Processing Personal Data | National Library of Estonia

Processing Personal Data

Contact details of the data protection specialist at the National Library of Estonia:  

E-mail: andmekaitse@nlib.ee 

Telephone: (from abroad add +372) 630 7131 

Postal address: Data Protection Officer, National Library of Estonia, Tõnismägi 2, 15189 Tallinn, Estonia

1. Personal data and legislation governing their processing

1.1. Personal data are any data that enables to identify a natural person. Processing of personal data at the National Library of Estonia (hereinafter National Library) is any act performed with personal data, except for the operations carried out with the data of legal persons and the processing of personal data on the web pages that have been cited on the library’s web pages (external links). 

1.2. Special categories of personal data include personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning heath, and data concerning a natural person’s sex life or sexual orientation. 

1.3. The National Library processes personal data to the extent necessary for the achievement of purposes of processing personal data in compliance with the Personal Data Protection Act of the Republic of Estonia and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 

2. Processing the personal data of registered users

2.1. The Rules for Users of the National Library regulate the registration of its users.  

2.2. The National Library receives the personal data of its user personally from the user, dependent on the used service, and from the Population Register in the case of contractual penalty or other legal claim. Dependent on the service and the choices of the user of the service, the National Library may process, inter alia, the following data: 

2.2.1. the data for identifying the person, including the person’s name, personal identification code or the date of birth, user identifier or the number of library card, username of the social media account, the number of ID card, and password; 

2.2.2. contact details, including e-mail address, telephone number, and postal address; 

2.2.3. the data on the accounts generated in electronic databases and the data that are recorded while logging in to the accounts and using the functions therein, including the records saved and searches performed by the user, and other similar data; 

2.2.4. if the user of the service is a minor, the data about his or her parent or guardian, including the data for identifying the parent or the guardian and his or her contact details; 

2.2.5. the data on the area of activity and hobby of the user of the service (if he or she wants to disclose them); 

2.2.6. employment data or the data related to the academic studies of the researcher who applies for accessing the personal archives maintained by the National Library, including the name of the educational or employing institution, and the research theme and the academic degree of the researcher. 

2.2.7. the data on communication, including data on requests, feedback, and the contents of complaints that have been delivered by e-mail or letter, on social media, or over the telephone; 

2.2.8. the data on the use of the services and user satisfaction, including the data on used services and the activity of using services, and also the net promoter scores and the answers to other feedback questionnaires, if the user of the service has decided to deliver such information to the National Library; 

2.2.9. the data collected to perform duties pursuant to law, including the data on contractual penalties;  

2.2.10. the data on the participation in games and campaigns, including prizes won in games or campaigns; 

2.2.11. photographic or video images that have been recorded at the public events held at the National Library and/or caught on security cameras; 

2.2.12. the data on the offences of the Rules for Users of the National Library; 

2.2.13. special categories of personal data: the data on the categories and duration of disabilities for using the services available for disabled persons, for instance, entering the National Library’s building with a guide dog. 

2.3. The National Library may process the personal data of its registered users, inter alia, for the following purposes and on the following legal bases: 

2.3.1. in order to manage user accounts to create a user record in the database of users, to enable to log in to different databases and IT systems, and to provide all the services that the user has requested from the National Library – the processing shall be carried out to perform a duty of public interest, to perform a concluded contract, or to prepare a contract; 

2.3.2. in order to provide services, send notifications and communicate with the user of the service, including for answering the requests, managing bookings, and informing of the expiration of user’s rights or the arrival of the due date – the processing shall be carried out to perform a duty of public interest, to perform a concluded contract, or to prepare a contract; 

2.3.3. in order to provide the services available for disabled persons, including entering the National Library’s building with a guide dog – the processing shall be carried out with the consent of the user of the service; 

2.3.4. in order to control access to the personal archives maintained by the National Library  

and the copying of items therein  – the processing shall be carried out to perform a duty of public interest or to perform a concluded contract; 

2.3.5. in order to administer contractual penalties, including for collecting the fines – the processing shall be carried out to perform a concluded contract or to perform the duties pursuant to law; 

2.3.6. in order to assure and improve the quality of services, and to develop and enhance the services by asking for feedback and responding to it at the request of the user of the service – the processing shall be carried out with the consent of the user of the service; 

2.3.7. in order to send the newsletter, inform of recent additions, promote the services provided and the events organised by the National Library, carry out campaigns and prize games, inform the winners of their prizes and deliver the awards to the winners – the processing shall be carried out with the consent of the user of the service; 

2.3.8. in order to settle disputes on contested complaints and decisions, and to prove, exercise and protect legal claims, including those involving the damage caused by the user of the service who is a minor – the processing shall be carried out to perform a duty of public interest, to perform a concluded contract, or to perform the duties pursuant to law; 

2.3.9. in order to enforce the internal rules of the National Library in its territory and reading area, to prevent the misuse of and protect the assets of the National Library, to ensure the security of the employees and other users of the service – the processing shall be carried out to perform the duties pursuant to law, to perform a concluded contract, or to protect the legitimate interests of the National Library; 

2.3.10. in order to perform duties arising from other legislation, e.g. at the request of law enforcement authorities, bailiffs, tax authorities, or courts. 

