Turnitin & GDPR

Having stood at the forefront of academic integrity solutions for 20 years, we are committed to holding our processes and practices to the highest possible standards. Complying with the General Data Protection Regulation (GDPR) is no exception.

Defending and protecting the privacy of our customer data is at the heart of the work we do at Turnitin. With the GDPR coming into effect on 25 May 2018, we’ve dedicated our efforts to evaluating and refreshing our procedures around data privacy.

Data processing by third parties

By acting as a data processor under both current data protection laws and the upcoming GDPR, Turnitin must ensure that any personal data processed by third-party suppliers (sub-processors) as part of the Turnitin solution is done so solely for the purposes expected by our customers, and in accordance with a written contract between Turnitin and the supplier.

As Turnitin suppliers must also be compliant with GDPR, we have conducted due diligence to confirm that the GDPR readiness of all our third-party suppliers is acceptable. To date, we have determined that our suppliers are demonstrating a satisfactory GDPR readiness plan or are already compliant.

The impact of GDPR on Turnitin customers

In the event of any data being transferred outside of the European Economic Area (EEA), adequate mechanisms, safeguards and technical measures are in place or planned for when the GDPR comes into effect on 25 May 2018.

As a Turnitin customer based in the EEA, you are a data controller and, therefore, bound by GDPR. All Turnitin customers must ensure that their own suppliers, like Turnitin, are GDPR compliant.

Turnitin paper storages

Papers submitted to Turnitin are compared against a vast and secure database of licensed source material, including billions of periodicals, academic journals, books, and web pages.

Turnitin maintains an encrypted repository of student papers. Storage of student papers in this repository is determined by both Turnitin administrator and educator. Students can also opt out of having their papers stored.

We do not (and will not) assert or claim copyright ownership of any works submitted to or through our services. Your property is your property, and we will not use it for any other purpose than to deliver, support, and develop our services, which are designed to protect and strengthen your copyright.

An institution’s administrator can contact the Turnitin Support team at any time to request that their student papers be removed from the standard repository.

Want to find out more? Register for our GDPR readiness webinar on May 10.

Register Here


The EU General Data Protection Regulation (GDPR) is a direct replacement of the Data Protection Directive 95/46/EC. The GDPR has been designed to harmonise Europe’s data privacy laws. It aims to protect and empower the data privacy of all EU citizens, as well as being a method for remodeling the way in which data privacy is approached by different organisations.

The GDPR comes into effect in the EU on 25 May 2018. As the GDPR is a regulation, it will apply automatically to all Member States from this date.

The GDPR applies to any Data Controller or Data Processor in the EU; it also applies to anyone who processes the Personal Data of EU residents anywhere in the world.

A Data Controller states how and why Personal Data is processed, and can be any organisation. A Data Processor could be an IT firm, just like Turnitin, who actually processes the data.

Both Data Controllers and Data Processors must abide by the GDPR. As a Turnitin customer, you are a Data Controller.

If you or your Data Processors (such as Turnitin) are based in the EU, or are processing the Personal Data of EU residents, then the GDPR will apply to you.

As a Data Controller, institutions must use the criteria in the GDPR to decide who their national Supervisory Authority is. This Supervisory Authority is the organisation you will liaise with in the event of any data breaches.Turnitin’s Supervisory Authority is the Information Commissioner’s Office (ICO) in the UK. For reference, the ICO has prepared this guidance on GDPR compliance. The European Union website has also prepared guidance on upcoming new data protection rules across the EU.

If you do not have a legal department, you must appoint someone (or a committee) to be responsible for your organisation’s GDPR compliance.

The GDPR states that you must have a contract in place with Turnitin that is GDPR compliant. You are required to ensure that all your suppliers who act as data processors are GDPR compliant. Turnitin is involved in the same process with its suppliers.

To make this process as easy as possible for customers, Turnitin will amend its Registration Agreement to incorporate all relevant changes from 25 May on your behalf. This means that you won’t need to send us a contract amendment, and no further action is required from you as far as your Turnitin contract is concerned. The updated Terms of Service can be viewed in our new Privacy Centre here

Because Turnitin currently transfers Personal Data outside the EU to the USA only, Turnitin transfers data securely using appropriate safeguards, as required in the GDPR. Turnitin is Privacy Shield certified. Privacy Shield is a data transfer mechanism approved by the European Commission, and will continue to be an adequate data transfer mechanism under GDPR. You can view Turnitin’s certification at privacyshield.gov.

Turnitin also accepts European Commission approved model EU contract clauses, and in 2018/2019, Turnitin plans to give customers the option to have their submissions stored in the EU.

A student submitting a paper through the Turnitin service provides their first name, surname and email address. This is all Personal Data. Any identification numbers generated by you, which a student includes in their submission, is also classed as Personal Data.

Turnitin continuously reviews its technological and organisational infrastructure to ensure that stringent security measures are in place. These currently include (but are not limited to) the following:

  • TrustArc collaboration (see www.trustarc.com)
  • Sophisticated firewalls
  • Redundant data centres
  • SSL network encryption
  • The encryption of Personal Data (in transit and at rest)
  • SOC2 data centre certification (in place by May 25)
  • Appropriate policies and physical security measures
  • Companywide employee training on the GDPRv
  • While not required, Turnitin has appointed a Data Protection Officer who can be contacted via DPO@turnitin.com

You can view our current privacy policy at: https://guides.turnitin.com/Privacy_and_Security

No. The British government has confirmed that GDPR will continue to be adhered to, so its UK office will be compliant.

Copyright © 2018 Turnitin, LLC. All rights reserved. Privacy Pledge