Online exams

Information in accordance with the information obligation under Art. 13 GDPR

This supplementary declaration contains information on how and to what extent Clausthal University of Technology collects data in the context of online exams and how this data is processed. An online exam is understood to be any format in which exam content is provided via the Moodle system and exam supervision takes place via the BBB video conferencing service. Both systems are operated independently by TU Clausthal at the Clausthal-Zellerfeld site. The data collected will only be processed and used within Clausthal University of Technology and will not be passed on to third parties.

Further contact persons

The respective examiner is responsible for the content and specific design of online exams. Students are informed of the contact details at the beginning of each course.

The Moodle system and the Clausthal University of Technology video conferencing system BBB are operated by the Clausthal University of Technology Computer Center. If you have any technical questions, please contact support@rz.tu-clausthal.de.

Legal basis for the processing of personal data

The basis for the processing of personal data is, in principle, § 17 para. 1 NHG. In addition, the General Examination Regulations (APO) of Clausthal University of Technology apply in their currently valid version.

Insofar as we have the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which Clausthal University of Technology is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

Under the conditions of the COVID-19 pandemic, the implementation of online exams is also based on a public interest in combination with the protection of vital interests of the data subjects in accordance with Art. 6 para. 1 lit. d and e GDPR.

Moodle system of the TU Clausthal

Personal data is processed by us for the purpose of administrative user management, for contacting and interacting with users and for providing personalized services, for carrying out studies as students or activities as employees at Clausthal University of Technology. The website https://moodle.tu-clausthal.de/ is an internal, access-restricted area to which only TU members (students and individual employee groups) are granted access after a registration process. As part of online exams, examiners provide exam content here that can be accessed by students and submitted within a specified time window. All exam participants are prohibited from making sound and image recordings during online exams; this includes making screen recordings (screenshots) or videos of exam content as well as transmitting (streaming) video and audio data to external platforms.

Type and scope of data collected

The following data is automatically collected and processed for the use of Moodle:

  • Login data (user name and password, first name, last name, matriculation number, TU e-mail address)
  • Log file data (IP address, date, time and browser version at the time of access)

The temporary storage of this data by the system is necessary for the registration process in order to enable the delivery of requested documents to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. The data is stored in log files to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of the information technology systems.

Other data that may be stored by users is content that is uploaded to the Moodle system by the users themselves as part of their studies or work as employees of Clausthal University of Technology. The disclosure of this data by the user is expressly voluntary. This includes:

  • Voluntary personal details, posts in forums, chat histories, internal messages, calendar entries and timetables, participation in courses, study groups, organizational committees, personal settings and configurations.

A personal description, picture and other data can be entered in the respective personal profile. These can be viewed by other registered users. The visibility of the e-mail address in the user profile for others can be set.

The following personal data is stored in the context of online exams:

  • Introductory questions ("Do you confirm that you are in good health to take the exam?", "Do you confirm that you will complete the exam without outside help and only with the permitted aids?", "Do you confirm that you have registered with your own RZ ID?" and "Do you have the technical requirements and skills to take this exam?"),
  • Start and end of processing, information on which data was downloaded, answers of each student, evaluation of answers, points awarded.

Duration of data storage

The personal data you have entered yourself in Moodle will be stored for the duration of your studies/employment at Clausthal University of Technology. Your data will be deleted once your employment has ended and the statutory retention periods have expired. This includes, for example, your self-completed profile data. Exceptions are forum entries, which are retained even after a user has left the university.

In the case of online exams, the retention period is 5 years for all associated uploaded data and entries.

Cookies

Moodle uses a session cookie. This small text file only contains an encrypted character string that helps you navigate the system. The cookie is deleted when you log out of Moodle or close the browser.

Server log files

Log file data is collected and used only for purely statistical evaluation of the learning platform. It is not stored or evaluated in connection with names or e-mail addresses. This data is stored for a period of 180 days on secure systems at Clausthal University of Technology and is also not passed on to third parties.

SSL encryption

The connection to Moodle is made using SSL encryption (https). Data encrypted via SSL cannot be read by third parties.

BBB video conferencing system

Personal data is processed by us for the purpose of administrative user management, for contacting and interacting with users and for providing personalized services, for carrying out studies as students or activities as employees at Clausthal University of Technology. The video conferencing system is used in the context of online exams for exam supervision. This may include checking the identity of students, making announcements by examiners or answering questions and ensuring that the exam runs smoothly. Recordings of video conference sessions are prevented on the server side for the BBB system at Clausthal University of Technology. The creation of sound and image recordings during online exams is prohibited; this includes the creation of screen recordings (screenshots) or videos as well as the transmission (streaming) of video and audio data to external platforms.

Type and scope of data collected

The following data is automatically collected and processed for the use of BBB:

  • User ID (user name and password, first name, surname, TU e-mail address)
  • Log file data (IP address, date, time and browser version at the time of access)

The temporary storage of this data by the system is necessary for the login process in order to enable the delivery of requested documents to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

The BBB video conferencing service enables the transmission of audio, image and text data between a defined, limited group of participants. Participants must independently release their webcam or microphone for this purpose. Examiners inform students before the exam whether an identity check will be carried out via the BBB video conferencing service. The student will be asked to hold their ID up to the camera. The creation of biometric profiles or biometric identification is expressly not carried out. Examiners can request that the student's camera remains switched on during the online exam to ensure that the exam is conducted properly. A request may be made to pan the camera around the room. Examiners may request that participants respond to chat messages in the BBB. Students may be asked by the supervisor to enter a breakout room with a private chat message. The request to pan the camera and/or to be shown specific objects is permitted. The video conferencing system for online exams is configured in such a way that the individual exam participants cannot see or hear each other. Data is not passed on to third parties.

Duration of data storage

The content of the video conference, such as audio, image and text data, will not be processed after the video conference has ended and will be deleted at the end of the session. The content of the BBB chat can be documented by the examiners in the examination record. The examination record has a retention period of 5 years. Statistical data such as the number of video conferences per calendar day or the number of participants per video conference session are processed anonymously and are used to optimize the video conference service.

SSL encryption

The connection to the BBB video conferencing service is made using SSL encryption (https). Data encrypted via SSL cannot be read by third parties.

Rights of data subjects

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in particular vis-à-vis the controller:

Right of access pursuant to Art. 15 GDPR

You can request confirmation from the controller as to whether personal data concerning you is being processed by Clausthal University of Technology.

Right to rectification in accordance with Art. 16 GDPR

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. Please contact the controller immediately if you dispute the accuracy or incompleteness of your personal data.

Right to restriction of processing pursuant to Art. 18 GDPR

Under certain circumstances, you may request the restriction of the processing of personal data concerning you, e.g. if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data or if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.

Right to data portability pursuant to Art. 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, provided that (1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and (2) the processing is carried out by automated means. The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Automated decision-making in individual cases including profiling in accordance with Art. 22 GDPR

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. A purely automated evaluation of the exam without a personal professional assessment by the examiner is not permitted.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.