3. Processing the personal data of unregistered users of the service

3.1. In addition to processing the personal data of registered users (see clause 2), the National Library also processes the personal data of other unregistered users of the service: the users of free services, the users of fee-charging services, self-employed publishers, the representatives of corporate publishing houses, and the persons who have approached the National Library with an application, a request for information or explanation, or a memorandum. 

3.2. The National Library receives the personal data of the user of the service personally from the user, dependent on the used service, and from the Population Register in the case of contractual penalty or other legal claim. In addition to the personal data referred to in clause 2.2, the National Library may, dependent on the service and the choices of the user of the service, process the following data: 

3.2.1. the name of the representative of the legal person and his or her connection with the legal person; 

3.2.2. the publications issued by the self-employed publisher and the data about these publications; 

3.2.3. the data collected to perform duties pursuant to law, including the data on paying the service fee and arrears, and on the monitoring of the service provided at authorised workstations;  

3.3. In addition to the purposes and legal bases referred to in clause 2.3, the National Library processes the personal data of the users of the service, inter alia, for the following purposes and on the following legal bases: 

3.3.1. in order to manage the accounts of the representatives of publishers that enables them to log in to the Publisher’s Portal and perform the duties imposed on them by the Legal Deposit Copy Act – the processing shall be carried out to perform a duty of public interest and in the legitimate interest to enhance the user-friendliness of the service; 

3.3.2. in order to provide services, including for administering requests and communicating with the requester – the processing shall be carried out to perform a concluded contract or to prepare a contract; 

3.3.3. in order to organise and deliver training – the processing shall be carried out to perform a concluded contract or to prepare a contract; 

3.3.4. in order to manage data on paying the service fee and arrears, including for collecting the arrears – the processing shall be carried out to perform a concluded contract or to perform the duties pursuant to law. 

4. The personal data of the users of the web pages of the National Library

4.1. While using its web pages, the National Library processes the IP addresses of its users, the dates and time of visits, the addresses of these web pages from where the web pages of the National Library have been visited and what has been visited, and information on the used web browser and operating system. 

4.2. The National Library uses cookies on its web pages in order to make the use of web pages convenient to the visitor and develop its web-based services. 

4.2.1. A cookie is a text file that is stored on the computer of the person who visits the web page. 

4.2.2. The visitor of the web page can independently manage the cookie notification and storage settings in his or her web browser settings and delete cookies that have been already stored. 

4.3. The National Library may process the personal data for the following purposes and on the following legal bases: 

4.3.1. in order to personalise visits to the web pages – the processing shall be carried out to protect the legitimate interest of the National Library and with the consent of the visitor for making the web pages as user-friendly as possible; 

4.3.2. in order to collect statistics on the use of the web pages for acquiring information what is and what is not functional on the web pages of the National Library – the processing shall be carried out to protect the legitimate interest and with the consent of the visitor for making the web pages as user-friendly as possible; 

4.3.3. the National Library keeps the activity and system logs in order to solve problems that have occurred in the course of using its systems – the processing shall be carried out in the legitimate interest for enhancing the user-friendliness of the service; 

4.3.4. the National Library regularly makes backups of electronic databases, web pages and the data on their use in order the preserve data – the processing shall be carried out to perform the duties pursuant to law and to protect the legitimate interest of the National Library. 

5. Processing personal data for the purposes of librarianship and determining copyright status

5.1. Your personal data shall be processed for the purposes of librarianship and determining copyright status, if you have been treated in a publication or you have authored a publication. These data are retrieved from the publications, publishers, and public sources, including the Succession Register or the Population Register. The National Library may process, inter alia, the following personal data: 

5.1.1. the data for identifying the person, including the person’s name, pseudonym (if the person or his or her successor have previously disclosed it or have given the National Library written consent for disclosing it), dates of life, title, clerical status or noble rank, patronymic in the case of Russian names, the personal identification code of the copyright holder; 

code or the date of birth, user identifier or the number of library card, username of the social media account, the number of ID card, and password; 

5.1.2. contact details, including e-mail address, telephone number, and postal address of the copyright holder; 

5.1.3. connections to Estonia; 

5.1.4. publications issued by the author; 

5.1.5. in the case of determining copyright status, the information about the transfer of copyright by succession; 

5.1.6. professional status or area of activity, and gender; 

5.1.7. membership in organisations; 

5.1.8. other data about the person, including special categories of personal data that may be disclosed in publications. 

