Turnitin & GDPR

Having stood at the forefront of academic integrity solutions for over 20 years, we are committed to holding our processes and practices to high standards. Complying with the General Data Protection Regulation (GDPR) is no exception.

Since the GDPR came into force in 2018, we have enforced, maintained and continually improved our GDPR compliant privacy practices in order to reassure our customers and users of our services that their data will be processed lawfully, fairly and securely. Answers to some of our most frequently asked questions are below.


Yes. As an ed tech company, we work to ensure that our data protection practices are in line with the GDPR and other applicable global laws. Turnitin employs a Data Protection Officer to oversee the governance of our GDPR practices.

Yes. Under the GDPR, submission content itself is 'Personal Data'. Turnitin's database of submissions, which is used in conjunction with other internet sources for comparisons and text matching, is located in the United States. It is therefore necessary, and consistent with the contracts and data processing addendums that we execute with customers, to transfer personal data outside the EU to the US in order to perform our services. Transferred data is in encrypted form. Where we use the AWS platform for hosting, data is stored exclusively in the EU (in Frankfurt), but in order to perform the services that data will be transferred to the US. Wholly owned group companies of Turnitin process data in 'third countries' (countries outside the EU or with no current adequacy decision like the US) and only Turnitin employees with the need for access to such data may process the data in order to perform the services (i.e., for engineering, security or customer support reasons).

The 2020 judgement in the Schrems II case dissolved Privacy Shield, a framework designed by the U.S. Department of Commerce and the European Commission under which transfers of data from the EU to the US were considered lawful. Notwithstanding this decision, however, there are other lawful methods of data transfer under Art.46 GDPR. After Schrems II, the European Commission provided updated Standard Contractual Clauses, or “SCCs”, which are pre-approved model clauses that parties can voluntarily use to comply with GDPR obligations. These SCCs can provide comfort to data exporters that an 'essentially equivalent' level of data protection as the GDPR exists for data transferred to the US. The judgement of Schrems II stated that 'additional safeguards' should be applied to the data transferred. The SCCs with additional safeguards, including that all data transfers to the US are encrypted, are included in Turnitin's Data Protection Agreements.

Please also see below regarding the new Proposed EU-US Data Privacy Framework.

Turnitin's SCCs are applicable to all Turnitin group companies that may process Personal Data. This means that our group companies also are parties to the SCCs and are bound by their provisions, which provide additional safeguards, risk management, and comfort for our customers. Turnitin includes the recommended 'additional safeguards' in the 'Technical & Organisational Measures' annex - these include industry-standard encryption which utilises a one-way, proprietary hashing technique and a detailed analysis of certain non-EU laws that may impact data security in the countries of transfer.

The UK retained GDPR through domestic legislation (the UK GDPR), but has replaced the EU SCCs with an International Data Transfer Agreement (IDTA) which satisfies the international data transfer mechanism under the UK GDPR. Turnitin has an IDTA, which is available upon request.

In October 2022, the President of the United States issued an Executive Order explaining the steps that the US will take to implement US commitments under the proposed EU-US Data Privacy Framework announced jointly by the US and European Commission in March 2022. It is hoped that the proposed framework will receive an adequacy decision from the EU when drafted. The Executive Order is a reassuring step towards such an adequacy finding. The Executive Order requires that US surveillance activities are only carried out: (1) solely in connection with defined national security objectives; (2) only when necessary to process a validated intelligence priority; and (3) only to the extent and in a manner proportionate to that priority. The Executive Order also creates a process under which EU based data subjects and/or EU nationals may obtain independent and binding review and redress of claims that their data was processed contrary to US law, including the safeguards provided in the Executive Order.

Surveillance laws in the US apply to any data that is processed in the US. The laws exist to counter criminal (especially terrorist) activities, and are practically applied to data suspected to be foreign intelligence information. In our opinion, the likelihood of a US law enforcement agency accessing the data our customers share and Turnitin processes is extremely low. No such requests have been made to Turnitin since Turnitin was founded over 20 years ago. Additionally, US state and regulatory bodies have taken previously unprecedented steps to enshrine the importance of data privacy, and have enacted new laws and regulations aimed at providing additional rights to consumers regarding their data. The previously-described Executive Order regarding EU-US data privacy agreements strictly limits US intelligence agencies to collecting data for specific, defined national security purposes.

Turnitin regularly updates its technical and organisational measures which exist to protect the security of the processed personal data, in accordance with Art.32 GDPR. These measures include: SOC2 certification, sophisticated firewalls, SSL network encryption, encryption of data (in transit and at rest), and appropriate policies, training, and physical security measures. Turnitin's current technical and organisational measures are available both in the applicable annex of the SCCs and upon request from your Account Manager.

Turnitin has implemented processes to handle a data subject's rights to access, deletion, and rectification of their Personal Data in accordance with the GDPR. Generally, the customer, as data controller, must approve (or deny) such requests subject to the provisions of the GDPR.

Turnitin implements and maintains a Data Breach Notification Policy that is consistent with GDPR requirements and will adhere to it in the event of a breach.

Customer queries may be directed to Turnitin's Data Protection Officer at: DPO@turnitin.com

Copyright © 2022 Turnitin, LLC. All rights reserved.