Privacy Statement Originality Check by Turnitin

Version 08-05-2025

In this privacy statement, we explain what happens to your personal data when they are processed by the Originality Check system of Turnitin.

Who is responsible for data processing?

Utrecht University, located at Heidelberglaan 8, 3584 CS Utrecht, is responsible for the processing described in this Privacy Statement.

For what purposes will my personal data be processed?

Your personal data is processed to check your submitted works against public sources, scholarly sources and previously submitted work by other students. The plagiarism detection software checks whether you have used unregistered sources in your submitted work. The guiding principle in grading tests is that students should be be assessed on their own work and understanding of the material. If you pretend someone else’s work is your own, this assessment is not possible; this is therefore considered fraud or plagiarism.

The plagiarism detection software produces a report with a probability outcome that the student has used unregistered sources. This report by itself is never sufficient to impose sanctions. The work is always also checked by your professor and/or the Examination Board of your program to determine whether plagiarism has indeed occurred.

Your program’s Education and Examination Regulations (EER) set out the formal course of action when fraud/plagiarism is suspected and what sanctions may be imposed. The strongest sanction is to remove a student from the program.

Which personal data are processed?

Originality Check always processes the work itself, including the cover sheet which often includes your name, student number or SolisID, course, and email address. In addition, this data is also included as “metadata” to link your submitted work to your account in the LMS and Osiris.

How long are these personal data retained?

The plagiarism report is kept for 22 months.

The submitted work is added to Originality Check’s international database. Thus, new works submitted in the coming years can also be checked for plagiarism using the most up-to-date database.

Will my personal data be shared with third parties?

Your data is shared with the supplier of Originality Check, Turnitin.

Will my data be transferred to third countries?

Turnitin is an American company. Your data will be transferred to, and stored in, the United States. Turnitin is registered with the Data Privacy Framework, with which they promise to meet the same level of protection as offered within the European Union.

What is the legal basis for this data processing?

The basis for this processing is ‘Public interest’. The legal basis for this is Article 7.10 WHW, which states that “every examination includes an investigation of the knowledge, insight and skills of the examinee.” An examination is any form of knowledge assessment, and thus may include an essay. The Education and Examination Regulations (EER) of each program set out the formal course of action when fraud/plagiarism is suspected and what sanctions may be imposed.

What rights do I have under the GDPR and how can I exercise them?

As a data subject you have certain rights. Namely the right to access, the right to rectification and the right to erasure.

Should you wish to exercise these rights, please submit your request using this form. We will then have one month to respond to your request. For very complex requests (or if there are a lot of requests coming in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month.

When exercising your rights, we first need to establish your identity. We do this in a way that suits the situation at hand and the right you want to exercise.

Is there automated decision-making or profiling?

There is no automated decision-making. That is, decisions are never made without human intervention. The plagiarism score established by Originality Check is never sufficient to establish actual plagiarism, the plagiarism report and sources used must always be interpreted by a professional before further steps are taken. There is also no profiling.

Questions

If you have any questions about this privacy statement, please send them to privacy@uu.nl. Would you like to file a complaint? If so, please contact Utrecht University’s data protection officer, which can be reached at fg@uu.nl. You are also always free to file a complaint with the Dutch Data Protection Authority here.