Privacy Policy: Library customer register

Updated 21 May 2018

Controller Geological Survey of Finland
P.O. Box 96, FI-02151 Espoo, Finland
Tel. +358 29 503 0000, gtk@gtk.fi
Contact person for register matters Merja Mehtälä
Contact details of the data protection officer tietosuojavastaava@gtk.fi
Register name Library customer register
Purpose of and legal grounds for processing personal data Data subjects are customers of libraries. Libraries use the register for monitoring borrowed material, collecting debts, compiling statistics and communication purposes. The register is part of the library system. Statistical data does not include any personal data. The customer register is a necessary tool for libraries for monitoring borrowed material, collecting debts, compiling statistics and communication purposes. Some registered data is available online to customers at gtk.verkkokirjasto.fi.

An explicit intent to borrow material, i.e. the consent of data subjects, provides the legal grounds for processing (article 6.1a of the GDPR).

Data content of the register and groups of personal data The customer register is part of the library system. It includes the name, customer identifier, encrypted PIN code, address, telephone number, email address, date of birth, customer group (GTK personnel, other, libraries) of data subjects. Data collected for statistical purposes: Gender (not mandatory), native language. Data collected for sending customer messages: Language (Finnish, Swedish, English) and sending method (post, email). Transaction data for monitoring borrowed material, data about currently borrowed and reserved material. The data is confidential, and the register is not linked to any other personal data registers. The borrowing history is saved, if the customer so desires. Some registered data is available online to customers at gtk.verkkokirjasto.fi. Data subjects need a customer identifier and personal PIN code to view their data.
Storage period for personal data or, if this is not possible, criteria for defining the storage period Personal data is erased if the customer has no unreturned material or payments, and the customer has not borrowed any library material during the past three years. The customer can enter into a new customer relationship. Data is checked every year.
Regular sources of data Personal data is collected from personal notifications of data subjects. At the same time, they need to prove their identity by using an official photo ID, such as a passport or driving licence. If required, the library obtains contact information from other generally available sources (e.g. public address registers and telephone directories). New library customers must sign the library’s rules (date, name and clarification of signature). The rules require that customers must prove their identity and provide their contact information.
Recipients of personal data or groups of recipients Library staff. The library notifies the provider of the system and operating service (Axiell Finland Oy) of the IP addresses of its staff. In addition, each user of the register has a personal username and password for the system. All actions taken by each user are recorded in log files. The library staff are bound by a secrecy obligation.
Information about the transfer of data to third countries and protection used (including information about the existence or nonexistence of the Commission’s decision on the sufficiency of data protection), and opportunities to obtain a copy or information about content. No data is transferred.
Principles of register protection (manual material and electronic processing) Manual material: Library rules that data subjects must sign. The signature, together with the date and clarification of signature (no other personal data), is stored in a locked locker in the library facilities.

Electronic processing: According to the agreement signed with the provider of the operating service for the library system, the supplier sees to the technical protection of data. The use of the system requires a username and password. User rights are cancelled when a person is no longer in the service of the library. The staff are bound by a secrecy obligation.

The customer register is protected against any unauthorised use. Under section 24(1) of the Act on the Openness of Government Activities, the register contains confidential customer data, such as material reserved and borrowed by customers (section 32). Some personal data about data subjects is available online at gtk.verkkokirjasto.fi. To view and process data, customers need a customer identifier and personal PIN code. The aforementioned data is SSL protected.

Rights of data subjects

  • Right to access personal data
  • Right to have data rectified
  • Right to have data erased
Data subjects have the right to view their data in the GTK library (Espoo or Kuopio) and request it to be rectified after they have proven their identity. Data subjects can view and update their data through the online library. Furthermore, data subjects have the right to request their data to be erased if they withdraw their consent to processing their personal data. Data subjects can, at any time, refuse the use of their data for direct marketing purposes.
If processing is based on consent (article 6.1a) or explicit consent (article 9.2a), information about the right to withdraw consent at any time If a data subject has no unfinished obligations, they can request their data to be erased from the register by visiting the GTK library and proving their identity.
Right to file a complaint with the supervisory authority Data subjects have the right to file a complaint with the supervisory authority of the member state in which their permanent place of residence or business is or in which the suspected breach of the GDPR has taken place.

If the data controller refuses the right of data subjects to access personal data or have the data rectified, data subjects have the right to file a complaint with the Finnish Data Protection Ombudsman.

Is the provision of personal data a statutory or contractual requirement or a requirement needed to enter into an agreement? Do data subjects need to provide personal data? What are the consequences of any nonprovision of personal data? Personal data must be provided in order to obtain the right to borrow material.
Information about the existence of automated decision-making, including profiling, and significant information about the processing-related logic, at least in these cases, and the significance of specific processing and any consequences for data subjects No automated decision-making or profiling is used.