Privacy notice regarding electronic remote examinations
Here you can find out how Hochschule München processes your personal data in connection with examinations in the 2020/2021 winter semester, which are being held online rather than in person due to the SARS-CoV-2 pandemic.
Data protection is a key priority for Hochschule München (HM) and a legal obligation. To ensure that personal data is adequately protected during transmission, HM uses state-of-the-art encryption methods (e.g. SSL/TLS) and secure technical systems.
Wherever the term ‘data’ is used in the text, it refers exclusively to personal data as defined by the GDPR.
Data controller
HM Hochschule München University of Applied Sciences
Lothstraße 34
D-80335 München
Tel.: +49 89 12 65 - 0
Fax: +49 89 12 65 - 3000
Email: kommunikation@hm.edu
Website: www.hm.edu
HM Hochschule München University of Applied Sciences is a public-law body. It is legally represented by its President, Prof. Dr Martin Leitner.
Government Data Protection Officer
The Data Protection Officer at Hochschule München can be contacted by email at datenschutzbeauftragter@hm.edu and by telephone on +49 9951 99990-500.
Purpose and scope of processing
Purpose
We process your personal data for the purpose of conducting electronic remote examinations. This may take the form of examinations with grading at the end of the semester or assessments carried out throughout the semester.
The types of examination affected are:
- Written examination on paper at home, supervised via video conference
- Oral examination via video conference
- Presentations / seminars via video conference
- Moodle exams on a home computer; supervised via video conference
- Remote EXaHM; with video conference supervision (for registered users only)
The categories of people affected are:
- lecturers
- students
- Supervisors
- other participants in the online examination
Scope of data processing
When using a video conferencing system for remote electronic examinations, various types of data are processed. The scope of the data also depends on what data is generated before or during participation in a remote electronic examination.
The following personal data is subject to processing:
Personal data of the organiser of an electronic remote examination
- Details of the user of the relevant tool: email address and password, as well as first name and surname; and, optionally, if provided voluntarily by the user, a profile picture and telephone number.
- Meeting metadata for the relevant examination: subject, IP address, device and hardware information, and, optionally, if provided by the organiser, a description.
Personal data of students
taking part in an online remote examination. In order to take part in an online remote examination, students are required to provide the following information:
a. To log in to the tool being used:
Different video conferencing systems require different minimum details when logging in. As a rule, however, the email address and password are processed as the minimum details required to log in to the tool. After logging in, profile data is also processed: this usually consists of the first name and surname, as well as, optionally, a profile picture and telephone number, if provided by the user.
- Zoom requires the user’s name as the minimum information upon registration.
- BigBlueButton (BBB) is integrated via Moodle, so the name stored in Moodle is displayed here.
b. To sit an electronic remote examination:
The exact scope of the data required depends on what the examiners deem necessary for participation in an online remote examination. In order to take part in an online remote examination, students must, in all cases, provide the following information:
- The supervisor verifies the student’s identity either by checking their student card, which is held up to the webcam, or by comparing the examinees with the photographs submitted during enrolment for the production of student cards.
- Audio and video data: Video and audio data are processed during the examination in order to ensure that students complete the examination themselves throughout the entire duration of the examination and to prevent cheating (such as copying answers). To enable the display of video and the playback of audio, data from the end device’s microphone and from any video camera on the end device or connected to it will be processed throughout the entire duration of the remote electronic examination. No recording takes place. The video camera used for examination supervision merely shows the examinee’s workspace. There is no further monitoring of the room in which the examinees are located, in particular no 360° surveillance. Room scans or camera pans before the start of the examination, or for any other reason, are prohibited. Candidates must remain visible from the side throughout the entire duration of the electronic remote examination, so that their head, upper body, hands, writing materials, keyboard and computer are visible to the invigilator.
- Text data: To ensure accessibility and communication during the examination, particularly in the event of technical problems, it is possible to use the chat and question functions – and, in some cases, the survey function – during an electronic remote examination. In this regard, the text entered will be processed in order to display it during the electronic remote examination and, where necessary, to log it.
