GDPR Data Request

All requests should go from the data subject to the Data Controller, who in turn may or may not use our functionality or ask itslearning for help to exercise the right for the itslearning platform. Each individual request needs consideration and processing before action is taken. The rights of the data subject are described in Chapter 3 of GDPR (if you are unable to click the link, copy and paste this URL into the search bar: https://gdpr-info.eu/chapter-3/). These rights are not absolute, and should be processed in the context of both GDPR and local regulations.

Please note that according to GDPR there are exceptions to exercising the rights of the data subject when the data is considered necessary… 

  • … to exercise right of freedom of expression and information of other data subjects 

  • … to comply with legal obligations or the performance of a task carried out in public interest 

  • … for archiving, historical or statistical purposes 

Under GDPR, the data subject rights are between the data subject and the Data Controller. Any data subject requests from end users to itslearning will be handed over to the customer. itslearning will cooperate in good faith with customers to ensure they can exercise the rights of the data subjects in a prompt manner.

In addition to administrative and other functionality already available in the itslearning system, the itslearning DPO and our service team are available to help our customers as Data Controllers satisfy the right of the data subject. 

Below is a description of how some of the rights can be exercised with the help of itslearning functionality. 

Performing actions to satisfy the rights of the data subject 

When a request from a data subject is received and accepted by the Data Controller, they should contact itslearning Support.

To help our customers satisfy the rights of the data subject, we have added a “GDPR tool” to help administrators perform the necessary actions. This tool will be enabled after the initial contact with Support. The tool will then be available to the system administrator. The available actions help with giving access to the data stored about a data subject, and with restricting or deleting data. Details for each action can be found below.

To access the GDPR assistance tool, the administrator (once initial contact has been established with itslearning Support) should go to Admin -> Users and access rights, search for the data subject in question, and click the shield icon to the right, as indicated in the screenshot below.

When you click the icon, you will first be asked for confirmation that the correct user is selected (in case there are multiple users with the same name).

After confirming that it is in fact the correct user, options will be available to help with the next steps.  

Each of these actions will require the administrator to enter a reason for performing the action, which will be logged.  

In general, this tool is “instant”, meaning the actions performed will be processed without delay. Some actions might, however, take some time to complete. This is to ensure that performance of the system is maintained should the request include extensive amounts of data.

The right to access and data portability

The data subject has the right to obtain information from the Data Controller about what personal data are processed, how and why. In some cases, the data subject may also have a right to transmit those data to another Data Controller. This is described in the Data Processor Agreement, and categories are listed below for easy reference. 

| Category | Example |
|---|---|
| Personal information (contact information) | User name; Email; Phone number; Contact details of parent/guardian; IP addresses; Activity logs |
| Communication | Messages (IM / Old messages); Discussion (could also be considered a student response or course material); Bulletins + comments |
| Course material (produced by user in the context of teaching) | Assignments; Tests; Notes; Uploaded documents |
| Assessments (given by teacher to student) | Assessments (grades, descriptive feedback); Attendance comments; Behavior comments |
| Calendar entries | Events |
| Student responses | Answers to assignment (including uploaded files); Test attempts |
| Internal logic | Last used selection in select dropdown menu; Personal settings: Languages, simplified tree structure, accessibility ++; Cookies |

More details can be found in GDPR Article 15 (https://gdpr-info.eu/art-15-gdpr/) and Article 20 of GDPR (https://gdpr-info.eu/art-20-gdpr/). 

To access the specific information stored in itslearning related to a data subject, the administrator should access the GDPR tool and select PREVIEW/DOWNLOAD. This will create a file in XML format. The file will be available for download once it is generated.

Data in the “Internal logic” category will not be included.  

The right to rectification 

Should there be inaccurate, incomplete or erroneous personal data concerning a data subject, he or she has the right to have the Data Controller rectify it.  

More details about this right can be found in GDPR Article 16 (https://gdpr-info.eu/art-16-gdpr/). 

In many cases the user can correct information themselves in the itslearning interface. In other cases, and most commonly, information about a person like name, email address and such should be edited in the external student information system and synchronized with itslearning. Other types of data can be corrected by teachers or administrators in the itslearning system. We have included a link to more help on rectification in the GDPR tool.

