If you would like to use tools from our tool collection above that are marked with “[on the web]” or also other tools that you may have received as a tip, we recommend making an assessment with regard to data protection before using the tool.

We would like to provide you with a guideline for this – combined with the NOTE that we are not legal experts and the following information cannot be understood as legal advice. In case of doubt, please ask the TU's data protection team.

How can I assess digital tools in terms of data protection?

The following approach applies: the risk of possible damage that could result from the use of the tool should be kept as low as possible. In order to obtain an orienting assessment, the following questions can help:

Step 1: origin of the tool provider and its service providers?

• Is the tool provider a European company?
  • This can be found out, for example, via the imprint.

• Does the tool provider use services from other companies to run its tool (e.g., cloud storage, (social media) plugins, and analytics tools)? Where do these subcontractors operate their services?
  • This can be found out, for example, in a detailed privacy policy explaining where and how the data collected via the tool is further processed.

If both the company offering the digital tool and its service providers who further process the data collected by the tool are NOT European companies, this should be viewed more critically (especially if they are US companies).

Step 2: type and scope of data collected by the tool?

• Is a login necessary for your students when you use the tool in your teaching?
  • Tools that require registration/login with real data (e.g., email address) or only work via app should be viewed more critically than those that can be used simply by accessing a web URL.
  • Even with web tools that do not require a login, data such as the IP address is collected. However, this can be masked by using the VPN with the profile setting “Campus”.
• How sensitive (in terms of individuals) is the data?
  • The more detailed and personal a person's data are (e.g. political views, sexual orientation, biological characteristics), the more sensitive and worthy of protection they are!
  • Take a look at the privacy policy. It must state what data is collected, what happens to it and when it is deleted. Likewise, every user has the right to information and deletion of their own personal data. This should also be stated there.

Conclusion:

If you come to a rather critical assessment of all questions or if you do not receive any corresponding information from the tool provider, e.g., due to an inadequate data protection declaration, the use of the tool is not advisable from a data protection point of view.

If you arrive at a rather critical assessment in step 1, but in step 2 the assessment is relatively uncritical because, for example, it is a web tool that does not require a login or can also be used with a fantasy name, the risk for tool use appears manageable. Use is even more justified here if

• no adequate tool alternatives are known that fulfil the same purpose but would be less objectionable from a data protection perspective,
• the didactic purpose of the tool use is clearly evident,
• students' participation in the use of the tool is voluntary and not an obligation within the framework of the course,
• it is made transparent to the students what data is collected by the tool and how they can make it anonymous themselves, e.g. via VPN.