- To ensure communication between the recipient and the sender, and to detect, isolate and rectify faults, as well as to prevent fraudulent activities (under-reporting), log files are stored on the examination servers during the examination.
- The examination documents are processed for the purpose of marking the examination. No automated decision-making within the meaning of Article 22 of the GDPR takes place.
Legal basis for processing
Legal basis for the processing of electronic end-of-semester distance examinations and evidence of work completed during the semester
a. Processing of students’ personal data for the purposes of authentication and identity verification:
The student’s identity may be verified either by means of a photo ID (usually a student card with a photograph), which the student must present upon request before the start of an online examination (the legal basis for data processing is Section 5(1), first sentence, of the Bavarian Examination Regulations (BayFEV) in conjunction with Article 84(6), second sentence, No. 3, of the Bavarian Higher Education Act (BayHIG), Article 6(1), first subparagraph, point (e), and paragraphs 2 and 3 of the GDPR) or by cross-referencing the examination candidates with the photographs submitted to the Student Administration Office for the production of student cards, provided that this is clearly in the interests of the examination candidates and there is no reason to believe that they would withhold their consent to this (Article 6(2)(1) of the Bavarian Data Protection Act (BayDSG)). Students may object to the latter authentication method at any time. Data processed in connection with authentication is not stored beyond what is technically necessary for temporary storage.
b. Processing of students’ personal data for the purpose of preventing fraudulent acts
In order to prevent cheating, students’ audio and video data is processed via video conferencing.
If the video conference is conducted in such a way that the examination candidate’s audio and video data are transmitted only to the relevant invigilator, then the legal basis for the data processing is Section 6 of the Bavarian Examination Regulations (BayFEV) in conjunction with Article 84(6), second sentence, No. 4 of the Bavarian Higher Education Act (BayHIG), Article 6(1), first subparagraph, point (e), and paragraphs 2 and 3 of the General Data Protection Regulation (GDPR).
If, on the other hand, the examination workstation is visible during the video conference not only to the invigilator but also to all examination candidates, then the processing of audio and video data takes place on the legal basis of consent under data protection law, in accordance with Article 6(1), first subparagraph, point (a), in conjunction with Article 7 of the GDPR. Participation in the remote electronic examination is not compulsory under examination regulations but is voluntary; consequently, it must be assumed here that consent is given voluntarily under data protection law as a prerequisite for the validity of consent to the processing of audio and video data for the purpose of preventing acts of deception. Consent is, in principle, voluntary if the person giving consent has a genuine and free choice and is therefore able to refuse or withdraw consent without suffering any disadvantages. There is no risk of disadvantage to students if they do not give or withdraw their consent, as Hochschule München offers in-person examinations on the same dates (i.e. examinations within the same examination period) without supervision via a video conferencing system (Section 8 BayFEV).
c. Processing of log files, cookies and security updates:
- Log files, cookies and security updates are technically necessary for the ‘Electronic Remote Examination Service’, for the testing and/or maintenance of the systems, and to ensure the network and information security of Hochschule München. The processing of personal data is carried out in accordance with the BayFEV in conjunction with Article 84(6) of the Bavarian Higher Education Act (BayHIG), Article 6(1), first subparagraph, points (c) and (e) of the GDPR, in conjunction with Article 6(1) of the Bavarian Data Protection Act (BayDSG).
- To prevent cheating (plagiarism), the log files generated both during registration on the Moodle examination server and during the examination are stored on the examination servers and analysed. The legal basis for this is Section 4(1) and (2) of the Bavarian Examination Regulations (BayFEV) in conjunction with Article 6(1), first subparagraph, points (c) and (e) of the General Data Protection Regulation (GDPR), in conjunction with Article 4(1) of the Bavarian Data Protection Act (BayDSG).
Legal basis for voluntary, ungraded examinations held during the semester
The processing of personal data for the purpose of sitting voluntary, unmarked examinations held during the semester (practice examinations in accordance with Section 10 of the Bavarian Examination Regulations (BayFEV)) is carried out on the legal basis of consent in accordance with Article 6(1)(a) in conjunction with Article 7 of the GDPR.
