List of active policies
ZHAW Data Protection Notice:
Für Deutsch wählen sie die Sprache im Menü
In this document, we provide you with information on how your data is collected and processed on Moodle.
This data protection notice gives an overview of how data is collected and processed in the learning management system (https://moodle.zhaw.ch) of the ZHAW (hereinafter referred to as “Moodle”). Moodle is an open-source learning management system (LMS) and is used by the ZHAW as its main learning platform. The courses located on Moodle provide students with a source of information and learning resources. Moodle is also used for assessments. This data protection notice is aimed at all users of Moodle, in particular students and teaching staff.
Who operates Moodle at the ZHAW?
Moodle is hosted and operated at the ZHAW. The LMS team, which comprises e-learning experts from the Teaching Technologies and Didactics section (President’s Office) as well as employees from the Teaching and Studying ICT Group (Finance and Services), ensures the provision of user and technical support as well as the development of Moodle. External IT specialists, generally employees from official Moodle partners, are also tasked with providing technical support and developing Moodle on a project and needs-specific basis.
What sources and data do we use?
We process data that you actively enter yourself, including forum posts, wiki contributions, solved tasks and exam answers, as well as additions to your profile. Then there is data about the grading of tests, tasks and assessments, which is either generated automatically or actively entered by your course supervisor. We also record which courses you use as well as what you do in these courses and when (e.g. which pages you visited). Master data such as your name and e-mail address is also processed. This data can be provided from other internal systems such as Evento and Active Directory as well as from external services like SWITCH edu-ID. Log files record every visit to Moodle and include data such as the IP address, information on the browser type and the date and time that Moodle was accessed.
Why do we process your data (processing purpose) and on what legal basis do we do so?
We process your data in order to provide you with access to the ZHAW’s e-learning offerings in the areas of academic programmes and continuing education courses and to ensure university operations. This allows you to interact with one another in various activities such as chats, forums, surveys or tests. Processing your master data enables us to identify you and authorise you to use Moodle. It also means that the Moodle settings defined by you are available again in the same form the next time you log in. Log files are initially saved for statistical purposes, to secure the service, to analyse cyber attacks and to ensure technical stability. On the other hand, we may access log files in the context of examinations or assessments in order to check whether there has been any dishonest conduct or to enable us to better track technical problems.
Moodle has a learning analytics function. It works on the basis of usage data from the past and current user behaviour and aims to predict the learning success of individual learners and to make diagnoses and recommendations. We currently only use this function in selected projects for purposes of internal research.
We process your data in accordance with the provisions of the law on Information and Data Protection (IDG) of the Canton of Zurich, the Swiss Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR) to the extent that their corresponding regulations are applicable.
Data processing on the basis of legal requirements or to perform a task in the public interest
§ 6a of the FaHG law governing the Zurich universities of applied sciences and arts grants us the legal authority to process your data. This involves fulfilling the tasks that we as a university are granted by law. Among other things, our service mandate includes the provision of academic programmes, continuing education and applied research (§ 6 – 8 of the ZHAW university regulations).
To meet contractual obligations
We sometimes also process your data as this is necessary for executing a contract concluded with you, for example in the area of continuing education.
To protect our legitimate interests
Examples include establishing legal claims and defending legal disputes, ensuring IT security and IT operations, analysing traffic on Moodle and improving its functionality, and preventing and investigating criminal offences.
Based on your consent
To the extent that you have given us your consent to process your personal data for specific purposes, such processing is lawful based on your consent. Your consent may be revoked at any time. The revocation of consent does not affect the lawfulness of data processed before the revocation.
Your data is processed on our own servers in Switzerland with all due care and attention, and it is securely protected from being accessed by any unauthorised third parties. The ZHAW implements the necessary technical and organisational measures to ensure that the security of your data is maintained.
Who receives my data?
Within the ZHAW, access to your data will only be granted to those employees who require it to fulfil their tasks. These may be course directors, lecturers, administrative staff, support staff or administrators.
Other course participants have access to the courses that have been activated for them. Within these courses, they can see the first name, last name, email address and course contents (e.g. individual forum posts) of the other course participants.
Your data will only be disclosed to third parties (e.g. other public bodies) if this is done within the framework of a legal or official obligation or if the disclosure is necessary for legal or criminal prosecution. The ZHAW may, where necessary, commission external service providers to process your data for the purposes described above. These include companies in the categories of IT services and telecommunications. In these cases, the ZHAW takes the required measures to ensure compliance with the applicable data protection provisions.
The disclosure of certain data to providers of external services that are embedded in Moodle is described below.
How long will my data be stored?
