 |
1. Personal data processor
Mediamaisteri Oy
PO Box 82 (Erkkilänkatu 11)
33101 Tampere
Phone +358 10 281 8000
info@mediamaisteri.com
2. Contact persons in matters concerning the data file
In data protection matters, the contact point for data subjects are the EUNICE partner DPO’s, whose contact details are as follows:
Poznan University of Technology (PUT) Piotr Otomański Politechnika Poznanska, Pl. M. Sklodowskiej Curie 5 60-965 Poznan, Poland +48 61 665 3631 piotr.otomanski@put.poznan.pl | Brandenburg University of Technology Cottbus -Senftenberg (BTU) Sergey Romanov VG1C, R. 2.40, Konrad Wachsmann Allee 5 03046 Cottbus +49(0)355/69 -2112 datenschutz@b-tu.de | Université Polytechnique Hauts-de France (UPHF) Camille Deman Campus Mont Houy 59313 Valenciennes Cedex 9 France +33 3 27 51 13 36 dpo@uphf.fr |
Universidad de Cantabria (UC) Gema Bilbao Prieto Avenida de los Castros, 54 39005 Santander (Cantabria) +34942200909 dpd@unican.es | University of Mons (UMONS) Graciela SCHIFFINO 23, Place du Parc 7000 Mons +32 65 37 37 02 dpo@umons.ac.be | University of Catania (UNICT) Lorena Virgillito Piazza dell'Università, 2. Palazzo Centrale. 95131 -Catania +39 095 7307376 giuseppina.gravagna@unict.it ; rpd@unict.it |
University of Vaasa (UVA) Sami Kinnunen University of Vaasa, Wolffintie 34, 65200 Vaasa +358 40 588 4282 sami.kinnunen@uwasa.fi | University of the Peloponnese (UoP) Nikolopoulos Stavros Erythrou Stavrou 28 & Karyotaki, 22131 Tripolis, GREECE +30 27210 45334 dpo@uop.gr, nikplos@uop.gr | Instituto Politécnico de Viseu (IPV) Paula Bettencourt Av. Cor. José Maria Vale de Andrade Campus Politécnico 3504-510 Viseu, Portugal (+351) 232 480 781 pbettencourt@sc.ipv.pt, dpo@sc.ipv.pt |
Karlstad University (KAU) Conny Claesson Universitetsgatan 2, 65188 Karlstad, SWEDEN +46 54 - 700 19 46 | EUNICE AISBL Magdalena Sikorska Place du Parc 20, 7000 Mons, BELGIUM +32 492 033 760 |
3. Purpose of processing personal data
We process your personal data for the following purposes:
Management of user rights in the learning environment (1) (3)
Management and assessment of completed studies and compilation of related statistics (1) (2)
Communication as well as study-related advice and guidance (1) (2) (3)
Resolution of technical problems and misuse (3)
Monitoring of student activity (1) (2)
4. Legal basis for processing personal data
The processing of personal data is based on (1) compliance with a legal obligation (e.g., the Universities Act 558/2009 and decrees issued pursuant to it, the Universities of Applied Sciences Act 932/2014, the Act on the National Registers of Education Records, Qualifications and Degrees 884/2017), (2) performance of a task in the public interest or in the exercise of official authority vested in the controller, and (3) legitimate interest.
5. Categories of personal data to be processed
Basic data
Identifiers: name, national learner ID
Login data: login method, username, linked login profiles
Contact data (email address)
Study-related data
Course registration data
Course and other study-related assessments/grades
Assignments returned in courses and their assessments/grades
Communication data
Discussions and communication stored in the system by users regarding, for example, study-related advice and guidance
Blog entries
Data about the use of Eunice learning platform
Browser session data
Support requests
6. Storage periods
User profiles will be removed 12 months after the last login. Users are being notified by mail two months before. Course log data and participation data older than 12 months will be removed. Students’ course data (assignments, forum posts, etc.) will be removed from a course 12 months after the defined course end date. These processes will be managed by Mediamaisteri Oy in cooperation with EUNICE personnel to ensure GDPR compliance and proper implementation.
To the extent data are transferred to be processed in registers independently managed by controllers, and then not covered by this agreement, the storage periods will be determined in accordance with national legislation and with the archiving plans or information management plans of the educational institutions in question.
7. Where the Joint Controllers obtain data
The Joint Controllers obtain personal data in the EUNICE learning platform related to user logins from the organisation that manages the credentials in question (Haka federation, Google login, Moodle login). Study-related data are obtained from the users themselves, or they are generated in connection with the use of the service and the completion of studies. Users themselves can produce data for the service, e.g., by publishing blog entries and storing files. Communication-related data are obtained from users. Browser session data are automatically generated in connection with the use of the service.
8. Recipients of personal data and transfers outside the EU or EEA
Personal data are not transferred outside the EU or EEA.
The processing of personal data has been outsourced to the Eunice administrator. The administrator is bound by a non-disclosure obligation and does not have the right to disclose data to third parties or use data for purposes other than the implementation of the controllers’ commission. The data protection of the service has been arranged with the administrator, for example, by concluding agreements on the processing of personal data.