Recipients or categories of recipients of personal data
Student cards, video and audio data are processed solely for the purpose of conducting electronic remote examinations and are shared internally within the university with the following departments:
- Examination invigilation
- Where applicable, other examination candidates, provided that the examination is supervised via Zoom. If the examination is supervised via BBB, other examination candidates will not, as a rule, be able to view the video feed of the students taking the examination.
Examination papers will be forwarded for marking and, where necessary, for review to:
- Examiners (first examiner, and second examiner where applicable)
- Members of examination bodies appointed on an ad hoc basis (Section 3 of the RaPO)
- as required: Legal Department / Legal Service
The following parties have access to the log files and the analyses carried out to prevent fraudulent activities:
- System administrators
- Examiners (first examiner, and second examiner where applicable)
- Members of examination bodies appointed on an ad hoc basis (Section 3 of the RaPO)
- as required: Legal Department / Legal Service
Data will only be disclosed to third parties as follows:
- on a case-by-case basis in relation to parties to the proceedings in the context of legal proceedings (examination documents and minutes)
- possibly to the relevant service provider for the maintenance of the examination server
Planned retention period for personal data
Data processed in connection with authentication is not stored beyond the technically necessary temporary storage period. The personal data held in temporary storage is deleted immediately. It is therefore deleted at the latest upon submission of the remote exam or at the end of the marking period.
The names and examination records of students taking part in electronic remote examinations are generally deleted after the retention period for examinations specified in Section 12 of the RAPO. Accordingly, examination records must be retained for two years. The retention period begins at the end of the calendar year in which the students were notified of the result of the relevant module examination. The retention period is extended if legal proceedings are pending. As no video or audio recordings are made, this data is not stored.
Rights of those affected
Under the General Data Protection Regulation, you have the following rights:
- Where personal data is processed, data subjects have the right to obtain information about the data held about them (Article 15 of the GDPR).
- If inaccurate personal data is processed, you have the right to have it rectified (Article 16 of the GDPR).
- Where the legal conditions are met, data subjects may request the erasure or restriction of processing (Articles 17 and 18 of the GDPR).
- Where consent has been given for data processing, or where a contract for data processing exists and the data processing is carried out using automated means, data subjects may have a right to data portability (Article 20 of the GDPR).
- Data subjects have the right to withdraw their consent under data protection law at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of that consent prior to its withdrawal (Article 7 of the GDPR).
- Data subjects have the right to request information as to whether automated decision-making, including profiling, is taking place (Article 22 of the GDPR).
- Data subjects have the right to object at any time to the processing of their data on grounds relating to their particular situation, where the processing is carried out solely on the basis of Article 6(1)(e) or (f) of the GDPR (Article 21(1), first sentence, of the GDPR).
Should the rights set out above be exercised, the public authority will check whether the legal requirements for doing so have been met.
Furthermore, you have the right to lodge a complaint with a supervisory authority. The authority responsible for Hochschule München is the Bavarian State Commissioner for Data Protection.
You can contact them using the following contact details:
Postal address:
Postfach 22 12 19
80502 München
Address:
18 Wagmüllerstraße
80538 München
Tel.: +49 89 212672 - 0
Fax: +49 89 212672 - 50
Email: poststelle@datenschutz-bayern.de
Website: https://www.datenschutz-bayern.de/
Further information regarding our Privacy Policy
Hochschule München reserves the right to amend the Privacy Policy from time to time to ensure that it always complies with the latest legal requirements or to reflect changes to the services described in the Privacy Policy, for example when new services are introduced. The new Privacy Policy will then apply to any subsequent visits to the website.
If you have any questions, please feel free to contact the Data Protection Officer (datenschutzbeauftragter@hm.edu) or send an email to: kommunikation@hm.edu.
Last updated: 27 April 2023
The information on this page was translated into English for your convenience. In case of any discrepancies between the English and German versions, the German version shall prevail.