Privacy notice: Online learning environment Moodle

Date of publication: 27 September 2020 (Updated: 12 August 2024)

City of Espoo

Ann-Christine Stenbacka, Assistant Principal

email: ann-christine.stenbacka@espoo.fi

Tel. 09 816 21 (switchboard)

Anette Ohlström, Department Secretary
email: anette.a.ohlstrom@espoo.fi

Address: Esbo Arbis, P.O. Box 3560, 02070 CITY OF ESPOO

Tel. +358 9 81621 (switchboard)

Data Protection Officer of the City of Espoo

Helena Niemi

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

Espoo’s Swedish-speaking adult education centre (Esbo Arbis) uses Moodle as a learning environment and communication channel. Moodle has two main pages, one for students and one for staff. The learning environment contains materials and content produced by users (teachers / other staff, students).

Personal data is used for:

• managing Moodle user rights;

• enabling interaction between users in their own groups;

• learning and guiding students’ learning and giving feedback on their performance.

Personal data recorded in the log when using the service is used for:

• monitoring the performance of the server and data communications;

• investigating technical problems and violations.

Article 6(1)(c) of the General Data Protection Regulation of the European Union: Processing is necessary for compliance with a legal obligation to which the controller is subject.

Teachers and other staff at Esbo Arbis:

• User’s name
• Teaching groups
• Encrypted unique identifier
• Email address
• Username
• Password
• Content produced by teachers / other staff

Students:

• User’s name
• Information on participation in courses (course, group etc.)
• Encrypted unique identifier
• Email address
• Username
• Password
• Content produced or information added by the student

Content produced by teachers, other staff members or the student refers to images, texts, links, videos and audio files recorded in the system.

The required personal data is provided when signing up for an online course through Ilmonet or by phone. The data is stored in the Kursor system (see separate privacy notice for the Kursor system). Students activate their own user IDs through Moodle. The teacher adds students to their course through Kursor with the help of an attendance list.

The teacher first creates their own user ID as a student user, after which the administrator gives them a teacher’s user rights so that they can create their own courses (‘course creator’).

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law.

The disclosure of public information from a register controlled by an authority is based on section 16, subsection 3 of the Act on the Openness of Government Activities. According to the act, the party requesting access must have the right to record and use the personal data in question. Personal data can only be disclosed following a detailed request for data. (Act on the Openness of Government Activities, section 13, subsection 2)

Public information may only be disclosed for the purposes of direct marketing, polls or market research with the consent of the data subject or the guardian of a minor.

Confidential information may only be disclosed with the consent of the data subject or the guardian of a minor or, in individual cases, based on a separately requested authorisation. (Act on the Openness of Government Activities, section 28)

Confidential information may only be disclosed with the express consent of the data subject or the guardian of a minor or if there is a specific provision on the collection of information or the right of access (Act on the Openness of Government Activities, chapter 7).

As a rule, personal data is not disclosed to third parties.

Log data is not disclosed to third parties.

Data will not be transferred outside the EU or the EEA.

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

Personal data is stored in the service for three (3) months after the use of the service has ended.

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history: -