Privacy statement: Library and information services

Data controller

Diaconia University of Applied Sciences Ltd
PO Box 12, 00511

Contact person for matters related to data protection

Liisa Leppänen, tietosuojavastaava
Kyläsaarenkuja 2, 00580 Helsinki

Name of privacy statement

Register relating to the library and information services of Diaconia University of Applied Sciences

Purpose of the processing of personal data

The library and information service uses the data stored in the system for customer relationship management purposes.

The data controller processes the data independently and uses subcontractors to process personal data on behalf of and for the controller.

Legal basis of processing of personal data

According to Article 6 of the General Data Protection Regulation, data processing is lawful only if, and only to the extent that, at least one of the following conditions is met:

a) The data subject has given their consent
b) The processing is necessary for implementing an agreement to which the data subject is a party
c) The data processing is necessary for compliance with the statutory obligations of the data controller
d) The data processing is necessary for safeguarding the vital interests of the data subject or some other natural person
e) The data processing is necessary for performance of some duty in the public interest, or the processing is necessary for the data controller ‘s exercise of their public power
f) The processing is necessary for fulfilment of the legitimate interests of the data controller or of a third party

The conditions to be met are a, c, e and f.

The aforementioned legitimate interest of the controller is based on the meaningful and appropriate relationship between the data subject and the data controller arising from the use of the library services by the data subject, and for data processing for purposes that could be reasonably expected by the data subject at the time of and during the collection of personal data.

Data content of the register, personal data groups to be processed and storage periods for personal data

Personal data groups are basic information about the person and the customer relationship.

Personal data to be processed: Name, Address, Telephone, Email address, Personal ID number.

Other data to be processed relating to the customer relationship:

  • Library card number
  • Tuudo information
  • PIN code
  • Customer group and statistical group
  • Reservation ID
  • Information on payments and measures related to non-returnable material
  • Exceptional loan period
  • Dates for updating customer information
  • The customer’s current loans and reservations
  • Loan and reservation history
    • Change log

Periods for which data is stored:

Personal data collected in the register will be stored only for the length of time and to the extent that is necessary for fulfilling the purpose for which the personal data is processed by personal data group. In addition, personal data will be stored in accordance with applicable legislation on storage periods.

Customer information is removed from the register every year as needed. Customer data are held for a maximum period of two (2) years after the date of the last loan transaction.

The controller regularly assesses the need for data storage in accordance with the controller’s internal code of conduct.

Whether sensitive information (race/ethnicity, origin, political opinion, religious or philosophical belief, membership of a trade union, health-related information, sexual orientation or behaviour) is processed. Article 9: No

Information systems used and system-specific privacy statements

  • KOHA library system and customer register
  • MyDiak study management system (privacy statement of student services)
  • Webropol forms
  • Finna data search portal
  • Financial administration services
  • Tuudo application

Regular sources of information

  • Personal data is primarily collected from the data subject themselves.
  • Register data is also collected from other publicly available sources (for example, public address registers and telephone directories).
  • In addition, other registers of the data controller (e.g. the student administration register) can be used as data sources for the register.
  • The data controller also collects personal data that is generated during the customer relationship.

Regular data disclosure

Personal data contained in the registry will be disclosed to partners of the controller with which the data controller has a contractual relationship, or to other similar entities that have a relevant relationship with the data controller, such as:

  • Debt collection company used by Diaconia University of Applied Sciences (Intrum Justitia Oy)
  • E-forms (Equix Oy, Webropol Oy)
  • Tuudo Oy
  • Data is transferred to the joint statistics of scientific libraries; the statistics do not contain personal data.

Information is disclosed in accordance with the Diaconia University of Applied Sciences’ data security guidelines.

Transfer of information outside the EU or the European Economic Area

The data is not transferred outside the EU or the European Economic Area.

Principles of protecting registers

Access to databases and systems, and to the use of the registry, will be limited to those employees of the data controller or its sub-contractors that have the right to process the information contained in the registry for their work. Each user of the registry has a personal username and password for the systems.

A) Manual material

Is there manual data? Yes.

If yes, how is the material stored and protected? Manual materials containing personal data are destroyed immediately when the data has been entered in the register in accordance with the archive creation plan of the Diaconia University of Applied Sciences.

B) Digitally processed data

Is there data in electronic form? Yes.

If yes, how is the material stored and protected?

  • The data will be stored in accordance with Diaconia University of Applied Sciences’ archive creation plan (AMS).
  • The server containing personal data is kept in locked facilities on the premises of the IT Center for Science Ltd, where it is accessible only to designated and authorised personnel. The server is protected by an appropriate firewall and other technical protection.

Rights and responsibilities of data subjects

The data subject has the right to request access to personal data concerning him or her, the right to request correction or erasure of such data and the right to request restriction of the processing of it, the right to oppose processing or it, and the right to transfer from one controller to another.

The data subject has the right to withdraw their consent at any time without this affecting the lawfulness of the processing carried out prior to this withdrawal, if the processing of personal data is based on the consent of the data subject.

Upon request, the data subject may use the Diaconia University of Applied Sciences’ own model form.

The data subject has the right to file a complaint with the Office of the Data Protection Ombudsman.

Profiling is not carried out on the basis of personal data contained in the register.

If personal data is processed for direct marketing purposes, the data subject has the right at any time to oppose the processing of their personal data for such marketing, including profiling when it is related to such direct marketing.

The data protection officer is the contact person in matters relating to the rights and obligations of the data subjects. The contact details of the data protection officer are given at the beginning of the privacy statement.