We process and store your personal data for as long as is necessary to fulfil our contractual and statutory obligations or for as long as we consider it necessary for the purposes for which it is being processed.
What are my data protection rights?
You are entitled to different rights depending on the applicable legal basis. If the IDG is applicable, the following applies: you have the right to access your own personal data (§ 20(2) IDG), the right to have incorrect personal data corrected or destroyed (§ 21(a) IDG), the right to stop the unlawful processing of your data (§ 21(b) IDG), the right to the rectification of consequences arising from the unlawful processing of your data (§ 21(c) IDG), the right to determine the unlawful processing of your data (§ 21(d) IDG) and the right to have your data blocked (§ 22 IDG). If the GDPR is applicable, the following applies: you have the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR). In addition, there is a right to lodge a complaint with a competent data protection supervisory authority (Art. 77 GDPR). You may revoke consent to the processing of personal data at any time by informing us accordingly. Please note that such revocation will only be valid for the future and does not affect any processing done before the date of revocation.
Is “profiling” done?
The learning analytics function processes your data on an automated basis with the goal of evaluating certain personal aspects (i.e. profiling). We currently only use this function in selected projects for purposes of internal research.
Cookies are text files that are placed and stored on a computer system through a web browser. Moodle uses two different cookies (small text files) which are stored on your device. The first is the “Moodle Session” cookie, which you have to allow so that you remain logged in when moving from page to page when accessing Moodle. After logging out or closing your web browser, the cookie is deleted. The second cookie is the “Moodle ID” cookie, which serves to make things more convenient for you by saving your login name in the web browser. This cookie remains on your device even after logging out of Moodle, meaning that the next time you log in, your login name is already entered. If you do not allow this cookie, you will be required to re-enter your login name each time you wish to access Moodle. In addition to Moodle, providers of other services that are linked to Moodle can also place cookies on your device. You can at any time prevent cookies from being stored by means of a corresponding setting on your browser and thus permanently prevent them from being placed. In addition, previously stored cookies can be deleted at any time via your browser or other software programs.
Statistics / IT system logs
The website moodle.zhaw.ch and its direct sub-pages use web analytics software (currently Matomo). Known as tracking, this can be disabled by using the Do Not Track setting found in most web browsers. This setting adds a Do Not Track tag to the header of the browser request, indicating that the user does not want their browsing behaviour tracked.
IT system logs
Whenever you use the Internet, for example when accessing websites or sending e-mails, data is automatically transmitted that, in some cases, could be classified as personal data and stored by us in what are known as system logs. The system logs are stored by the ZHAW to identify errors or for security reasons. If the data is no longer required to fulfil operational or statutory obligations, it will be deleted.
On Moodle, users can integrate external content, for example from YouTube, Quizlet, Padlet and many more. When accessing the relevant site, the IP address is generally transmitted to the respective providers of the external content, and they may place cookies. If the person who accesses the page is also logged into the network of the respective third-party provider at the same time, activities can be assigned to their user account depending on the provider. While the ZHAW has a legitimate interest in integrating external content, it has no control over the manner in which the data is transmitted. The ZHAW guidelines on linking to Moodle (in German) govern the embedding of external content and the linking of third-party services on Moodle.
The Branded Moodle app (hereinafter referred to as the “Moodle app”) is a mobile app developed by Moodle Pty Ltd and branded for the ZHAW for accessing Moodle (exclusively moodle.zhaw.ch). When using the app, data is retrieved from our own Moodle servers.
Offline functionality and downloading data
To use certain materials (e.g. H5P) and offline courses, data is downloaded to your device. This data can be removed again via the settings in the app. Your are responsible for ensuring the careful handling of this data and data security on your device.
The Moodle app can send push notifications to your device if its operating system supports the encryption of push notifications (from iOS 13 or Android 8 and above). Push notifications are messages from an app that is not open that appear on your device’s screen. You can select which types of push notifications you would like to receive via the settings in the app. The push notifications are end-to-end encrypted and sent to the app by Moodle. This is done via a system comprising an AirNotifier, an external server hosted by AWS in Ireland, and the official services for sending push notifications of Google (Firebase Cloud Messaging) and Apple (Apple Push Notification System).
Changes to the data protection notice
The data protection notice is updated on an ongoing basis. You will be informed of any changes.
Who is responsible for data processing and how can I contact them?
Responsibility lies with:
ZHAW Zurich University of Applied Sciences,
Telephone: +41 (0)58 934 71 71,
If you have any questions on data protection, please contact:
ZHAW Zurich University of Applied Sciences,
President’s Office, Gertrudstrasse 15,