Data Protection in Teaching: Things to consider for Online Events

When it comes to legal issues in higher education, the focus is often on examination or general university law. However, data protection and data protection law should not be underestimated. Whenever personal data is involved, data protection law comes into play. This also applies to university teaching, which is the focus here.

The protection of personal data is derived from Article 8(2), Sentence 1 of the Charter of Fundamental Rights of the European Union. In Germany, the right to informational self-determination has been developed from Article 2(1) of the Basic Law (right to free development of personality) and Article 1(1) of the Basic Law (protection of human dignity). The General Data Protection Regulation (GDPR) directly regulates data protection, making it decisive for data processing at universities as well.

Dekobild

What is Personal Data?

According to Article 4, No. 1 of the GDPR, personal data includes any information that allows the identification of a person based on individual characteristics. In the context of higher education, particularly teaching, this often pertains to students in specific courses. Examples include names, email addresses, phone numbers, matriculation numbers, and other details that may identify a person. Additionally, voices and video recordings can also enable the clear identification of a student, making these cases fall under personal data as well.

In all such instances, data protection applies, along with the regulatory framework of the General Data Protection Regulation (GDPR). Other data protection laws also exist but typically play a secondary role in this context. 

Since instructors also interact with student data, it is important to remain mindful of certain aspects during teaching and to continually raise awareness among instructors about this topic. This is essential both to protect the personal rights and data of students and to avoid fines or other penalties. 

This issue becomes particularly relevant in online teaching settings, for example, when deciding whether lectures can be recorded. In case of uncertainties, it is always advisable to consult the responsible data protection officer. 

What Must Instructors Consider in Terms of Data Protection in Teaching? 

The collection and processing of personal data are only permissible if a legal basis exists to allow it. In the context of online teaching involving students or planned recordings, prior consent from students, as per Article 6(1)(a) of the GDPR, may be required. This is because, as noted earlier, personal data such as names, video images, voices, and other characteristics are being processed. 

Key point:

Whenever personal data is involved, the regulations of data protection law become relevant. These must be strictly observed to avoid potential sanctions.

What Legal Requirements Must Be Met?

If instructors want to hold an online session, it is recommended to use the online tools provided by the respective university to ensure data protection compliance regarding the tool itself. Generally, Big Blue Button is used, as it is currently considered one of the most legally secure tools.

No Student Participation:

If instructors choose to conduct their online session without active student participation, no explicit consent from students is required.

With Student Participation:

If the session involves active student engagement, consent may need to be obtained before the session begins. Ideally, this consent should be in writing or via a trackable opt-in option to provide proof later.

Alternatively, proof of registration for the session is sufficient if students have been clearly informed of the privacy policy in advance. In such cases, their implied consent through participation in the online session is legally valid.

 

Recording Sessions: 

If the session is to be recorded, care must be taken to ensure that students are not captured or identifiable in any way—neither through video, audio, nor text. If this cannot be avoided, explicit written consent must be obtained from the students. Interaction can take place during pauses in recording for those who have not given consent. 

Revocation of Consent: 

It is important to note that consent can be revoked at any time for future instances. If a student withdraws their consent after a recording, the affected parts of the video must be deleted or edited to anonymize the student’s data, making it impossible to trace them individually. 

How Do I Properly Inform Students?

Students must be informed through a privacy notice in accordance with Article 13 of the GDPR. This information should be provided in a timely manner, for example, when sending the invitation to the respective session. Comprehensive privacy information must be provided in compliance with Articles 13 and 14 of the GDPR.

The notice should specifically highlight the right to withdraw consent (Article 7(3) GDPR). Furthermore, students must be given a genuine choice, meaning that alternatives must be offered to those who do not wish to or cannot give consent, ensuring that they do not face any disadvantages.

 

 

h

Possible alternatives

  • Students could participate as silent listeners without active involvement.
  • The session could proceed without these students, and they may be provided with a recording afterward if necessary.

What Risks Are Associated with Recording Teaching Sessions? 

If instructors fail to obtain the necessary consent from students before recording or publishing a session, this can lead to legal consequences, including: 

Violation of the Confidentiality of the Spoken Word 

This may result in criminal liability for the instructor under § 201 of the German Criminal Code. 

Violation of the Right to One’s Own Image 

Affected individuals may claim damages and seek injunctions against HWR under §§ 823 and 1004 of the German Civil Code. 

Criminal Liability for Unauthorized Distribution of Images 

Instructors may face penalties under §§ 22 and 33 of the German Act on Copyright in Works of Art and Photography (Kunsturhebergesetz). 

Violation of Data Protection Regulations 

Breaches of GDPR or other data protection laws could lead to fines or sanctions. 

Key Takeaway:

Proper consent must be obtained to mitigate these risks and ensure compliance with legal and ethical standards.

Further Links

Website of the Data Protection Officer at HWR:

https://datenschutz.hwr-berlin.de/ 

Further information on data protection can be found on the website of the State Commissioner for Data Protection:

https://www.datenschutz-berlin.de

Haben Sie Fragen?

Do You Have Questions?

If you have questions or uncertainties, we are here to assist you as instructors.

rechtsinformation-padll[at]hwr-berlin.de