Date 23.7.2019

Privacy notice

This privacy notice explains how the Aalto University library resource services process personal data.

1. Why and on what basis does Aalto University resource services process personal data?

Library resource services processes personal data in order to be able to manage purchase requests and orders, deliver the requested resources to customers, and notify those who have placed a purchase request that the requested item has been purchased. In addition, personal data are processed in order to handle requests and arrangements related to teaching given on using library resources.

The legal basis for processing personal data is the performance of a task carried out for reasons of public interest.

2. What personal data does Aalto University resource services collect?

We collect the names and email addresses of all our customers.

Depending on the service type and customer group, we also collect the customer’s telephone number, customer group details for statistical purposes, student number, library card number, area of responsibility/cost pool code/project number/unit and address.

Depending on the service type, we also store details on the resource requested or to be ordered, details concerning the delivery of the resource, details of the interlibrary loan items held by customers and details on the teaching given on library resource use.

The data are obtained from the following sources:

3. Recipients of the personal data

Customer data are processed mainly by the members of the library resource services team. In addition, personal data may be disclosed to the following parties:

I) Aalto University parties

The contact details and customer group details of the customer may be updated to the customer database of the Aalto University Learning Centre. The customer’s personal data and order data may be disclosed for billing purposes to the Aalto University billing system as needed. The customer’s personal data may be entered into the Aalto University online learning environment as necessary

II) Parties processing your personal data on our behalf

The customer’s personal data and order data may be disclosed for debt collection purposes to the debt collection agency used by Aalto University as needed.

4. Transfer of personal data to third countries

The data protection policy of the university is to exercise particular care if transferring personal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR, utilising, for instance, standard agreement clauses and following other data protection measures in accordance with the GDPR.

5. How does Aalto University protect personal data?

Protecting personal data is important to Aalto University. Aalto University has implemented appropriate technical, organisational and administrative measures to ensure data security and to protect all personal data against loss, abuse, unauthorised use, disclosure, alteration or destruction.

6. What is the storage period of the personal data?

Personal data are stored for as long as is necessary in relation to the purposes for which it was collected and processed or for as long as is required by law or regulation. Details on the resources and related teaching ordered are retained until the orders and their billing have been handled appropriately and the collection period for annual statistics is over. Details on the purchase requests are retained for a max-imum of 3 years, after which the personal data of the customer will be erased from them.

7. Updates to the privacy notice

When the service contents change, the privacy notice may be updated. You can find the most recent version at https://web.lib.aalto.fi/c/web/img/lc_docs/tietosuoja/Tietosuojailmoitus_kirjastoaineistopalvelut_eng.html, and on the website of each service.

8. Rights of the data subject

The customer has rights over the personal data in Aalto’s possession. The extent of the rights depends on the legal basis of processing personal data and the current data protection legislation.

A) Right of access

The customer has the right to acquaint himself/herself with his or her personal data that is in the possession of Aalto University.

B) Right to rectification

The customer has the right to rectify inaccurate or incomplete data.

C) Right to erasure

The customer has the right to request erasure of their personal data in the following cases:

D) Right to restriction of processing

If the customer contests the accuracy of the personal data or the lawfulness of the processing, or has exercised his or her right to object to the processing, the customer may request that Aalto University restrict the processing of the personal data to storage only. The processing of the data is then confined to its storage only until, for example, the accuracy of the data is verified.

If the customer does not have the right to request erasure of the data, the customer may request instead that Aalto University limit its processing to storage only.

E) Right to object to the processing of data on the basis of our legitimate interest

The customer always has the right to object to the processing of his or her personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.

F) Right to data portability

The customer has a right to receive in a machine-readable format the personal data concerning him or her that he or she has provided us with. This applies to personal data processed only by automated means when the processing is based on consent or necessary for the performance of a contract.

If you wish to exercise your above-mentioned rights, your request will be evaluated according to the situation as requests are evaluated on a case-by-case basis. Please be aware that we may also store and use your personal data when necessary for compliance with legal obligations, dispute resolution or the performance of contracts.

9. Exercise of customer rights

The controller is Aalto University.
The contact person in questions related to library resource services is Mari Aaltonen.
Email: e-resources@aalto.fi

Customers who have questions regarding this privacy notice, or questions or requests regarding the processing of personal data, may contact the Aalto University data protection officer.
Data protection officer: Jari Söderström
Tel. (exchange): 09 47001
Email: dpo@aalto.fi

Customers who consider the processing of their personal data to be an infringement of data protection legislation have the right to lodge a complaint with the data protection ombudsman (https://tietosuoja.fi/en/home), which is the supervisory authority.