Privacy Statement Originality Check by Turnitin

In this privacy statement, we explain what happens to your personal data when they are processed by the Originality Check system of Turnitin.

Who is responsible for data processing?

Utrecht University, located at Heidelberglaan 8, 3584 CS Utrecht, is responsible for the processing described in this Privacy Statement.

For what purposes will my personal data be processed?

Your personal data is processed to check your submitted works against public sources, scholarly sources and previously submitted work by other students. The plagiarism detection software checks whether you have used unregistered sources in your submitted work. The guiding principle in grading tests is that students should be be assessed on their own work and understanding of the material. If you pretend someone else’s work is your own, this assessment is not possible; this is therefore considered fraud or plagiarism.

The plagiarism detection software produces a report with a probability outcome that the student has used unregistered sources. This report by itself is never sufficient to impose sanctions. The work is always also checked by your professor and/or the Examination Board of your program to determine whether plagiarism has indeed occurred.

Your program’s Education and Examination Regulations (EER) set out the formal course of action when fraud/plagiarism is suspected and what sanctions may be imposed. The strongest sanction is to remove a student from the program.

Which personal data are processed?

Originality Check always processes the work itself, including the cover sheet which often includes your name, student number or SolisID, course, and email address. In addition, this data is also included as “metadata” to link your submitted work to your account in the LMS and Osiris.

How long are these personal data retained?

The plagiarism report is kept for 22 months.

The submitted work is added to Originality Check’s international database. Thus, new works submitted in the coming years can also be checked for plagiarism using the most up-to-date database.

Will my personal data be shared with third parties?

Your data is shared with the supplier of Originality Check, Turnitin.

Will my data be transferred to third countries?

Turnitin is an American company. Your data will be transferred to, and stored in, the United States. Turnitin is registered with the Data Privacy Framework, with which they promise to meet the same level of protection as offered within the European Union.

What is the legal basis for this data processing?

The basis for this processing is ‘Public interest’. The legal basis for this is Article 7.10 WHW, which states that “every examination includes an investigation of the knowledge, insight and skills of the examinee.” An examination is any form of knowledge assessment, and thus may include an essay. The Education and Examination Regulations (EER) of each program set out the formal course of action when fraud/plagiarism is suspected and what sanctions may be imposed.

What rights do I have under the GDPR?

The GDPR gives you a number of rights with regard to your personal data. You have the right to access your data and to have it corrected or deleted.

How can I exercise these rights?

If you want to exercise one or more of the above rights, you can submit a request using the privacy request form. We will then have one month to respond to your request. For very complex requests (or if a lot of requests come in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month.

Is there automated decision-making or profiling?

There is no automated decision-making. That is, decisions are never made without human intervention. The plagiarism score established by Originality Check is never sufficient to establish actual plagiarism, the plagiarism report and sources used must always be interpreted by a professional before further steps are taken. There is also no profiling.

Questions? Complaints?

Do you have any specific questions regarding the above information or do you have any comments regarding  this privacy statement? Feel free to contact us. You can send a message to privacy@uu.nl.

The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor who may also be important to you, namely if you want information about our processing of personal data or if you want to file a complaint about it. You can contact our DPO via fg@uu.nl.

We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority.

Contact details Utrecht University

Heidelberglaan 8

3584 CS Utrecht

Tel. (030) 253 35 50

Privacy Statement: Version and Policy Document

This Privacy Statement was last modified on 14 July 2025. From time to time, we will make changes to this Privacy Statement.