Privacy Policy
Moodle LMS – KreativEU Consortium
(GDPR & KVKK Compliant)
Last updated: Feb 2026
This Privacy Policy explains how the 11 universities of the KreativEU Consortium (“we”, “our”, “the Consortium”) collect, process, store, and protect personal data when users (students, faculty, administrators) access the shared Moodle Learning Management System (LMS) and its integrated authentication services via Microsoft Entra ID.
Our processing complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR) and the Turkish Personal Data Protection Law No. 6698 (KVKK), which applies to data processing activities involving Turkish institutions and users.
1. Data Controller Structure
Because the Moodle platform is shared across 11 partner universities, the parties operate as Joint Controllers, as defined under GDPR Art. 26.
Each university determines how its users’ personal data is created, maintained, and exported.
Under KVKK, each participating Turkish institution is an individual Data Controller responsible for its users’ data.
A Joint Controller Agreement (JCA) details responsibilities for security, access controls, incident response, and data subject request handling.
2. Categories of Personal Data Processed
2.1 Data stored in Moodle LMS
Per the Moodle GDPR documentation, Moodle stores information that can be associated with an identifiable natural person, including:
- Account profile data (name, email, username, institution) [docs.moodle.org]
- Course enrollments and grades
- Activity logs, submissions, forum posts, quiz attempts
- System log files (IP addresses and system access metadata) [docs.moodle.org]
Moodle treats all LMS user activity as personal data.
2.2 Data processed via Microsoft Entra ID
Authentication uses delegated Microsoft Graph permissions. The minimum baseline permissions needed to sign in are openid, profile, email, and offline_access, which allow the system to authenticate users and read minimal profile attributes.
The Entra‑registered authentication app also uses:
- User.Read – read basic profile
- Calendar.ReadWrite – read/write the user’s calendar
- Files.ReadWrite – read/write user files
- Sites.ReadWrite.All – edit/delete SharePoint site collections
These are delegated permissions acting on behalf of the signed‑in user, with access restricted to what the user can already access. Delegated permissions do not grant tenant‑wide access unless the user themselves holds such privileges.
3. Purpose of Processing
We process personal data for:
3.1 LMS educational delivery
- Identity verification and login (via Entra ID)
- Enrollment in courses
- Delivery of teaching, assessment, and grading
- Activity tracking for pedagogical and administrative needs
(GDPR lawful basis: public interest, contract, legitimate interest) [docs.moodle.org]
3.2 Collaboration and educational communication
Certain Microsoft Entra delegated permissions enable Moodle plugins or integrations that:
- Synchronize calendar events between Moodle and Microsoft 365 (Calendar.ReadWrite)
- Exchange course files with OneDrive or SharePoint (Files.ReadWrite, Sites.ReadWrite.All)
These are optional integrations and apply only where enabled by the university.
3.3 Legal and institutional compliance
- Audit logs for academic integrity
- Security monitoring
- Compliance with GDPR and KVKK obligations
- Responding to lawful requests from authorities
4. Legal Bases (GDPR & KVKK)
Under GDPR
The Consortium relies on:
- Art. 6(1)(b) – performance of a contract (LMS service delivery)
- Art. 6(1)(e) – performance of tasks in public interest (education)
- Art. 6(1)(f) – legitimate interests (platform security, fraud prevention)
- Art. 6(1)(a) – consent (optional analytics, cookies, third‑party tools)
Under KVKK
KVKK primarily requires explicit consent, except where processing is necessary for:
- Legal obligations
- Protection of life/safety
- Establishment or exercise of rights
5. Data Minimization & Retention
Both GDPR and KVKK require strict data minimization: data must be adequate, relevant, and limited to what is necessary for the stated purpose. GDPR specifically highlights purpose limitation and retention controls.
Retention periods are defined by academic and legal obligations of each university. Logs, submissions, and grades are stored only as long as necessary for academic and auditing purposes.
6. Data Subject Rights
Under GDPR
Users have the right to:
- Access their data
- Have their data rectified
- Have their data erased (“right to be forgotten”)
- Restrict or object to processing
- Receive their data in a portable format (data portability)
Moodle supports these via its Policies and Data Privacy plugins (standard since Moodle 3.5). [docs.moodle.org]
Under KVKK
Users have the right to:
- Learn whether their data is processed
- Request information
- Request correction, deletion
- Object to unfavorable outcomes of automated processing
Requests are handled jointly by the Consortium Data Protection Office.
7. International Transfers
When data moves between EU partners and Turkish universities, GDPR Chapter V transfer rules apply, requiring:
- Standard Contractual Clauses (SCCs)
- Supplementary technical measures
- Lawful basis and accountability controls
The KVKK may additionally require VERBIS registration for Turkish controllers and explicit cross‑border consent where applicable.
8. Security Measures
Moodle implements security by design, referencing:
- OWASP & CWE secure coding frameworks
- SOC2 Type 2 certified development pipelines
- Multi‑factor authentication support
- Password peppering, secure tokens, customizable security settings [moodle.com]
The platform is continuously monitored by the global open‑source security community. [moodle.com]
Universities must additionally implement:
- Local access control policies
- Data encryption and network security
- Regular security audits (required by GDPR and strongly recommended for KVKK)
9. Use of Entra ID Delegated Permissions
Delegated permissions act only within the rights of the signed‑in user. Risk arises only if:
- A high‑privilege user signs in (e.g., Global Administrator), or
- An app is over‑permissioned
The Consortium enforces:
- Least‑privilege design
- Restrictive consent policies
- Permission classification using Entra ID capabilities (Low/Medium/High) [learn.microsoft.com]
No tenant‑wide access is granted to Moodle under any circumstance.
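The least-privilege review described in this section, applied to the scope list in section 2.2, as an added worked example (this is illustration code, not code from the Consortium, Moodle, or Microsoft). It tiers each requested delegated scope from its name, treats the sign-in baseline as expected, and reports every broader scope that no enabled integration (section 3.2) justifies. The scope names are real Microsoft Graph delegated permission names; the tiering rule, the integration-to-scope map and the sample inputs are assumptions of this example, not Entra ID's own permission classification.

```python
"""Least-privilege review of the delegated Graph scopes an app requests.

Added example, not code from the Consortium or from Moodle. Scope names are
real Microsoft Graph delegated permissions; the tiering rule, the
integration-to-scope map and the sample inputs are assumptions made here.
"""
from dataclasses import dataclass

# Scopes needed for OpenID Connect sign-in (policy section 2.2).
SIGN_IN_BASELINE = frozenset({"openid", "profile", "email", "offline_access"})

# Assumed map: optional integration -> scopes it justifies (policy section 3.2).
INTEGRATION_SCOPES = {
    "calendar_sync": frozenset({"Calendar.ReadWrite"}),
    "file_exchange": frozenset({"Files.ReadWrite", "Sites.ReadWrite.All"}),
}

# Access verbs treated as write-type for tiering (assumption of this example).
WRITE_MARKERS = ("Write", "Manage", "FullControl", "Send")


@dataclass(frozen=True)
class Finding:
    scope: str
    tier: str        # baseline | low | medium | high
    justified: bool
    reason: str


def classify(scope: str) -> str:
    """Tier a scope from its name alone: Resource.Access[.All].

    Write-type access outranks read; the ".All" suffix means the scope reaches
    items beyond the signed-in user's own, so it raises the tier. Unknown
    shapes are tiered high so that a human reviews them.
    """
    if scope in SIGN_IN_BASELINE:
        return "baseline"
    parts = scope.split(".")
    if len(parts) < 2:
        return "high"
    writes = any(marker in parts[1] for marker in WRITE_MARKERS)
    all_items = parts[-1] == "All"
    if writes and all_items:
        return "high"
    if writes or all_items:
        return "medium"
    return "low"


def audit(requested: set[str], enabled_integrations: set[str]) -> list[Finding]:
    """One finding per requested scope, plus one per missing baseline scope.

    A scope is justified if it is baseline, low tier, or covered by an
    integration the university has enabled; anything else must be resolved by
    enabling the integration or dropping the scope from the app registration.
    """
    covered: set[str] = set()
    for name in enabled_integrations:
        covered |= INTEGRATION_SCOPES.get(name, frozenset())

    findings: list[Finding] = []
    for scope in sorted(requested):
        tier = classify(scope)
        if tier in ("baseline", "low"):
            findings.append(Finding(scope, tier, True, f"{tier} tier; no justification needed"))
        elif scope in covered:
            findings.append(Finding(scope, tier, True, "covered by an enabled integration"))
        else:
            findings.append(Finding(scope, tier, False, "no enabled integration requires this scope"))
    for scope in sorted(SIGN_IN_BASELINE - requested):
        findings.append(Finding(scope, "baseline", False, "required for sign-in but not requested"))
    return findings


def unjustified(findings: list[Finding]) -> list[str]:
    """Scopes the reviewer must act on, highest tier first."""
    order = {"high": 0, "medium": 1, "low": 2, "baseline": 3}
    return [f.scope for f in sorted(findings, key=lambda f: order[f.tier]) if not f.justified]


# Constructed sample: the scope list from section 2.2, reviewed for a
# university that has enabled only the calendar integration.
APP_SCOPES = SIGN_IN_BASELINE | {
    "User.Read", "Calendar.ReadWrite", "Files.ReadWrite", "Sites.ReadWrite.All"}

if __name__ == "__main__":
    for f in audit(APP_SCOPES, {"calendar_sync"}):
        flag = "OK " if f.justified else "FIX"
        print(f"{flag} {f.tier:<8} {f.scope:<22} {f.reason}")
```

Run against the sample, the review flags Sites.ReadWrite.All and Files.ReadWrite as unjustified because the file-exchange integration is not enabled; enabling it (or removing those scopes from the registration) clears the findings. The same check also surfaces a registration that omits a sign-in baseline scope.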
10. Sharing of Data
We may share user data only with:
- Consortium universities (Joint Controllers)
- Cloud service providers (Microsoft 365)
- Accreditation and regulatory bodies (when legally required)
All third‑party processors operate under GDPR‑ and KVKK‑compliant Data Processing Agreements.
11. Cookies and Tracking
Moodle uses cookies strictly for session handling, access control, and user preferences.
Analytics cookies (if enabled) require explicit consent in GDPR jurisdictions.
12. Data Protection Officers (DPOs)
GDPR requires DPOs in many cases; KVKK does not formally require a DPO, but recommends accountability officers.
Each university appoints:
- A local GDPR/KVKK contact
- A Consortium‑level DPO for cross‑institution governance
13. Incident Response
All security incidents are:
- Logged
- Investigated promptly
- Reported to supervisory authorities within 72 hours under GDPR
- Reported per KVKK breach notification requirements
14. Changes to This Policy
We will publish updates on the LMS login page and within the site policy versioning system supported by Moodle. [docs.moodle.org]