Embedding from H5P.org and the GDPR
The purpose of the testdrive feature(where H5P content may be created) on H5P.org is to provide those who consider installing H5P or installing an upgraded version of H5P a place to try it out before installing. It is not built or maintained to be used as a free hosting provider, and we do not recommend using H5P.org for anything but testing.
Still, several community members does use it for more than testing. We some times are asked if it is OK to embed content from H5P.org according to the GDPR. The simple answer is that we don't know, we're not lawyers and we don't think lawyers would know for sure at the moment either. Any comments appreciated.
Usually we don't store any personal information about the user except that the IP is stored here and there, but there are some exceptions making it less straight forward. Also, our privacy policy is not available through the embedded H5P content which might be problematic.
If an H5P from H5P.org is embedded in an LMS we do not know who the user is, provided that the user doesn't happen to be logged in on H5P.org. If the user is logged in we know who it is and we store the score, maybe without the user realizing it. We do not know if this is a problem, but it might be. We also use Google Analytics on H5P.org, including in the embedded pages. In addition to storing the normal things Google Analytics stores we store xAPI data in Google Analytics. If the user is not logged in to H5P.org and does not provide data about themselves in their answers the data is anonymous. If they type in personal information in the H5P content it will be stored in our Google Analytics account. Using multiple choice or similar is unproblematic. Using Documentation tool or other free text questions may be problematic.
We don't provide legal advice, but I have to repeat that the purpose of the content creation features on H5P.org is to try out H5P, not to use it professionally.