Data Privacy Policy

The purpose of this Data Privacy Policy is to inform you about how your personal data are processed when using HAW’s Moodle-based teaching and learning platform EMIL.

Controller responsible for data privacy

The data processing controller as defined by the GDPR (EU General Data Protection Regulation), the Hamburg Universities Act (Hamburgisches Hochschulgesetz, HmbHG) and other relevant data protection provisions is:

Hamburg University of Applied Sciences
(HAW Hamburg)
Berliner Tor 5
D-20099 Hamburg

Phone +49 40 42875 0
Fax +49 40 42875 91 49

Official Data Protection Officer

datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen


Responsibility for the EMIL platform

N.N. (E-learning officer appointed by the HAW Hamburg Executive Board):

Log files and duration of storage


You transmit data to our web server via your Internet browser each time you access the EMIL platform and retrieve a file.

The following data are temporarily recorded in a log file via an active connection that is established for communication purposes between your Internet browser and our web server:

  • The IP address of the requesting computer
  • The date and time of access
  • The name, URL and the size of the retrieved file that has been transferred
  • Access status (the requested file was transferred, not found, etc.)
  • Identification data about the used browser and operating system (if transmitted by the requesting web browser)
  • Referring website (if transmitted by the requesting web browser)

The data in this log file are processed as follows:

The log entries are continuously and automatically evaluated in order to detect attacks on the web server and to be able to determine an appropriate response. In individual cases, i.e. in response to reported faults, errors, and security incidents, a manual analysis is performed.
Log entries that are older than seven days are anonymised by shortening the IP address, saved as a backup for three months, and then deleted.


Log files are also created by Moodle. The following data are recorded in the form of a database entry (TXT file) when Moodle is accessed by administrators and users:

  • Name of the person accessing the data
  • Time of data access
  • Description of data access
  • Nature of data access
  • Purpose of data access

The IP address needs to be temporarily stored by the system to enable the platform’s contents to be sent to your computer. This means that your computer’s IP address must remain stored for the duration of the session. The data are stored in log files to safeguard the website’s functionality, to optimise the website’s contents and to ensure the security of the IT systems.

Your data will be erased as soon as they are no longer required to fulfil the purpose for which they were collected.

All Moodle log data are erased one year after the respective date of access.

Login credentials/user data and duration of storage

An EMIL account is created on the basis of your HAW identifier when you sign in for the first time. The user data are obtained from HAW Hamburg’s IDM server.
Guest accounts are set up for external users by the ITSC as required and attributed a fixed end date.

Supplementary to the information already available in the system with the user ID, such as semester and programme of study, additional information can be entered voluntarily in the user profiles. The visibility of the e-mail address can be set in the user profile. The user profile, including first and surname, description, email address (optional) and other details having been freely given, is visible to teachers and other participants in the courses attended.

EMIL accounts are deactivated upon de-registration from the university, end of employment or expiry of the guest account.

The data and materials provided by you are conditional or personal/freely given depending on the nature of the tasks or activities carried out.

Learning rooms (courses) are reserved for a period of eight semesters, subject to longer archiving periods for examination papers as stipulated by the examination regulations; users remain registered in the course for this period of time. User activities (such as homework submitted) are retained until the respective EMIL account is deleted. Forum posts and wiki pages are retained and deleted together with the respective course room.

It is your responsibility to back up any data required before the stipulated erasure deadlines. HAW Hamburg is entitled, subject to your rights under Article 22 GDPR, to irretrievably erase all data stored during the term of the user relationship.

Legal basis

The legal basis for processing log files as well as the registration and user data is point (e) of Art. 6(1) GDPR in conjunction with section 4 of the Hamburg Universities Act (Hamburgisches Hochschulgesetz, HmbHG) in conjunction with sections 3 and 111 HmbHG:

Data processing is required for the performance of a task carried out in the public interest or while exercising official authority conferred to the controller. The university’s task here is to provide a digital teaching and learning platform for members of the university and authorised third parties to teach and learn using modern methods.


