H5P Guides

GDPR compliance

The General Data Protection Regulation (GDPR) leaves many people puzzled. This page is intended to provide you with information that might be relevant for you if you’re using one of the H5P plugins on your own systems.

Please keep in mind though: This page offers advice to help you in your efforts to become GDPR compliant. Following this advice doesn't mean your site becomes GDPR compliant automatically. GDPR affects the whole organization, is quite complex and you should consult a lawyer to make sure that you become GDPR compliant.

Data Privacy Policy

If you’re hosting a platform that’s capable of using one of the H5P plugins, it is very likely that you are required to present a data privacy policy. Please check which of the following aspects might be relevant for you and should be covered by your privacy policy.

Cookies

There are some content types that may use external services, and those may process personal data. You will want to make this use transparent in your data privacy policy, and you will have to provide grounds for using them as demanded by Art. 6 GDPR.

In some content types, you can embed videos from YouTube. YouTube will set cookies that can be used to identify/track your users.

In some content types, you can embed feeds from Twitter. Twitter will set cookies that can be used to identify/track your users.

Voice

In some content types, you can offer speech recognition. This service is currently available in Chrome, which uses Google Cloud services to convert voice to text. Other browsers that may be supported in the future may use different services.

Results

H5P will store data about your users’ interactions on your host system. You will want to make this use transparent in your data privacy policy, and you will have to provide legal grounds for using them as demanded by Art. 6 GDPR.

It may be in your interest to process these data to learn something about your users, which may in turn help you to improve their learning outcome.

For each interaction that a user completes, H5P may store the user’s account identifier of your host system, the start time, the finish time, the score that was achieved and the maximum score possible.

Saved content state

H5P offers to save the content state of an interaction. If you decide to make use of this option, H5P will store the state of the content type that a user is interacting with at regular intervals and when it is completed. You will want to make this use transparent in your data privacy policy, and you will have to provide legal grounds for using them as demanded by Art. 6 GDPR.

It may be in your interest to save the content state. It may be used to provide your users with the opportunity to interrupt their interactions and continue where they left off at a later point in time. It may also be used to provide your users with the option to review their interactions (e.g. their answers given) at a later point in time.

For each content/sub-content that a user interacts with, H5P will store the current state (e.g. answers given, if a tutorial has already been watched, etc.), when the state was saved, and some technical information (should it be preloaded, should the data be reset when the content is changed by the author).

xAPI statements

H5P offers to process xAPI statements. If you’re using the H5P plugin for Moodle, this will be activated by default. If you decide to make use of this option, either by processing the statements yourself or by transferring this task to a processor, you will want to make this use transparent in your data privacy policy, and you will have to provide legal grounds for using them as demanded by Art. 6 GDPR.

It may be in your interest to process xAPI statements. The xAPI statements may be used to collect information about your users’ learning experience. Thus, the xAPI statements may be used to learn more about the design of your interactions and improve them. Also, you may use the xAPI statements to learn something about your users, which may in turn help you to improve their learning outcome.

You will find more details about the data that’s processed within xAPI statements in the official documentation. In particular, they will hold a user’s full name (if retrievable) and a unique identifier (email address, OpenID or account identifier of your host system).

Access to, rectification of, erasure of, and export of data

You may be requested to retrieve (Art. 15 GDPR), export (Art. 20 GDPR), rectify (Art. 16 GDPR) or erase (Art. 17 GDPR) personal data. This section describes how you can comply with these requests.

WordPress

Our H5P plugin for WordPress supports the privacy functions that have been introduced with WordPress version 4.9.6. They support you with retrieval, export and erasure of personal data. If you are using an earlier version of WordPress or if you need to rectify data, please ask your system administrator to check the following database tables:

  • For user results: h5p_results
  • For saved content states: h5p_contents_user_data
  • For contents they have created: h5p_contents
  • For events they have triggered: h5p_events
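As an added example (not part of the H5P plugin or its documentation), this Python sketch shows how an administrator could collect and then erase one user's rows across the four tables listed above. It runs against a constructed in-memory SQLite stand-in; the `wp_` prefix, the `user_id` column, the other demo columns and the choice to leave authored content in place are assumptions to check against your own database.

```python
import json
import sqlite3

# Table names come from the list above. The wp_ prefix and the user_id
# column are assumptions: confirm both against your own schema.
PREFIX = "wp_"
TABLES = ("h5p_results", "h5p_contents_user_data", "h5p_contents", "h5p_events")
# Assumption: authored content is reviewed by hand instead of being deleted.
ERASABLE = ("h5p_results", "h5p_contents_user_data", "h5p_events")

def export_user(conn, user_id):
    """Return every row that references user_id, grouped by table."""
    report = {}
    for table in TABLES:  # fixed names only; the user id is a bound parameter
        rows = conn.execute(
            f"SELECT * FROM {PREFIX}{table} WHERE user_id = ?", (user_id,))
        report[table] = [dict(row) for row in rows]
    return report

def erase_user(conn, user_id):
    """Delete the user's rows in one transaction; return counts per table."""
    deleted = {}
    with conn:  # commits on success, rolls back if any statement fails
        for table in ERASABLE:
            cur = conn.execute(
                f"DELETE FROM {PREFIX}{table} WHERE user_id = ?", (user_id,))
            deleted[table] = cur.rowcount
    return deleted

def demo_db():
    """Constructed in-memory stand-in: simplified schema, made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE wp_h5p_results (content_id, user_id, score, max_score, opened, finished);
        CREATE TABLE wp_h5p_contents_user_data (content_id, user_id, data, updated_at);
        CREATE TABLE wp_h5p_contents (id, user_id, title);
        CREATE TABLE wp_h5p_events (id, user_id, type, content_id, created_at);
        INSERT INTO wp_h5p_results VALUES (1, 7, 3, 5, 1700000000, 1700000300), (1, 8, 5, 5, 1700000400, 1700000900);
        INSERT INTO wp_h5p_contents_user_data VALUES (1, 7, '{"answers":[2]}', '2024-01-01 10:00:00');
        INSERT INTO wp_h5p_contents VALUES (1, 8, 'Quiz'), (2, 7, 'Draft');
        INSERT INTO wp_h5p_events VALUES (1, 7, 'results', 1, 1700000300), (2, 8, 'content', 1, 1690000000);
    """)
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(json.dumps(export_user(db, 7), indent=2))  # export for Art. 15/20
    print(erase_user(db, 7))                         # erasure for Art. 17
```

Keeping the export output alongside the per-table deletion counts gives you a record of what was handed over and what was removed for each request.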

Moodle

Our H5P plugin for Moodle supports the Privacy API provided by Moodle. It supports you with retrieval, export and erasure of personal data. If your Moodle version does not support the Privacy API or if you need to rectify data, please ask your system administrator to check the following database tables:

  • For results/xAPI statements: hvp_xapi_results
  • For saved content states: hvp_content_user_data
  • For contents they have created: hvp
  • For events they have triggered: hvp_events

Drupal

For Drupal, we do not yet support a solution for handling requests related to the GDPR. If you need to retrieve, export, rectify or erase data, please ask your system administrator to check the following tables:

  • For results/xAPI statements: h5p_points
  • For saved content states: h5p_content_user_data
  • For contents they have created: h5p_nodes
  • For events they have triggered: hvp_events

Anonymous usage tracking

This is not related to the GDPR, but we know that many people are concerned about any data transfer to third-party servers. If you are using the H5P plugin, it may send anonymized statistical information to us. This data helps us to learn about problems with H5P, which in turn helps us to improve the software. It does not contain personal data. You will find more details in a separate description. If you’re still concerned, you can deactivate sending statistics to us in the plugin settings.