Data Privacy Policy

The purpose of this Data Privacy Policy is to inform you about how your personal data are processed when using HAW’s Moodle-based teaching and learning platform EMIL and the Panopto media server.

■ Data Privacy Policy for the use of EMIL/Moodle

The purpose of this Data Privacy Policy is to inform you about how your personal data are processed when using HAW’s Moodle-based teaching and learning platform EMIL.

Controller responsible for data privacy

The data processing controller as defined by the GDPR (EU General Data Protection Regulation), the Hamburg Universities Act (Hamburgisches Hochschulgesetz, HmbHG) and other relevant data protection provisions is:

Hamburg University of Applied Sciences
(HAW Hamburg) Berliner Tor 5
D-20099 Hamburg

Phone +49 40 42875 0
Fax +49 40 42875 91 49

Official Data Protection Officer

datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen

Responsibility for the EMIL platform

N.N. (E-learning officer appointed by the HAW Hamburg Executive Board):

Log files and duration of storage


You transmit data to our web server via your Internet browser each time you access the EMIL platform and retrieve a file.

The following data are temporarily recorded in a log file via an active connection that is established for communication purposes between your Internet browser and our web server:

  • The IP address of the requesting computer
  • The date and time of access
  • The name, URL and the size of the retrieved file that has been transferred
  • Access status (the requested file was transferred, not found, etc.)
  • Identification data about the used browser and operating system (if transmitted by the requesting web browser)
  • Referring website (if transmitted by the requesting web browser)

The data in this log file are processed as follows:

The log entries are continuously and automatically evaluated in order to detect attacks on the web server and to be able to determine an appropriate response. In individual cases, i.e. in response to reported faults, errors, and security incidents, a manual analysis is performed.
Log entries that are older than seven days are anonymised by shortening the IP address, saved as a backup for three months, and then deleted.


Log files are also created by Moodle. The following data are recorded in the form of a database entry when Moodle is accessed by administrators and users:

  • Name of the person accessing the data
  • Time of data access
  • Description of data access
  • Nature of data access
  • Purpose of data access

The IP address needs to be temporarily stored by the system to enable the platform’s contents to be sent to your computer. This means that your computer’s IP address must remain stored for the duration of the session. The data are stored in log files to safeguard the website’s functionality, to optimise the website’s contents and to ensure the security of the IT systems.

Your data will be erased as soon as they are no longer required to fulfil the purpose for which they were collected.

All Moodle log data are erased 90 days after the respective date of access.

Login credentials/user data and duration of storage

An EMIL account is created on the basis of your HAW identifier when you sign in for the first time. The user data are obtained from HAW Hamburg’s IDM server.
Guest accounts are set up for external users by the ITSC as required and attributed a fixed end date.

Supplementary to the information already available in the system with the user ID, such as semester and programme of study, additional information can be entered voluntarily in the user profiles. The visibility of the e-mail address can be set in the user profile. The user profile, including first and surname, description, email address (optional) and other details having been freely given, is visible to teachers and other participants in the courses attended.

EMIL accounts are deactivated upon de-registration from the university, end of employment or expiry of the guest account.

The data and materials provided by you are conditional or personal/freely given depending on the nature of the tasks or activities carried out.

Learning rooms (courses) are reserved for a period of eight semesters, subject to longer archiving periods for examination papers as stipulated by the examination regulations; users remain registered in the course for this period of time. User activities (such as homework submitted) are retained until the respective EMIL account is deleted. Forum posts and wiki pages are retained and deleted together with the respective course room.

It is your responsibility to back up any data required before the stipulated erasure deadlines. HAW Hamburg is entitled, subject to your rights under Article 22 GDPR, to irretrievably erase all data stored during the term of the user relationship.

Legal basis

The legal basis for processing log files as well as the registration and user data is point (e) of Art. 6(1) GDPR in conjunction with section 4 of the Hamburg Universities Act (Hamburgisches Hochschulgesetz, HmbHG) in conjunction with sections 3 and 111 HmbHG:

Data processing is required for the performance of a task carried out in the public interest or while exercising official authority conferred to the controller. The university’s task here is to provide a digital teaching and learning platform for members of the university and authorised third parties to teach and learn using modern methods.


Cookies must be enabled in the Internet browser used to access EMIL. Cookies are small text files that are stored on the hard disk of your computer, attributed to the browser you are using, and through which certain information is conveyed to the site that sets the cookie (here HAW Hamburg). A cookie may be stored on your computer’s operating system when you access this website. Cookies contain a characteristic character string that allows the browser to be uniquely identified when the website is requested again.

Transient and persistent cookies are used.

