Data Protection Statement for Library Customer Data

Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drawn up on 2019-02-21

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

Library Director Tommi Harju
E-mail address: firstname.lastname@uniarts.fi, telephone: +358 40 701 4243

3. Contact persons for handling personal data

Senior Advisor Erkki Huttunen
E-mail address: firstname.lastname@uniarts.fi, telephone: +358 50 514 7818

Online Service Designer Erkki Nurmi
E-mail address: firstname.lastname@uniarts.fi, telephone: +358 40 710 4222

4. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address: privacy@uniarts.fi

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Name of register

Library customer register

The Library of the University of the Arts Helsinki is a central support service for the teaching, research, and artistic activities of the University. Apart from students and staff members, the Library also caters for outside users who may register as Library customers. The Library customers can i.e. borrow books and reserve materials.  The Library also tracks down overdue loans and collects overdue fees. The Library additionally provides a possibility to use third-party service providers’ e-materials within the framework of the licences acquired by the Library. Use of e-materials is available for everybody in the Library’s premises and for University students and staff members also elsewhere. For these reasons, the Library has its own customer register. Customer data are also used for establishing statistics. 

Processing personal data is based on a contractual relationship with Library customers, on the legitimate interest of the University, and on public interest as regards statistics for instance.

7. What data do we process?

In conjunction with the customer register, we process the following personal data of a data subject: 

  • basic information about the data subject: name*, date of birth*, social security number*, customer number and/or any other person-specific ID, and password;
  • the data subject’s contact information:e-mail address, telephone number, and address information*;
  • information about the account and agreement: information about past and current loans, payments, requests, and agreements, and correspondence;
  • statistical data: relationship with the University* and number of loans and requests
  • basic and contact information about a data subject under the age of 15: name*, e-mail address, telephone number, and address information

Providing the personal data marked with an asterisk is a prerequisite for establishing our contractual and/or customer relationship. Without the necessary personal data, we are unable to provide services. 

The processing of social security numbers is based on the need for reliable customer identification as regards the loaning activities of the Library as well as claiming and collecting unreturned materials.

8. Where do we get information?

We primarily obtain information from the data subjects themselves and, where students and staff members of the University of the Arts Helsinki are concerned, from the user and access management register of the University. If needed, data can also be updated from the Population Information System.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

In case a user logs in the Finna search service maintained by the National Library via the Haka login, a user ID, a name, and an e-mail address are entered in the Finna service.

If a user logs in the Finna search service with the IDs on his or her Arsca library card or connects his or her Arsca library card with a user account he or she has previously created in Finna, the library card’s ID, PIN code, and the user’s first and last name, e-mail address, and home library are entered in the Finna service.

In case a customer uses the universal borrowing system of the National Repository Library via the Arsca database or the Finna search service, basic information about him or her and his or her contact information are temporarily copied also in the customer register of the National Repository Library. The National Repository Library keeps the customer’s data on file for as long as the customer has current loans from or requests to the National Repository Library.

In processing personal data, we use subcontractors working for us. We have outsourced IT administration to third-party service providers administering and protecting the server on which personal data are saved. We also have outsourced financial services and debt collection activities. We have taken steps with our subcontractors to ensure your data protection by concluding data-processing agreements for the processing of personal data.

We do not transfer personal data beyond the EU or outside the EEA.

10. How do we protect data and how long will we keep them?

Only those of our employees who are authorized to process customer information in their line of work are entitled to use the system containing personal data. Each user has a personal user ID and a password into the system. The data are gathered in databases protected with firewalls, passwords, and other technical means. The databases and their backup copies are situated in locked spaces, and the data can only be accessed by certain pre-named persons.

We keep personal data for as long as is necessary for the intended use of personal data. Customer data are valid for a period of three years at a time, after which the customer must update his or her data. If the data are not updated, they will expire and use of the service is prohibited. Customers whose customer data has last been updated at least three years ago are deleted from the customer register.  

We regularly evaluate the need to preserve data in keeping with the applicable legislation. In addition, we will take such reasonable steps as are necessary to ensure that no personal information on data subjects that is incompatible with the purposes of data processing, outdated, or erroneous is kept in the register. We will rectify or erase such information without delay.

11. What are your rights as a data subject?

Data subjects are entitled to check the data concerning them and stored in the personal data register and require erroneous, outdated, unnecessary, or unlawful data to be rectified or erased. In case a data subject has personal access to their data, they can modify their data himself or herself. In case processing is based on a consent, a data subject also has the right to withdraw his or her consent or to alter it.

As of May 25, 2018, data subjects have, according to the Data Protection Regulation, the right to object to processing or to request restriction of processing of data as well as to lodge a complaint with a supervisory authority on processing personal data.

For specific reasons of personal nature, data subjects also have the right to object to processing activities concerning them when processing data is based on our legitimate interest. In conjunction with the request, the data subject shall specify the particular situation on the basis of which he or she objects to processing. We may refuse to execute an objection-related request only on the basis of grounds stated in law.

Should the data subject not be satisfied with the way the University has processed his or her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman whose contact information is available in the web address http://www.tietosuoja.fi/en/) to look into the matter.

12. With whom can you get in touch?

All questions on the processing of personal data as described in this data protection statement are to be asked by getting in touch with the contact person named in Point three who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights as mentioned in Point 11 are not respected, you may get directly in touch with the University Data Protection Officer named in Point four.