Last update: December 12th 2017
When you make use of our LMS - via the website or Canvas apps - we will process various personal data of you. UvA is the data controller for the processing of your personal data under the applicable data protection law.
1. What kind of personal data do we process from you?
1.1 Your personal data is any data that is directly or indirectly attributable to you. The personal data we may collect from you when you register as a employee or student and use the LMS may include your name, e-mail address, login name and password, unique identification number, IP address, browser details, logging information and any information included in your communication with us or uploaded by you through the LMS (including but not limited to inquiries and input on the discussion forum and documents provided).
1.2 If you are a student: We may also process the following data of you: student number, details of the courses followed, uploaded files, feedback of the submitted and study results.
1.3 If you are a (guest) lecturer and teaching assistant: We may also process the following data of you: details of the courses given and feedback of the submitted work.
2. For what purposes do we process your personal data?
2.1 UvA will only process your personal data in the context of the use of the LMS, more specifically for the following purposes:
a. access control and safeguarding of your account;
b. enabling you to use the features and services of the LMS;
c. for maintaining contact with you in relation to your use of the LMS and - if you are a student - for your education program with UvA;
d. optimizing the LMS;
e. for the handling of your requests, any complaints or disputes, and the investigation in this respect;
f. for performance of audits;
g. to meet with our statutory obligations.
3. Who has access to your personal data?
3.1 Your personal data may be accessed by our employees or other persons engaged on our behalf on a need-to-know basis only, such as lecturers, study counsellors, policy makers and administrative personnel. Also, you may make certain information available within the LMS and for certain participants, for example by participating in group discussions. Next to that, we may also instruct trusted third parties to perform services in respect of processing your personal data on our behalf. With such service providers we have concluded data processing agreements in order to secure the processing of your personal data.
3.2 As one of our data processors, we have involved Instructure Global Ltd (Instructure), located in the United Kingdom (UK), being the hosting provider of the LMS. As Instructure may access your personal data via its affiliate Instructure Inc, located in Utah, United States of America (US), we have not only concluded a data processing agreement with Instructure, but also a data transfer agreement based on the Standard Contractual Clauses (controller / processor) validated by the European Commission, to safeguard the transfer of your personal data to Instructure. In addition Instructure Inc is certified under the Privacy Shield. For the delivery of the LMS, Instructure may involve its affiliates or third parties as sub-data processors in accordance with the data processing agreement that has been concluded between UvA and Instructure.
3.3 When you make use of our external plug-ins or social media buttons within the LMS environment, your personal data may be shared with the respective provider of such plug-in. You may find an overview of possible plug-in providers here. Please note that the plug-in providers may process your personal data for their own purposes and may therefore qualify as data controllers. Neither UvA nor Instructure is responsible for the data processing activities carried out by these parties when acting as a data controller. We advise you to check out their respective privacy policies.
4. How is your personal data secured?
4.1 We have implemented technical and organizational measures to safeguard your personal data. These measures include, among others:
a. measures to ensure that only authorized personnel have access to thepersonal data;
b. measures to protect the personal data against unintentional or unlawful destruction, unintentional loss or revision and unauthorized or unlawful storage, processing, access or disclosure;
c. measures to identify weak links in the personal data processing systems.
5. How long will your personal data be retained?
6. How can you exercise your rights?
You may contact us at:
University of Amsterdam
Attn: Data Protection Officer (Functionaris Gegevensbescherming) Secretariaat Juridische Zaken