The right to restriction of processing 

More details about this right can be found in Article 18 of GDPR (https://gdpr-info.eu/art-18-gdpr/). 

Restriction will be performed as a “soft delete” when the administrator selects RESTRICT in the GDPR tool. The effect will be the same as if the user was moved to the trashcan in itslearning. All information about a user will be removed from the UI, but not irreversibly erased.  

This might in some cases mean that the user name is anonymized while content is kept available (pseudonymization). The table below outlines how this is handled in the different categories of personal data:

| Category | Effect of RESTRICT |
|---|---|
| Personal information (contact information) | Not visible |
| Communication | Anonymized |
| Course material (produced by user in context of teaching) | Anonymized, unless the material exists so that it is only available to the data subject in question |
| Assessments (given by teacher to student) | Still visible and not anonymous if the teacher is restricted, as the assessments are still of value and affecting the rights of the student. |
| Calendar entries | Personal events are no longer visible, shared events are anonymized |
| Student responses | Not visible |
| Internal logic | Not visible |

Restriction is reversible and can be performed by restoring the data subject (user) from the trashcan. When restriction of processing is lifted, the Data Controller is obligated to inform the data subject.

The right to erasure (“right to be forgotten”)

In almost all cases, deleting a user and their related data will be done because the purpose for processing this data is no longer valid. Most commonly this is because a student has left the school, a teacher has changed jobs, or because the customer has terminated the contract with itslearning. In these cases, we recommend that the normal flow for deleting users is used. Move the user(s) to the trashcan or mark them as deleted in the external system. Complete the process by emptying the trashcan, after which the user(s) and their data will be permanently deleted from itslearning.

Deleting information related to a specific data subject request based on the right to erasure as defined in GDPR can be done by accessing the GDPR tool and selecting DELETE. More details about this right can be found in Article 17 of GDPR (https://gdpr-info.eu/art-17-gdpr/). Selecting DELETE will completely erase any information related to the data subject from the itslearning platform, with some exceptions mentioned above.

As an example, these exceptions include assessments given by a teacher to a student. If the teacher is deleted, these data will still remain in the system to retain the rights of the student.

Please note that this action is not reversible.  

| Category | Effect of DELETE |
|---|---|
| Personal information (contact information) | Permanently deleted |
| Communication | Permanently deleted when all affected users are deleted. For example, a group conversation in the message system is deleted when all participants of that conversation are deleted. Bulletins and discussions are deleted when the course they belong to is deleted. |
| Course material (produced by user in context of teaching) | Anonymized, unless the material exists so that it is only available to the data subject in question (in which case it is permanently deleted) |
| Assessments (given by teacher to student) | NOT removed if the teacher is deleted, as the assessments are still of value and affecting the rights of the student. |
| Calendar entries | Permanently deleted if personal, anonymized if shared |
| Student responses | Permanently deleted |
| Internal logic | Permanently deleted |

There are three possible outcomes when a user is deleted:

  1. The information is completely removed
  2. Data/content is kept, but the name of the user is anonymized (this is new compared to previous functionality!)
  3. Data/content is kept, and the name of the deleted user is still visible

The decision on what happens to each piece of information we store is taken on the basis of GDPR guidelines. We cannot delete data that affects the rights of other users, and in some cases that also includes the name of the user that is deleted. This is the type of data we store, and what happens to it in each situation:

| Category | Examples | Soft delete | Permanent delete |
|---|---|---|---|
| Student responses | Answer to assignment (including uploaded files); Test attempt | Removed from UI | Removed permanently |
| Person profile information | User name; Email | Information is removed from UI | Removed permanently |
| Internal logic | Last used selection in select dropdown menu; Cookies | Not visible in UI | Removed permanently |
| Content produced by user in context of teaching | Note; Assignment; Uploaded document | Name of user is anonymized, except on shared content in Library. Content is kept if it is shared with other users (courses/projects with other participants, Library). | Content is removed permanently if it is not available to other users. Deleted when course/project is deleted. |
| Communication | Messages; Bulletins | Messages: Name of user is anonymized. Bulletins and comments: Name of user is anonymized. | Messages: deleted when all users in thread are deleted. Bulletins and comments: Deleted when course is deleted. |
| Assessment given by a teacher | Assessments (grades); Attendance comments | Kept and visible, including the name of the user | Kept and visible until the student it affects is also deleted |

