Data Protection Statement for Library Customer Data
Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drawn up on 2019-02-21
1. Entity and person in charge of processing personal data
Library Director Tommi Harju
E-mail address: firstname.lastname@example.org, telephone: +358 40 701 4243
2. Contact persons for handling personal data
Senior Advisor Erkki Huttunen
E-mail address: email@example.com, telephone: +358 50 514 7818
Online Service Designer Erkki Nurmi
E-mail address: firstname.lastname@example.org, telephone: +358 40 710 4222
3. Name of register
Library customer register
4. What are the purpose and the legal basis for processing personal data?
The Library of the University of the Arts Helsinki is a central support service for the teaching, research, and artistic activities of the University. Apart from students and staff members, the Library also caters for outside users who may register as Library customers. The Library customers can i.e. borrow books and reserve materials. The Library also tracks down overdue loans and collects overdue fees. The Library additionally provides a possibility to use third-party service providers’ e-materials within the framework of the licences acquired by the Library. Use of e-materials is available for everybody in the Library’s premises and for University students and staff members also elsewhere. For these reasons, the Library has its own customer register. Customer data are also used for establishing statistics.
Processing personal data is based on a contractual relationship with Library customers, on the legitimate interest of the University, and on public interest as regards statistics for instance.
5. What data do we process?
In conjunction with the customer register, we process the following personal data of a data subject:
- basic information about the data subject: name*, date of birth*, social security number*, customer number and/or any other person-specific ID, and password;
- the data subject’s contact information:e-mail address, telephone number, and address information*;
- information about the account and agreement: information about past and current loans, payments, requests, and agreements, and correspondence;
- statistical data: relationship with the University* and number of loans and requests
- basic and contact information about a data subject under the age of 15: name*, e-mail address, telephone number, and address information
Providing the personal data marked with an asterisk is a prerequisite for establishing our contractual and/or customer relationship. Without the necessary personal data, we are unable to provide services.
The processing of social security numbers is based on the need for reliable customer identification as regards the loaning activities of the Library as well as claiming and collecting unreturned materials.
6. Where do we get information?
We primarily obtain information from the data subjects themselves and, where students and staff members of the University of the Arts Helsinki are concerned, from the user and access management register of the University. If needed, data can also be updated from the Population Information System.
7. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?
In case a user logs in the Finna search service maintained by the National Library via the Haka login, a user ID, a name, and an e-mail address are entered in the Finna service.
If a user logs in the Finna search service with the IDs on his or her Arsca library card or connects his or her Arsca library card with a user account he or she has previously created in Finna, the library card’s ID, PIN code, and the user’s first and last name, e-mail address, and home library are entered in the Finna service.
In case a customer uses the universal borrowing system of the National Repository Library via the Arsca database or the Finna search service, basic information about him or her and his or her contact information are temporarily copied also in the customer register of the National Repository Library. The National Repository Library keeps the customer’s data on file for as long as the customer has current loans from or requests to the National Repository Library.
In processing personal data, we use subcontractors working for us. We have outsourced IT administration to third-party service providers administering and protecting the server on which personal data are saved. We also have outsourced financial services and debt collection activities. We have taken steps with our subcontractors to ensure your data protection by concluding data-processing agreements for the processing of personal data.
We do not transfer personal data beyond the EU or outside the EEA.
8. How long will we keep data?
We keep personal data for as long as is necessary for the intended use of personal data. Customer data are valid for a period of three years at a time, after which the customer must update his or her data. If the data are not updated, they will expire and use of the service is prohibited. Customers whose customer data has last been updated at least three years ago are deleted from the customer register.
We regularly evaluate the need to preserve data in keeping with the applicable legislation. In addition, we will take such reasonable steps as are necessary to ensure that no personal information on data subjects that is incompatible with the purposes of data processing, outdated, or erroneous is kept in the register. We will rectify or erase such information without delay.
9. With whom can you get in touch?
All questions on the processing of personal data as described in this data protection statement are to be asked by getting in touch with the contact person named in Point two who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights are not respected, you may get directly in touch with the Uniarts Data Protection Officer.