5.2. The National Library processes personal data, inter alia, for the following purposes in librarianship: 

5.2.1. in order to describe publications and their parts, to register publications in the database of the Estonian National Bibliography, and to collect, preserve and make available publications and personal archives – the processing shall be carried out to perform the duties of public interest pursuant to the National Library of Estonia Act and the Legal Deposit Copy Act; 

5.2.2. in order to collect, preserve and make available digital publications – the processing shall be carried out to perform the duties of public interest pursuant to the Legal Deposit Copy Act; 

5.2.3. in order to digitise or reproduce publications or their parts and to enable text and data mining in digitised publications or parts of the publications in accordance with the Copyright Act – the processing shall be carried out to perform the duties of public interest; 

5.2.4. in order to determine copyright and access matters and the holders of rights – the processing shall be carried out to perform the duties pursuant to the Copyright Act; 

5.2.5. in order to make open data available – the processing shall be carried out to perform the duties pursuant to the Public Information Act; 

5.2.6. in order to answer to the requests and to introduce collections – the processing shall be carried out to perform the duties of public interest pursuant to the National Library of Estonia Act; 

5.2.7. in order to assign international standard numbers to books, serials, and printed music – the processing shall be carried out to perform the duties of public interest pursuant to the National Library of Estonia Act. 

6. Processing the personal data of employees, job applicants and other persons who work with the National Library

6.1. The National Library processes the personal data of employees who work for the library on the basis of employment contract or authorisation agreement, trainees, job or traineeship applicants and volunteers. 

6.2. The National Library receives the personal data of the persons referred to in the clause 6.1 personally from the user and on the basis of his or her work, and partially from the third persons. The National Library may process personal data, inter alia, for the following purposes: 

6.2.1. the data for identifying the person, including the person’s name, personal identification code or the date of birth, and the number of ID card; 

6.2.2. contact details, including e-mail address, telephone number, and postal address; 

6.2.3. family-related data, including the names and personal identification codes of dependents; 

6.2.4. financial data, including bank account number, the amount of salary and benefits, and other related data; 

6.2.5. the place of work; 

6.2.6. professional or educational data, including data on education and/or previous jobs, and other information that is written in the CV and cover letter and shall be evident during the job interview or communication with referees; 

6.2.7. employment-related data, including the position, working and rest time and vacations, information about training and business trips, the summaries of performance appraisal as well as probational interviews, information about work results; 

6.2.8. images caught on security cameras and other information gained by electronic means, including while using key cards; 

6.2.9. photographic or video images that have been recorded at the events held at the National Library; 

6.2.10. the image and name on the personnel ID card and on the intranet of the National Library; 

6.2.11. the logs of the use of IT systems; 

6.2.12. the data on the breaches of the terms of the employment contract; 

6.2.13. the special categories of personal data, including the data concerning heath such as information on healthy days and days of sickness, the results of medical examination, information on the incapacity for work, pregnancy and the state of intoxication, and the data on trade union membership. 

6.3. The National Library may process the personal data of the persons referred to in the clause 6.1, inter alia, for the following purposes and on the following legal bases: 

6.3.1. in recruitment process – the processing shall be carried out to conclude a contract and to perform the duties pursuant to the Employment Contracts Act; 

6.3.2. in order to decide the terms of the employment contract, including work duties and obligations – the processing shall be carried out to conclude and perform a contract and to perform the duties pursuant to the Employment Contracts Act; 

6.3.3.  in order to pay remuneration, benefits and taxes – the processing shall be carried out to perform a contract and to perform the duties pursuant to the Employment Contracts Act; 

6.3.4. in order to evaluate work performance, to define training and development needs, to make a decision whether to promote an employee, and to monitor compliance with the Employment Contracts Act and the rules of work organisation of the National Library – the processing shall be carried out to perform a contract, and to perform the duties and obligations pursuant to the Employment Contracts Act, the rules of work organisation of the National Library, and the job description for the position. 