Transient cookies are automatically deleted when you close the browser. This includes the session cookie (“Moodle session”). This stores what is referred to as the session ID, with which various requests from your browser can be attributed to the shared session. The session cookie is deleted when you log out or close the browser.

Persistent cookies are automatically deleted after a defined period of time, which may vary depending on the nature of the cookies used.

The Moodle ID cookie is intended to make the platform easier to use. It stores the login name in the web browser and is retained even after logging out. This means that your login name is already entered the next time you log in. You can block this cookie using the corresponding settings, but then you will need to re-enter your details every time you log in.

As a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission or storage of cookies. Already saved cookies can be deleted at any time. This can also be done automatically. You need to allow the Moodle session cookie to be able to use EMIL.

The legal basis for this data processing is point (e) of Art. 6(1) GDPR in conjunction with section 4 of the Hamburg Data Protection Act (HmbDSG): Processing is required for the performance of a task carried out in the public interest or while exercising official authority conferred to the controller. A cookie is needed to make the registration process and the use of the learning platform as user-friendly as possible.

Posts and evaluations

Additional data may be collected or stored in the courses through using EMIL, such as posts made as part of forum, wiki, work assignment, testing and voting activities. Forum and wiki posts are only visible to the participants of a course.

Solutions and evaluations of work assignments and tests as well as voting activities can only be viewed by the submitters themselves and the teachers or tutors concerned. Work assignments, tests and votes are completely deleted and are no longer visible and available when participants are removed from a course.
Forwarding of data

Processed data are not forwarded to third parties, except in cases where this is required to pursue legal claims or for compliance with a legal obligation as per point (c) of Art. 6(1) GDPR.

Data security

An encrypted connection is used for logging in to EMIL as well as for communication and the transfer of data within the platform.

Data are backed up every day, with this backup copy being stored for a period of one week, to be able to restore the system if necessary.
It is not possible to index course rooms in search engines by changing the appropriate settings.


Administrators generally have access to all data collected within EMIL. They may only use such data, however, within the scope of their responsibilities, taking into account the role/authorisation concept, and are not permitted to pass any data on to third parties.

Duration of processing

The data stored in connection with the use of EMIL will only be stored for the purposes stated above and only for as long as required for the respective purpose or under statutory regulations.

  • EMIL user accounts: for students after de-registration from the university; for employees after leaving; an expiry date is generated for guests
  • EMIL access log data (procedure and server level): after 1 year
  • Content data for course rooms: after 8 semesters

Data subjects’ rights

Pursuant to the GDPR, you as the data subject have various rights concerning the processing of your personal data.

a)      You are entitled to obtain  information cornering the personal data stored about you (Art. 15 GDPR).
b)      You have the right to request  rectification of any inaccurate personal data that have been processed (Art. 16 GDPR).
c)       If the legal requirements are met, you may request that your data be erased or that processing of your personal data be restricted, or you may  object to the processing of your personal data (Art. 17, 18 and 21 GDPR).
d)       If you have consented to data processing or a data processing agreement exists and data processing is carried out by automated means, you have the right to  data portability (Art. 20 GDPR).

If the processing of your personal data is based on your consent, you can revoke this consent at any time. This does not affect the legality of the processing carried out on the basis of your consent until it is revoked.

If you make use of the rights referred to above, HAW Hamburg will check whether the relevant statutory requirements have been fulfilled.

e)     Right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR (Art. 77 GDPR).
f)     Right of objection, revocation and correction. You can assert this right with our data protection officer: office (@)


If you would like further information on how your personal data is processed, please send an email to:

■ Privacy policy for the use of Panopto media server

In the following, we inform you about the processing of personal data in connection with the use of Panopto at HAW Hamburg, regardless of whether you are employed, teach, study at HAW Hamburg or access public or linked content as an external person.
With this data protection notice, HAW Hamburg complies with its duty to inform in accordance with Articles 13, 14 of the EU General Data Protection Regulation (EU-DSGVO) for the above-mentioned processing of personal data.
With regard to the further terms used, "personal data", "processing", "controller", "third party", etc., please refer to the definitions in Article 4 of the EU Data Protection Regulation.See also: Data Protection HAW Hamburg
See also: Data protection HAW Hamburg
According to §3 "Law for coping with the effects of the COVID-19 pandemic in higher education" (HSchulCovid19AuswG HA) (valid from 19.2.2022 to 31.3.2023), live online lectures may be recorded by means of video and audio recordings by the lecturers and made accessible to the participants of the course for the purpose of follow-up. Recording of images and spoken contributions by the participants is not permitted.

Basically excluded are recordings of examination situations. These are prohibited by law according to § 111 para. 3 HmbHG.