9. Information security in the EUNICE learning platform
PThe Parties ensure that the processing of personal data takes place using appropriate technical and organizational measures to achieve a satisfactory level of security in terms of the nature and scope of the processing, the technical development, implementation costs and from relevant risks to persons’ rights and freedoms.
The right to use personal data has been limited with the help of user right groups so that each user can only access the data they need in their work.
Systems containing personal data at Mediamaisteri Oy are protected by firewalls and other technical safeguards. Login and use of the systems is monitored. Devices and servers containing personal data are located in locked facilities and can be accessed only by designated persons.
10. Automated decision-making and profiling
Personal data processed in the service are not used for profiling or for decision-making based on automated means.
11. Rights of data subjects and information
Data Subjects have the right to obtain information on the processing of personal data and to inspect the data concerning them that are stored in the EUNICE learning platform. Data Subjects have the right to request the rectification or supplementation of erroneous, deficient or inaccurate data as well as the erasure of unnecessary personal data.
The Parties commit themselves to provide the Data Subjects with any information referred to in Articles 13 and 14 of the GDPR in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The information shall be provided free of charge.
The joint Data Controllers shall be responsible for maintaining and updating of the written information (the Data Protection Statement) to the concerned Data Subjects containing all the necessary information on the processing of personal data, the way Data Subjects can exercise their rights and direct contact points for Data Subject’s requests. This data protection statement shall be provided to the Data Subjects in the EUNICE learning platform.
The Data Subjects always have the right to contact any of the Joint Controllers if they wish to exercise their rights related to the processing of personal data described in this Joint Controller agreement.
The Party that has been contacted by a Data Subject is responsible for taking the necessary measures regarding the Data Subject’s rights on behalf of the Parties. This shall be done taking into account the type of processing, and the information available to each Joint Controller. The Parties shall cooperate and, when so requested, provide each other with swift and efficient assistance in handling any Data Subject request.
Data Subjects have the right to lodge a complaint with respective national supervisory authority if they consider that the processing of their personal data violates the applicable data protection legislation. In addition to the above, Data Subjects have the right to use administrative and legal remedies.
12. Personal data breaches
The Party responsible for a personal data breach that affects the joint processing of personal data shall take action in accordance with Article 33 of the GDPR, and notify the breach, where applicable, to the competent national supervisory authority. If a Party discovers a personal data breach in the operations of another Party, it shall immediately inform that Party thereof. If it is not possible to determine the origin of the breach, UVA shall be the Party responsible for taking action in accordance with Article 33 of the GDPR and notifying the breach to the Finnish supervisory authority.
In the event of a personal data breach that is subject to a notification obligation to the supervisory authority pursuant to Article 33 of the GDPR, the Party that is responsible for taking action according to the above paragraph shall without undue delay inform the other Parties of the breach in writing. A Party shall, taking into account the type of processing and the information available to each controller, also provide the other Parties with a written description of the personal data breach.
Notification pursuant to the previous section shall:
a) Describe the nature of the breach of personal data security, including, where possible, the categories of and approximate number of Data Subjects affected, and the categories of and approximate number of registrations of personal data concerned;
b) Contain the name and contact details of the Data Protection Officer or another contact point where more information can be obtained;
c) Describe the probable consequences of the breach of personal data security; and
d) Describe the measures that the data controller has taken or proposes to take to deal with the breach of personal data security, including, if relevant, measures to reduce any harmful effects as a result of the breach.
The information may, to the extent necessary, be provided step by step without further undue delay.
The Parties are obliged to implement all measures that can reasonably be required to remedy and avoid corresponding personal data breaches. The Parties shall, as far as possible, consult with the other Parties on the measures to be implemented, including assessing the other Parties’ proposed measures.
Each Party is responsible for all personal data breaches that occur as a result of an infringement of that Party’s obligations under this Joint Controller agreement and the GDPR.
13. Joint controllers
As a rule, the controllers referred to at the beginning of this data protection statement are joint controllers of the personal data processed in the service. In addition, the controllers may process the personal data in the EUNICE learning platform as independent controllers.
The joint controllers are jointly responsible for the processing of personal data in the service in accordance with the General Data Protection Regulation of the EU and other applicable data protection legislation. The joint controllers have set out procedures and responsibilities related to the processing of personal data by agreement. The joint controllers may disclose to each other data required for the provision of the service, provided that all recipients have a statutory right to process the data. Data can be processed only for the same purposes for which they were originally collected.
Each joint controller takes appropriate technical and organisational measures for its part to ensure the security of the processing of personal data and to process personal data in accordance with applicable law.
As described in this data protection statement, the administrator of the platform acts as the primary point of contact for data subjects, for example, to enable them to exercise their rights. However, despite the above, data subjects always have the right to contact any of the joint controllers if they wish to exercise their rights related to the processing of personal data described in this data protection statement.
14. Changes to this data protection statement
We may occasionally update or change the content of this data protection statement. In such cases, we will post the updated data protection statement on our website, indicating the date of the update. If the changes are significant, we may also inform you about them in other ways, such as by email or by notifying you about the matter on our website.
This data protection statement was updated in July 2025.