Processing of personal data: The order register of the Borrow a Librarian service

The system enables the clients of Espoo City Library to place orders for private IT and other guidance appointments by email. The system is also used for forwarding the orders to the libraries in question.

Date of publication: 30 September 2020

1. Data controller

City of Espoo

2. Person responsible for the register

Oili Sivula, Library Services Manager, PB 36, 02070 City of Espoo, tel. 046 877 2096

3. Contact person of the register

Reetta Voutilainen, Customer Service Manager, PB 36, 02070 City of Espoo, tel. 043 827 0986

4. Data Protection Officer

5. For what purpose will personal data be processed?

The system enables the clients of Espoo City Library to place orders for private IT and other guidance appointments by email. The system is also used for forwarding the orders to the libraries in question. The orders do not form a permanent client register. Instead, the information associated with each order is deleted from the register after an appointment has been scheduled between the client and a suitable guide, or within three months of this date at the latest.

Personal data will not be used for statistical purposes or for analysing the responses. Espoo City Library may compile statistics of the guidance appointments it provides without including any personal data.

6. On what grounds will personal data be processed?

Article 6, paragraph 1, point c of the EU’s General Data Protection Regulation: processing is necessary for compliance with a legal obligation to which the controller is subject, i.e. for the purpose of organising library services in accordance with section 6 of the Public Libraries Act.


The data contained in the register is partly confidential.


The data is confidential in accordance with section 24 of the Act on the Openness of Government Activities.

7. What data will be processed?

The web form requires the client’s name and telephone number to enable the library to contact them. The client may voluntarily enter their email address to facilitate communication. When it comes to the guidance appointment that the client requests, the client must specify a library where the appointment should take place, its time and a more detailed description of their need for guidance, part of which can be written freely.

8. What are the sources of data?

Personal data is collected from clients themselves. The client’s name, telephone number and the requested library are the only mandatory fields in the web form.

9. Will data be disclosed or transferred outside the city?

The client requests a library as the location of their guidance appointment. Based on this information, the client’s order is automatically forwarded to the email address of the library in question. The orders are usually sent to the official email address of the library and the personal email address of the person in charge of guidance appointments in that library. The technical service behind the web form is provided by Webropol Oy. The technical service behind the email service is provided by Microsoft.

10. Will data be transferred outside the EU/EEA?

The technical service provider of the web form, Webropol Oy, will not transfer data contained within the system outside the EU or the EEA. The email messages handled by the email service provided by Microsoft are stored within the EU. Microsoft operates and develops Office 365 from locations outside Europe, and data is considered to be transferred outside the EU for example in a situation where an administrator establishes a remote connection from the United States to a data centre in Europe, for example to solve a technical problem. In such circumstances, standard contractual clauses of the European Union.

Basis for transfer:

The terms of Microsoft Online services, including standard contractual clauses approved by the European Commission (Attachment 3), are available on Microsoft’s website.

11. How long will data be stored?

Personal data does not need to be stored after the requested guidance session has been scheduled between the guide and the client. In practice, old orders accumulated in the register are deleted every three months at the latest.

12. How will data be protected?

Data processing is regulated by the General Data Protection Regulation (e.g. the principles of purpose limitation, necessity and accuracy). Personal data is processed in a manner that ensures appropriate security of the personal data, including protection (Article 5(1)(f) of the General Data Protection Regulation). Personal data is protected against unauthorised access and unlawful processing, such as loss, alteration or disclosure. Each employee can only process the data they need to conduct their work. Each employee who processes data is under an obligation of secrecy and confidentiality, which remains in force even after the employee’s employment relationship has ended.

A. ELECTRONIC MAINTENANCE SYSTEMS: The library grants user rights to the administrators of the web form on a task-specific basis, and the administrators must sign an end user license agreement and a non-disclosure agreement.

B. MANUAL MATERIALS: In practice, no manual materials exist. Potential printouts will not be stored.

13. Rights of the data subject

Further instructions on submitting information requests referred to in the General Data Protection Regulation: Data protection/Client rights

13.1 How can I access my data?

You have the right to obtain from the controller a copy of the personal data that is subject to processing. The controller shall provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

13.2 When can I request rectification of my data?

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

13.3 When can I request erasure of my data?

You have the right to have the controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In these cases, the data will only be erased after the statutory time limit.

13.4 When can I request restriction of processing of my data?

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

13.5 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman.