Home Privacy policy Privacy notice: Processing of customer data of Häme University of Applied Sciences Library

Privacy notice: Processing of customer data of Häme University of Applied Sciences Library

Privacy notice: Processing of customer data of Häme University of Applied Sciences Library: joint informative document for data subjects (Articles 13 and 14 of the General Data Protection Regulation [2016/679]).

Purposes of processing personal data

The purpose of the register is managing customer relations. The register is used for:

monitoring borrowing activities and borrowing rights
statistical purposes which do not include individual-level data
sending customer notifications
recovering unreturned material
interlibrary loan services.

Legal basis for processing

The processing of personal data is based on the execution of a contract / an agreement.

Personal data content and retention periods of the register

Data category name	Retention period
Customer name	Customer validity period
Customer’s e-mail address	Customer validity period
Customer’s personal identity code	Customer validity period
Customer’s library card number	Customer validity period
Customer’s PIN code	Customer validity period
Customer’s contact details (postal address, phone number)	Customer validity period
Customer’s active loans	For the loan period. The loan data will be removed: – when the loan is returned – after lost material has been compensated.
Customer’s active reservations	Validity period of the reservation. The reservation data will be removed: – when the reservation is picked up – when the reservation is cancelled – when the validity period of the reservation expires.
Customer’s pending charges	The data will be removed when the customer has paid the pending charges.
The most recent contact and update date	The data will be removed when the customership terminates and the customer data related to it is deleted.
The name and e-mail address of customers who have made interlibrary loan requests	2 years. Until the end of the following academic year

The library will remove any customer data relating to customers who have not borrowed any material for more than seven (7) years and who have no pending payments to the library.

Data subjects

The register contains the following:

HAMK students who are customers of the library or who have given their permission to transfer their data from the student register to the customer register of the library
HAMK and HAMI personnel who are customers of the library
external customers of the library.

Regular sources of data

data provided by the customer him/herself
the student register of Häme University of Applied Sciences
data stored in the database in connection with borrowing activities

Basic data concerning new students are transferred with students’ consent from the HAMK student register to the HAMK Library register.

Before becoming a customer, the library personnel will verify the customer’s identity with a ID card (including a photograph). The customer is responsible for notifying of any changes.

If a customer cannot be reached using the contact details contained in the customer register, the personnel may, where necessary, check the customer’s contact details from the student register, the Population Register Centre or from another address or telephone service.

Regular disclosures of data

In connection with invoicing, the necessary data will be disclosed to the financial administration department of Häme University of Applied Sciences.

Statistical information is collected for libraries’ joint statistics from the register. Häme University of Applied Sciences Library performs the recording in the joint statistics. The statistics do not include individual-level data.

Principles of data protection of the register

A Manual material

The customer information form will be immediately destroyed when the data has been recorded in the register. No confidential information is disclosed to third parties.

B Data processed through automated data processing

Data is stored in an information system or network drive. Users have personal user IDs. Access is granted only to those designated persons of the data controller with a password who are entitled to access and use the data in the system in order to perform their duties. Only admins who have personal user IDs can access the server environment.

The lawful processing of personal data is ensured by categorisation of data and with operating methods that are in compliance with the data handling rules concerning data set.

Standardised methods are used in technical data protection.

Automated decision-making

No automated decision-making is performed on the recorded data.

Transfer of data outside the EU or EEA

No data is transferred outside the EU or EEA.

Rights of the data subject

The EU General Data Protection Regulation (2016/679) provides the data subject with the following rights:

The data subject shall have the right to withdraw his or her consent at any time. (Article 7)

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The data subject shall have the right to access to the personal data concerning him or her. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may charge a fee or refuse to act on the request. (Article 12 and Article 15)

The data subject shall have the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her contained in the register (Article 16). A request for rectification shall be submitted in writing. Persons in an employment relationship (with HAMK or HAMI) are able to do rectification suggestions concerning their recorded working hours, which are then approved by their supervisor or salary administration personnel.

The data subject shall have the right to request the erasure of personal data concerning him or her where one of the following grounds applies (Article 17):

the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
the data subject objects to the processing, and there are no overriding legitimate grounds for the processing (Article 21);
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

The data subject shall have the right to obtain restriction of processing where one of the following applies (Article 18):

the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where the processing is based on consent and carried out by automated means, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a machine-readable format. (Article 20)

Requests to exercise these rights are to be submitted:

Häme University of Applied Sciences Ltd
Data protection officer
P.O. Box 230 (Visamäentie 35A)
FI-13101 Hämeenlinna, Finland

email: tietosuojavastaava@hamk.fi. You can also send the message via secured e-mail https://www.securedmail.eu/ .

The data subject shall have the right to lodge a complaint with the Office of the Data Protection Ombudsman.