Data Protection Statement

Data file controller National Library of Finland
PO Box (Unioninkatu 36)
00014 University of Helsinki
Phone: +358 2941 23196
Data file contact person Inkeri Hakulinen
Phone: +358 2941 44627
Name of data file
Purpose and justification for handling personal data
The National Library of Finland uses the client register to monitor library loans (including debt collection and communication relating to loan monitoring) as well as statistics. Loan monitoring also comprises handling cases of error. The handling of personal data is based on an agreement between the customer and the library (loans) or customer consent (customer releases the information or indicates that they consent to information being transferred from the student register). The data is handled by customer service staff of the libraries as well as the system administrators.
Content of the data file  Types of customer data in the data file:
- Name
- Personal identity code
- Home address
- Email address
- Phone number (a phone number is not required)
- User identifier
- PIN code
- Service language
- Customer group (eg. student, staff, international guest, external)
- Statistical group (eg. faculty)
- Notes if necessary, e.g., agreed-upon replacement books, special services granted
- Transaction data, e.g., loans and fees

Types of customer service staff data in the data file:
- Name - Email address
- Expiration date of employment contract (if fixed-term)
- Username and password

6. Regular sources of data
New customers:
- directly from customer
- When registering at the University, new students may consent to their personal data being transferred from the student register of the University of Helsinki to the National Library’s library system. The personal data is activated when the customer concludes an agreement on the customer relationship with the Library (National Library card).
Updating existing customer data:
If the customer has outstanding obligations (loans which have not been returned or unpaid fees), erroneous contact details can be updated from University systems, data provided by a debt collection agency or data from the Population Register Centre. (Grounds: agreement between the Library and the customer). Erroneous data can be removed from the data file.
Library staff:
- the supervisor or contact person can request an administrator to create a new username (Justification: legitimate interest, as the carrying out of work duties requires the handling of data).

Handling and protecting personal data
The data file contains no sensitive data.
Duration of personal data storage and removal of unnecessary personal data
Once a year, the data of any customers without outstanding obligations or loans or reservations for three years are removed from the system. Staff usernames are deactivated at the end of employment, but personal data will be retained in the system for three years.
Automated processing of personal data and profiling
Regular disclosure of information
Data are not disclosed outside systems required to provide library services. The website of the library system uses the Finna service: for the data protection statement of Finna, see Register Details. Information on unreturned loans and unpaid fees as well as related customer data may be transferred to a debt collection agency. Data is disclosed to Finnish officials according to existing legislation.
Disclosure of data outside the EU or EEA
Principles of data file protection
Customer service staff have been trained to handle data in accordance with legislation. Usernames are deactivated when the employee’s employment ends. The Library’s technical administrators and the CSC have access to all data directly through the database.
Right to data inspection
Customers can review their data at the National Library’s customer service desk. Requests to review must be submitted in writing to the contact person mentioned above.
Right to request correction or removal of data
The National Library’s customer service can be notified of any erroneous data, and they will be immediately amended. If the customer has no outstanding obligations, the customer data can be removed within approximately one week of receiving the request to remove data.
Other rights regarding the handling of personal data