Brightspace

nl

Brightspace

CAT > Brightspace support > Privacy Statement

Privacy Statement

In this privacy statement, we explain what happens with your personal data and how these are processed when you use Brightspace.

Who is responsible for processing data?

Utrecht University, located at Heidelberglaan 8, 3584 CS Utrecht, is responsible for processing your data in the ways outlined in this statement.

For what goal is my personal data processed?

Your personal data is processed to make the functionality and use of Brightspace possible. This functionality is that of the Learning Management System, where study materials can be centrally made accessible to students.

What personal data is processed?

The following student data is processed:

  • Name,
  • UU-email address,
  • Solis-ID,
  • Student Number
  • IP-address for logging in to the system,
  • Enrolled courses and their content, including results and information related to the courses, including the discussion board and actions you take in the course itself.

The following teacher data is processed:

  • Name,
  • UU-email address,
  • Solis-ID
  • IP-address for logging in to the system,
  • Enrolled courses and their content, including data related to given courses and future courses.

How long is this data stored?

Your Brightspace account is connected to your UU-account. The account will be archived and anonymized automatically 2 years after your UU-account is deactivated. (3 months after unenrollment or termination of employment).

Content in Brightspace courses will exist until it is deleted and will be automatically deleted after seven years.

Is my data shared with third parties?

Your data is shared with D2L, the company that offers Brightspace. Under certain conditions, your data can also be shared with subsidiaries of D2L.

D2L shares, as part of the Brightspace service, data with Amazon Web Services, Servicenow / Servicecloud, Atomic Jolt.

Is my data shared with countries outside the EU?

Your data is possibly given to the following countries:

  • United Kingdom,
  • Australia,
  • Canada,
  • Ireland

The list above contains multiple countries. The biggest part of this list contains subsidiaries of D2L. These companies get access to the data when Utrecht University has technical issues outside office hours.

What is the legal basis for this data processing?

For students, the legal basis is the performance of a task carried out in the public interest. The public interest that is served by this processing is the teaching duties that Utrecht University has according to the Higher education and Research Act (WHW).

For employees, the legal basis for the processing of their personal data is the legitimate interests of the controller. The legitimate interest of Utrecht University in the processing of this data is to make it possible for teachers to teach. More specifically, the purpose is to make it possible for teachers to communicate study material to students. Brightspace fulfills this function as a Learning Management System. The data that is processed of teachers is limited and has a minimal impact on the personal sphere of the teacher. We can thus safely conclude that the legitimate interest of Utrecht University takes precedence.

What rights do I have according to the GDPR and how can I exercise these rights?

As a data subject, you have the following rights: right of access, right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing, and the right to object to data processing. If you want to exercise these rights, you can direct your request to Privacy@uu.nl. During this procedure, you could be asked for personal identification.

When you file an objection, a decision will be made on a case-by-case basis on whether it will be sustained or rejected. Utrecht University will stop processing your data unless there are urgent legal reasons that outweigh your interests, rights, and freedoms.

 

Is automated profiling or decision-making used?

The UU does not use automated profiling or automated decision-making. This means that decisions will never be made without human intervention.

Questions

If you have questions about this privacy statement, please direct them towards  privacy@uu.nl. Do you want to file a complaint? You can send your complaint to the data protection officer of Utrecht University, who can be contacted via fg@uu.nl. You can also file a complaint at the Autoriteit Persoonsgegevens, the national regulatory authority for privacy and the GDPR.