1. Contact details

Contact details of the responsible person

The responsible party within the meaning of the General Data Protection Regulation, other national data protection laws of the EU member states, the HmbHG and other data protection regulations is:

Hamburg University of Applied Sciences (HAW Hamburg).
Berlin Gate 5
20099 Hamburg
T: +49.40.42875-0
F: +49.40.42875-9149
​​​​​​​datenschutz (@)​​​​​​

HAW Hamburg is a corporation under public law. It is legally represented by Prof. Dr. Micha Teuscher, President of HAW Hamburg, Berliner Tor 5, 20099 Hamburg.

Contact details of the data protection officer at HAW Hamburg:

datenschutz nord GmbH
Konsul-Smidt-Strasse 88
28217 Bremen

Technical contact persons:

Management: Sabine Rasch

2. Personal data processed and purposes

Panopto is a complete system for recording, live streaming, editing, publishing, searching and managing video and audio content for studies, teaching, further education and administration at HAW Hamburg, which is integrated into the learning management system EMIL/ Moodle.
The offer of Panopto contributes to the fulfillment of the tasks in the area of study, teaching, research, further education as well as the administration of HAW Hamburg, especially digitally supported teaching.
The central component of Panopto is a cloud-based web application in which the video content recorded by users can be uploaded, edited and shared with other users or the public. Through the integration into the learning platform EMIL/ Moodle of HAW Hamburg, recordings of events can be shared directly with the participants of an event.
Personal data is processed to provide the above functions and to ensure proper technical operation and system security. This includes:

Personal registration information

  • HAW user name (HAW identifier)
  • Last name, first name
  • HAW e-mail address

Content data

Text, audio, and video content including interactive content and edits (e.g., cut marks, embedded quizzes, chapter marks, comments), Uploaded files (e.g., PDF attachments).

In groups

The creator of the group sees the first and last names of the group members.

Comments on videos

are public and are marked with first and last name.

Notes on videos

are generally not public. Users can create and share their own notes on the videos.

Uploaded files in the personal folder

are generally not public, but can be shared with other users or the public.

Uploaded files in shared folders are

are visible to everyone who sees that folder.

Invite people

This function can be used when a user (e.g. teacher or student) wants to share a video with others. After entering the first 2 letters in the name field, a selection of possible matches (first and last name) is displayed. This will be concretized when entering more letters.

3. Usage data from media content

Usage data of media content is collected for analysis purposes. System administrators or media content creators can view statistics about the content created or viewed by a user. While administrators can access the statistics of all users, content creators can only access the statistics of users who have viewed at least one of their contents.

In addition, other third-party content such as videos on YouTube or external graphics may be embedded in the media. This always assumes that the providers of this content are aware of your IP address. Because without the IP address, the third-party providers could not send the content to your browser. The IP address is thus necessary for the display of this content. We have no influence on any further use of your data (e.g. if the third-party providers store the IP address for statistical purposes).

4. Log file data/ log files

Each time pages are called up, the web server collects a series of general data and information that is stored in the server's log files.
At the time of login, the following data is collected:

  • The IP address of the user
  • Date and time of the login
  • Information about the browser type
  • Pages accessed and the name of the file accessed in each case
  • Message as to whether the retrieval was successful.

The information on the transfer of data is given when the login page is called up. We do not draw any conclusions about the users from this data. This information is used to ensure the correct technical functioning of our web server.
The temporary storage of the IP address by the system is necessary to enable delivery of the web application to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session.
The storage in log files is done to ensure the functionality of the application, to optimize the content and to ensure the security of our information technology systems.

The log files are deleted as soon as they are no longer necessary to achieve the purpose of their collection. In the case of the collection of data for the provision of the web application, this is the case when the respective session has ended. Log files are deleted when users* are deleted or the respective video is deleted.

5. Use of cookies

Panopto uses cookies or similar technologies to analyze trends, administer services, track users' movements and interactions on the Platform and Website, and gather demographic information about the user base as a whole.
Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. They do not contain information that personally identifies the user. However, they do contain personal information stored about a user.
In order to use Panopto, the user must agree to the use of essential cookies.  This is done through a cookie banner that is displayed on the EMIL/Moodle login page. Here, users can consent to the data processing.
In addition, third-party providers may also create cookies that they can use for their own analysis purposes. No user data is provided to these services, so the cookies do not contain any user information. These cookies are not necessary for the website to function as expected.

Cookies of the users are used for:

  • User authentication
  • Authentication between Panopto and the learning management system EMIL/ Moodle of HAW Hamburg.

Other website settings of the user:

  • Preferred sorting method for folder and video lists. 
  • Saving of sorting of search results by the user and optimization of results based on previous searches
  • Preferred viewing method of folders and videos (list or thumbnails).
  • User's preferred bitrate selection for smoother streaming sessions
  • Hiding the website's notification banner after the user has hidden it
  • Starting the recorder if the user has previously downloaded the recorder and clicked "Record" in the "Create" menu.

