General developer forum

Moodle GDPR Implementation Question

Picture of Michael Hughes
Moodle GDPR Implementation Question
Core developersParticularly helpful MoodlersPlugin developers

I've been having a play with Moodle's Privacy framework for the GDPR (it's looking good BTW) and have a question that has come up that I've not been able to answer either through the tracker issues or the Google Doc ( about it.

It's a self-service model, so a Data Subject can make the request to a DPO, who will approve / deny it (or a DPO can make a request on behalf of someone else).

In the case of an export, it looks like the data is emailed to the DS and can be downloaded via the My Requests page.

However I can't find evidence of the data being made available to a DPO user.

In our scenario all DP requests are to be fielded by our central Data Protection Office, so they should be routed the request (the SAR should work nicely for this), collect the data (again nicely handled by the approve / deny option) but then they would want to control the return of the resulting data set to the Data Subject, typically to set it in context to the request.

In addition the SAR may *not* come through Moodle as we have a complex IT environment and Moodle may only be 1 part of the SAR target, so the DPO ability to make a request on someone else's behalf works nicely, but DP Office needs to be in control of the release of the materials (separate from the assembly of the materials) or the collation of all of the pertinent materials together.

This would suggest that there should be:

  1. a mechanism to prevent the automatic distribution of the exported data to the Data Subject.
  2. a "Download Option" on the DPO actions, 
  3. a "refresh/re-export" mechanism. 

Any way just my 2 cents, I think for covering GDPR requirements in a simple context the implementation is looking really good.


Average of ratings: Useful (4)
Picture of Andrew Nicols
Re: Moodle GDPR Implementation Question
Core developersMoodle HQParticularly helpful MoodlersPlugin developersTesters

Hi Michael,

Thank you for the feedback - it's really valuable to us to get this kind of information and we really do appreciate it.

I've added this to our epic as MDL-61652. I imagine we'll probably classify it as one of our higher-priority, easy-to-implement, ice-cream features and I expect that it will be present come the May release.

We do also plan to create web services for the SAR functionality which may be useful for the purposes you describe too. These are described in MDL-61653 and are a part of our MVP.

Thank you again,


Average of ratings: -
Picture of Ralf Hilgenstock
Re: Moodle GDPR Implementation Question
Core developersParticularly helpful MoodlersTranslators

Hi Michael

I'm stumpling about the description of DPO as the user who handles this. From my understanding the controller or a named processor has to handle this processes. The DPO controlls that the controler has organized all well and the practice is good. If the DPO himself organises the processes he can't control himself effectively. In consequence the wording should be changed.


Average of ratings: -