6.3.5. in order to evaluate the state of health necessary for working and work ability and to manage the days of sickness – the processing shall be carried out to perform a contract, and to perform the duties pursuant to the Employment Contracts Act; 

6.3.6. in order to communicate with the person both in the process of him or her applying for the position or traineeship as well as during the employment or traineeship, or in the relationship with the person acting as a voluntary helper – the processing shall be carried out to perform a contract and to perform the duties pursuant to the Employment Contracts Act; 

6.3.7. in order to provide the benefits, vacations and retirement related to the employment relationship – the processing shall be carried out to perform a contract; 

6.3.8. in order to prepare documents for a business trip – the processing shall be carried out to perform a contract and to perform the duties pursuant to the Employment Contracts Act; 

6.3.9. in order to take evidence on a breach of the rules of work organisation or the Employment Contracts Act – the processing shall be carried out to perform a contract and to perform the duties pursuant to the Employment Contracts Act; 

6.3.10. in order to make a decision to continue or terminate the employment relationship – the processing shall be carried out to perform a contract and to perform the duties pursuant to the Employment Contracts Act; 

6.3.11. in order to referee someone and to write a reference letter – the processing shall be carried out with the consent of the person; 

6.3.12. in order to prevent the misuse of and protect the assets of the National Library and to ensure the security of the employees and the users of the service – the processing shall be carried out to protect the legitimate interest of the National Library; 

6.3.13. other cases of processing personal data, of which the National Library shall notify the data subject in advance and ask for prior consent, if these are not arising from a contract or the law. 

6.4. The National Library processes the special categories of personal data for the following purposes and on the following legal bases: 

6.4.1. the data on the state of health are used at work for creating working environment that conforms to special needs – the processing shall be carried out to perform duties pursuant to law; 

6.4.2. the data on the trade union membership are used for paying the trade union membership fee, for ensuring the protection arising from the collective agreement and legislation – the processing shall be carried out to perform duties pursuant to the collective agreement and law. 

7. Preserving personal data

7.1. The National Library preserves personal data as long as it is necessary to attain the objective for which purpose these data were collected or in compliance with the requirements pursuant to law, and up to the extinguishment of the right of claim that is up to three years in the case of a contract and up to ten years in other cases. 

7.2. The National Library preserves the personal data of its registered user for three years. The user of the service can renew his or her registration and thereby the preservation time of his or her personal data. 

7.3. Photographs and videos of the events held at or related to the National Library shall be archived and made available as record items for the purposes of historical and scientific research.  

7.4. Pursuant to the Security Act, the National Library preserves security camera recordings for a month, whereupon they are deleted. 

7.5. The National Library permanently preserves the answers to capacious reference questions; the personal data therein remain confidential. 

7.6. The National Library preserves the data of the employees and job applicants as follows: 

7.6.1. The National Library deletes or destroys (on paper) the data of job applicants not later than a year after the competition for the position has ended, when the possible right of claim extinguishes. 

7.6.2. The National Library preserves the documentation related to the employees and the data therein up to ten years after the expiry of the employment relationship and, in the case of the employment relationships that have been entered into before 1 July 2009, up to fifty years after the expiry of the employment relationship. After that, this documentation shall be archived pursuant to the Archives Act and made available solely for the purposes of historical and scientific research. 

7.6.3. The National Library permanently preserves the staff ID cards of the employees, unclaimed employment record books, and the registration journals of employment record books. 

7.7. The preservation of personal data to be processed in connection with the use of the databases and web pages of the National Library depends on the purposes for preserving the personal data: 

7.7.1. automated logs related to the use of web pages preserve from 25 minutes up to 45 days, dependent on the type of the log; however, their backups shall be preserved up to two years; 

7.7.2. the user of the web page can any time delete the cookies that the web pages of the National Library have stored in his or her web browser; 

7.7.3. while creating an account on the web pages, the user can himself or herself delete his or her personal data. If the backup copy of the data has already been made, the backup may be preserved up to two years. 

7.8. The National Library permanently preserves the data collected for the purposes of librarianship, in determining copyright status and providing access to digital objects, and in determining the holders of rights. 

8. Disclosure of personal data to third persons

8.1. The access to personal data is granted only to these employees of the National Library, who need it for performing their work duties in order to provide service that has been requested. For instance, customer service providers have access to the database of users. 

8.2. The employees of the National Library, whose work involves dealing with personal data, have a contractual obligation to maintain the confidentiality of personal data that have been disclosed to them during their employment and not to make these data accessible to third parties. 