Cookies must be enabled in the Internet browser used to access EMIL. Cookies are small text files that are stored on the hard disk of your computer, attributed to the browser you are using, and through which certain information is conveyed to the site that sets the cookie (here HAW Hamburg). A cookie may be stored on your computer’s operating system when you access this website. Cookies contain a characteristic character string that allows the browser to be uniquely identified when the website is requested again.

Transient and persistent cookies are used.

Transient cookies are automatically deleted when you close the browser. This includes the session cookie (“Moodle session”). This stores what is referred to as the session ID, with which various requests from your browser can be attributed to the shared session. The session cookie is deleted when you log out or close the browser.

Persistent cookies are automatically deleted after a defined period of time, which may vary depending on the nature of the cookies used.

The Moodle ID cookie is intended to make the platform easier to use. It stores the login name in the web browser and is retained even after logging out. This means that your login name is already entered the next time you log in. You can block this cookie using the corresponding settings, but then you will need to re-enter your details every time you log in.

As a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission or storage of cookies. Already saved cookies can be deleted at any time. This can also be done automatically. You need to allow the Moodle session cookie to be able to use EMIL.

The legal basis for this data processing is point (e) of Art. 6(1) GDPR in conjunction with section 4 of the Hamburg Data Protection Act (HmbDSG): Processing is required for the performance of a task carried out in the public interest or while exercising official authority conferred to the controller. A cookie is needed to make the registration process and the use of the learning platform as user-friendly as possible.

Posts and evaluations

Additional data may be collected or stored in the courses through using EMIL, such as posts made as part of forum, wiki, work assignment, testing and voting activities. Forum and wiki posts are only visible to the participants of a course.

Solutions and evaluations of work assignments and tests as well as voting activities can only be viewed by the submitters themselves and the teachers or tutors concerned. Work assignments, tests and votes are completely deleted and are no longer visible and available when participants are removed from a course.

Forwarding of data

Processed data are not forwarded to third parties, except in cases where this is required to pursue legal claims or for compliance with a legal obligation as per point (c) of Art. 6(1) GDPR.

Data security

An encrypted connection is used for logging in to EMIL as well as for communication and the transfer of data within the platform.

Data are backed up every day, with this backup copy being stored for a period of one week, to be able to restore the system if necessary.
The appropriate settings have been made so that course rooms cannot be indexed by search engines.


Administrators generally have access to all data collected within EMIL. They may only use such data, however, within the scope of their responsibilities, taking into account the role/authorisation concept, and are not permitted to pass any data on to third parties.

Duration of processing

The data stored in connection with the use of EMIL will only be stored for the purposes stated above and only for as long as required for the respective purpose or under statutory regulations.

  • EMIL user accounts: for students after de-registration from the university; for employees after leaving; an expiry date is generated for guests
  • EMIL access log data (procedure and server level): after 1 year
  • Content data for course rooms: after 8 semesters

Data subjects’ rights

Pursuant to the GDPR, you as the data subject have various rights concerning the processing of your personal data.

a) You are entitled to obtain information concerning the personal data stored about you (Art. 15 GDPR).
b) You have the right to request rectification of any inaccurate personal data that have been processed (Art. 16 GDPR).
c) If the legal requirements are met, you may request that your data be erased or that processing of your personal data be restricted, or you may object to the processing of your personal data (Art. 17, 18 and 21 GDPR).
d) If you have consented to data processing or a data processing agreement exists and data processing is carried out by automated means, you have the right to data portability (Art. 20 GDPR).

If the processing of your personal data is based on your consent, you can revoke this consent at any time. This does not affect the legality of the processing carried out on the basis of your consent until it is revoked.

If you make use of the rights referred to above, HAW Hamburg will check whether the relevant statutory requirements have been fulfilled.

e) Right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR (Art. 77 GDPR).
f) Right of objection, revocation and correction. You can assert this right with our data protection officer: office (@)


If you would like further information on how your personal data is processed, please send an email to:

Last modified: Sunday, 28 March 2021, 4:24 PM