Privacy Statement – Digital Learning Environment
Last update: October 2022
Privacy is a highly important topic for the University of Amsterdam (UvA, we/us/our), and therefore the UvA handles your personal data with care. In this Privacy Statement we describe how personal data is processed in The Digital Learning Environment (DLE) and how the privacy of all users of the DLE is protected. It informs you of our privacy practices and security measures concerning the personal data we may collect from you when you use the DLE via website or Canvas apps.
In addition to this specific DLE Privacy statement, the UvA also has a general Privacy statement UvA Privacy Statement which explains the purposes and methods for processing personal data obtained through all the UvA website(s) (which also include(s) (canvas.uva.nl)
The most recent version of this Privacy Statement is dated: October 31st 2022 and replaces any previous version(s).
1. Who is responsible for processing my personal data?
When you use our DLE - via the website or Canvas apps - we will process various personal data of you.
The UvA is responsible for processing your personal data within the meaning of the General Data Protection Regulation (‘GDPR’). The UvA is located at Spui 21, 1012 WX Amsterdam. Our postal address is PO Box 19268, 1000 WX Amsterdam.
Any questions about this privacy statement or about data that are processed in the UvA DLE you might have, can be emailed to email@example.com
2. What personal data do we process?
2.1. Your personal data is any data directly or indirectly attributable to you. The personal data we may collect from you when you register as an employee or student and use the DLE may include your name, e-mail address, login name and password, unique identification number (SIS-ID and the LMS user ID, which is only used in Canvas and not in any other system), IP address, browser details (type of browser and browser version, desktop or mobile app), logging information and any information included in your communication with the UvA or uploaded by you through the DLE (including but not limited to inquiries and input on the discussion forum and documents provided).
2.2 If you are a student: We may also process the following data: student number, details of the courses followed, uploaded files, feedback on submitted work and study results.
2.3 If you are a (guest) lecturer and teaching assistant: We may also process the following data: details of the courses given and feedback on submitted work.
2.4 A synopsis of personal data that is processed in the different DLE tooling can be found in this overview of DLE tooling.
3. Personal data as available via your Canvas profile
Other users of the DLE (students, teachers, support staff) that are enrolled in courses you are enrolled to have access to some of your personal data. This concerns data from your Canvas personal profile (https://canvas.uva.nl/profile):
- Display name
- Biography (if added via https://canvas.uva.nl/profile)
- Personal pronouns (if added via https://canvas.uva.nl/profile/settings)
- Links to websites (if added via https://canvas.uva.nl/profile/settings)
Teachers of the courses you are enrolled in will also see your LoginId/SIS-ID.
You cannot change your display name or your primary email address
4. For what purposes do we process personal data?
The UvA will only process your personal data in the context of the use of the DLE, more specifically for the following purposes:
- access control and safeguarding of your account;
- to check if the student can be identified as the individual that participated in the DLE, for example to give the student access to the DLE and to identify the student when submitting assignments;
- enabling you to use the features and services of the DLE;
- for maintaining contact with you about your use of the DLE and - if you are a student - for your study programme at the UvA;
- optimizing the DLE; and its usage to meet the needs of students, teachers and supporting roles
- for executing, developing, measuring, improving and evaluating the educational processes in general.
- for the handling of your requests, any complaints or disputes, and the investigation in this respect; and
- performing of audits.
4. Lawfulness of processing
4.1. We process your personal data on the basis of 'Public Task ' (article 6.1 (e) GDPR). This means that processing your data is necessary for the performance of a task of the University of Amsterdam carried out in the public interest (article 6.1 e GDPR), i.e. providing and managing (online) education.
5. Who has access to your personal data?
5.1. Your personal data may be accessed by our employees or other persons engaged on our behalf on a need-to-know basis only, such as lecturers, study counsellors,policymakers and administrative personnel. You may make certain additional information available within the DLE and for certain participants, for example by participating in group discussions. The UvA may also instruct trusted third parties to perform services in respect of processing your personal data on our behalf. With such service providers we have concluded data processing agreements to ensure that your personal data is processed carefully, securely and in accordance with GDPR. Our processing agreements also stipulates that the service provider (processor) and its subcontractors (sub‐processors) may never process the personal data for their own purposes and may only act in accordance with instructions of the UvA.
5.3. When you use our external plug-ins or social media buttons within the DLE environment, your personal data may be shared with the respective provider of such plug-in. You can find an overview of possible plug-in providers via https://canvas.uva.nl/profile/settings under “webservices”. Please note that the plug-in providers may process your personal data for their own purposes and may therefore qualify as data controllers. Neither UvA nor Instructure is responsible for the data processing activities carried out by these parties when acting as a data controller. We advise you to check out their respective privacy policies.
6. How is the impact on your privacy interests minimized and how do we protect your personal data?
6.1. For each application that’s being added to the UvA UvA DLE, including any significant change of the current UvA DLE applications, the applicable privacy & security procedure has been executed. Within this procedure the privacy- and security risks and the needed measures are identified by different roles (like the privacy officer, security officer, representatives of the Works Council and the Students Council) and the technical and organizational measures to safeguard your personal data are implemented.
6.2. We have implemented technical and organizational measures to safeguard your personal data. These measures include, among others:
- measures to ensure that only authorized personnel have access to the personal data; (for example, access will be granted on a need to know bases only);
- measures to protect the personal data against unintentional or unlawful destruction, unintentional loss or revision and unauthorized or unlawful storage, processing, access or disclosure; (for example, access to and processing of the personal data is being monitored constantly);
- measures to identify weak links in the personal data processing systems. (for example, periodic audits will be executed by the appropriate officers and councils to identify any weaknesses on technical or organizational levels).
- The risks and implemented measures will be evaluated periodically and will be supplemented and/or amended if needed.
For more information about UvA’s privacy & security procedure (IB&P and DPIA):
UvA students go to: https://student.uva.nl/en/content/az/privacy/privacy.html
UvA Employees go to: https://medewerker.uva.nl/en/content-secured/az/privacy/privacy.html
7. How long do we retain your personal data?
We will process your personal data for as long as necessary for the purposes as stated in this Privacy Statement. The personal data shall not be kept for longer than is necessary for the purposes as stated in this Privacy Statement, in accordance with the applicable data protection laws, unless you have submitted a reasonable and valid request to delete your personal data.
8. Questions and complaints
9. How can I exercise my privacy rights?
On the basis of the current GDPR, you have the right ‐ subject to certain conditions ‐ to access the personal data that we process, to correct your personal data if it contains factual inaccuracies, to have your personal data deleted, to limit the processing of your personal data, and to object to the processing of your personal data.
If you wish to exercise any of these privacy rights, you can contact the Privacy team via: firstname.lastname@example.org
To be able to deal with your request, you will be asked to provide proof of identity via e.g. your UvA e-mail address.