8.3. The disclosure of personal data to third persons shall take place solely pursuant to law, in the cases of a justified need, or with the consent of the person: 

8.3.1. net promoter score platform – in order to ask for feedback, the e-mail address of the user of the service is transferred; 

8.3.2. newsletter platform – in order to send the newsletter, the e-mail address of the user of the service is transferred; 

8.3.3. the platform of the Search Portal of the National Library – IP address and, if the person uses „My Library Card“ function, also his or her e-mail address and telephone number are transferred; 

8.3.4. provider of postal services – name and postal address are transferred; 

8.3.5. e-learning environment – the name, e-mail address and other data of e-learner that he or she has voluntarily provided are transferred; 

8.3.6. Google Analytics – the visitor statistics of the web pages of the National Library, including IP addresses are transferred;  

8.3.7. provider of accounting and human resources services – the data required by the accounting and human resources management rules are transferred; 

8.3.8. provider of debt collection services – the data for identifying the person, his or her contact details, and data on the financial claim are transferred; 

8.3.9. the social media platforms of the National Library – photographs and video recordings of the public events, held at the National Library, are transferred; 

8.3.10. Estonian Tax and Customs Board, Estonian Health Insurance Fund, Estonian Unemployment Insurance Fund, Estonian National Social Insurance Board – name, personal identification code, the amount of salary, and information on benefits and taxes are transferred; 

8.3.11. security service provider – the recordings of security cameras and the personal data of the persons related to the breaches of the internal rules of the National Library, including the data on the breaches are transferred; 

8.3.12. publishing an application, a request for information, a memorandum, or a contract concluded with the National Library in the document register of the National Library pursuant to the Public Information Act – the data required by the Public Information Act are transferred; 

8.3.13. the Trade Union of the National Library – the data related to employment relationships are transferred; 

8.3.14. authorities, including law enforcement authorities, bailiffs, or courts, if they have legal grounds for lodging the application – the personal data which may be requested on legal basis are transferred. 

8.4. The data collected for the purposes of librarianship, including the data related to copyright are disclosed to third persons, inter alia, in the following cases: 

8.4.1. Estonian and international databases that aggregate data on publications, persons related to these publications and copyright matters; 

8.4.2. in the course of other activities of librarianship nature, including interlibrary lending. 

9. Person’s rights concerning his or her personal data

9.1. You have the following rights as for your data that the National Library processes: 

9.1.1. You have the right to access your personal data that the National Library collects about You as well as to require the transference of the personal data that has been automatically processed and which processing is based on a concluded contract or on your consent (see clauses 2–7). In such cases, the National Library shall transfer your data either to You or, if it is technically possible, at your request to the organisation specified by You in a structured, widely used file format and in machine-readable form.  

9.1.2. You have the right to demand the correction of inaccurate data. You can exercise this right via your personal user account „My ESTER“ or via the settings of your user accounts on the web pages of the National Library. 

9.1.3. If You are of the opinion that your personal data are inaccurate or the National Library unlawfully processes your personal data, You have the right to demand the restriction of processing your personal data until the National Library has made a relevant decision. 

9.1.4. You have the right to demand the deletion of data. You can exercise this right via your personal user account „My ESTER“ or via the settings of your user accounts on the web pages of the National Library. 

9.1.5. If the processing of your personal data is based on your consent, You have the right to withdraw it at any time.  

9.2. To exercise the rights referred to in clause 9.1, You must submit an autographic application on paper to the information specialist or a digitally signed electronic application to the data protection specialist on the e-mail address: andmekaitse@nlib.ee, keeping in mind that You can exercise the rights referred to in clauses 9.1.2 and 9.1.4 by yourself.  

9.3. You have the right to file objections against the processing of your personal data, if the processing is based on legitimate interest or on the performance of a duty of public interest (see clauses 2–7). To file the objections, You must submit an autographic application on paper to the information specialist or a digitally signed electronic application to the data protection specialist on the e-mail address: andmekaitse@nlib.ee

9.4. The National Library shall deny the application submitted on the basis of clause 9.2, if your request is clearly unfounded or excessive, or the basis for the denial of the application are pursuant to law. 

9.5. You have the right to recourse to the Estonian Data Protection Inspectorate or to the courts in order to protect your rights. 

10. Explanations and further information

10.1. You have the right to receive explanations of the processing of your personal data and your rights. To get these explanations, the National Library asks You to contact its information specialist or, if your thorough questions need more detailed answers, send a letter to the data protection specialist at the National Library to the email address: andmekaitse@nlib.ee

10.2. Data protection specialist at the National Library of Estonia: 

e-mail: andmekaitse@nlib.ee; telephone: (from abroad add +372) 630 7131; 
postal address: Data Protection Officer, National Library of Estonia, Tõnismägi 2, 15189 Tallinn, Estonia