LabSchool Exams

Privacy Policy

This Privacy Policy describes how the LabSchool Exams application processes personal data, in accordance with Regulation (EU) 2016/679 (GDPR), applicable Greek law, and the guidance of the Greek School Network.


1. Data Controller

The data controller is the organisation, school unit, or educator who uses the application for educational purposes. Where applicable, you may also contact the Data Protection Officer (DPO) of the organisation using the application.

2. Categories of Data

The application processes only the data that is strictly necessary:

  • Educator account data: name and account email
  • Student / participant data: full name, pseudonym, or participation code
  • Assessment results such as scores and answers
  • Technical data such as IP address, browser, timestamps, and session data

The use of pseudonymisation, such as codes instead of real names, is recommended wherever possible.

3. Purposes of Processing

Data is used exclusively for:

  • Creating and managing knowledge assessment quizzes
  • Delivering educational activities and assessments
  • Monitoring student progress
  • Managing user accounts
  • Maintaining the security and proper operation of the application

No commercial exploitation or unrelated secondary processing of the data takes place.

4. Legal Basis

Processing is based on:

  • The performance of a task carried out in the public interest in the field of education
  • Compliance with legal obligations
  • Legitimate interest in maintaining the security of the application

Where required, consent is obtained, for example when real student names are used.

5. Recipients and Processors

Access to the data is limited to:

  • The educator or application administrator
  • Technical system administrators where necessary

If a hosting provider is used, it acts as a processor and must be bound by a data processing agreement (DPA). No transfer of personal data outside the EU takes place without appropriate safeguards.

6. Retention Periods

Data is retained only for as long as necessary:

  • Assessment data: until deleted by the user or administrators
  • User accounts: until deleted by administrators
  • System logs: for a limited period for security reasons

After the relevant retention period, data is deleted or anonymised.

7. Data Subject Rights

Users have the right to:

  • Access their personal data
  • Request correction of inaccurate information
  • Request erasure where legally permitted
  • Request restriction of processing
  • Object to processing

Exercising these rights requires verification of the requester's identity. Users may also lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).

8. Security Measures

The application applies technical and organisational security measures:

  • Access control and user roles
  • Encrypted communication (HTTPS)
  • Secure sessions
  • Rate limiting and protection against abusive activity
  • Activity logging (audit logs)

Measures are taken to prevent unauthorised access, loss, or misuse of data.

9. Policy Updates

This policy may be updated from time to time. Users will be informed of significant changes through the application. Last updated: Friday, April 10, 2026.