6. Use of tracking

For analysis purposes, such as collecting media viewing time, individual, unauthenticated (anonymous) users are tracked. This data is collected:

  • IP address
  • Access, usage and event details
  • Location, date and timestamp
  • Actions performed
  • Operating system, browser and device type for platform performance metrics
  • Referring and last visited pages

7. Camera and screen recordings

Who can make a recording?

Authorization to make video and screen captures is reserved for Moodle users who are enrolled as instructors in an EMIL course room or who have similar responsibilities in their role.

What happens when I make a recording?

To create videos or screen recordings, users must allow the Panopto platform to use the respective recording devices. During the recording process, the resulting media files are temporarily cached on the local device to be automatically uploaded to the Panopto platform after the recording is finished.

What data is processed?

It is up to media content producers to also create content with personal data and sensitive personal data. This may include photo, video and audio recordings, physical characteristics or descriptions, as well as images of or references to data subjects. In these cases, explicit consent must be obtained from the individuals depicted.

Where can the recordings be published?

Media content creators determine whether publication is private, course room-wide, organization-wide, or public.

8. Legal basis for data processing

The legal basis for the processing of personal data of students of HAW Hamburg for the purpose of carrying out teaching activities, further education measures and other study activities is Art. 6 para. 1 lit. e DSGVO in conjunction with. § Section 111 (1), (2) HmbHG and the current statutes of the Hamburg University of Applied Sciences on the processing of personal data dated 20.12.2019 last amended on 20.09.2021.
The legal basis for the processing of personal data of employees of HAW Hamburg is Art. 88 DSGVO in conjunction with § 10 HmbDSG, § 85 HmbBG, § 111 para. 6 HmbHG and the current statutes of the Hamburg University of Applied Sciences on the processing of personal data.
When displaying and reproducing Panopto content on public websites or in the case of a restricted release for external persons, connection- and content-related meta data are processed to ensure proper technical operation and system security, which may include personal data.

The legal basis for the use of tracking cookies is your consent voluntarily given to us in accordance with Art. 6 para. 1 lit. a) DSGVO by means of our cookie banner.

9. Data transfers

As Panopto is a cloud service, the personal data mentioned under No. 2 will be transmitted to the provider Panopto EMEA Limited , Unit 603, Highgate Studios, 53-79 Highgate Road, London NW5 1 TL, United Kingdom, or processed on servers of the provider in Ireland. Panopto EMEA Limited is a British subsidiary of Panopto Inc (USA).
HAW Hamburg has concluded a contract for commissioned processing with Panopto EMEA Limited within the framework of a license agreement in accordance with Art. 28 DSGVO.

In individual cases, data may also be transferred to third parties on the basis of legal permission, for example, transfer to law enforcement authorities for the purpose of investigating criminal offences within the framework of the provisions of the Code of Criminal Procedure (StPO).

10. Data deletion

In case of leaving HAW Hamburg or after not using the services of Panopto for 12 months, the request for deletion of all personal data will be forwarded to Panopto by administrators of HAW Hamburg. Thereupon, all master data and accounts of the corresponding users as well as their content, if not shared in a public folder, will be deleted there. After switching off the platform Panopto, own videos can be saved. All data will be deleted 60 days after shutdown.

11. your rights as a data subject

As a data subject, you may assert the rights granted to you by the EU GDPR at any time:

  • the right to be informed whether and which of your data is being processed (Art. 15 EU GDPR),
  • the right to request that the data concerning you be corrected or completed (Art. 16 EU GDPR),
  • the right to erasure of the data concerning you in accordance with Art. 17 EU GDPR, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims,
  • the right to request restriction of the processing of the data in accordance with Art. 18 EU-DSGVO,
  • the right to revoke a given consent to the collection, processing and use of their data at any time with effect for the future. This does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation ( Art. 7 (3) EU-DSGVO),
  • the right to object to future processing of data concerning you in accordance with Art. 21 EU-DSGVO,
  • You can assert your right of objection, revocation and correction vis-à-vis the following office:

    Oliver Stutz
    datenschutz nord GmbH
    Konsul-Smidt-Straße 88
    28217 Bremen
    E-Mail: office[at]

Right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR (Art. 77 GDPR).

12. Final terms

Changes to the data protection notice

In order to always comply with current legal requirements, HAW Hamburg reserves the right to make appropriate changes to this privacy policy.


Status of the data protection declaration: 26.04.2022

Last modified: Thursday, 28 April 2022, 12:34 PM