Data protection description

This is a description of what personal data is processed by Nordic Culture Point and how the data is processed. Nordic Culture Point complies with Finnish legislation and the EU’s General Data Protection Regulation 2016/679 (GDPR) regarding data protection.

Person responsible for register matters

Fredrik Lundin
IT Manager
PO Box 231, FI-00171 Helsinki, Finland
fredrik.lundin@nordiskkulturkontakt.org
+358 10 583 1004

Names of the registers

  1. Borrower register for the Nordic Culture Point special library
  2. Administration of Nordic Culture Point’s digital survey system
  3. Nordic Culture Point media archive
  4. Nordic Culture Point newsletter
  5. Web browser cookies on the website www.nordiskkulturkontakt.org
  6. Nordic Culture Point camera surveillance

Purpose of the registers

Nordic Culture Point collects and processes personal data:

  1. in order to maintain a borrower register and manage the library’s customer relations,
  2. when arranging events and meetings, and for the payment of fees,
  3. to document the business. The material may be used in Nordic Culture Point’s annual report, on the website, in social media and other digital marketing, for internal needs (e.g. presentations), and for future archiving,
  4. to send information to subscribers to our newsletters,
  5. to develop the web service, measure visitor numbers, and target marketing about our events or funding programmes on Facebook on the basis of which pages are visited via the website, and
  6. in connection with camera surveillance at the library. The purpose of camera surveillance is to: protect property, protect customers and staff, prevent crime, and help solve any crimes that do occur.

Content of the registers

  1. The borrower register contains:
    • borrower name, address, gender, phone number, and e-mail address
    • information on the borrower type for borrowing functions
    • information on the borrower’s mother tongue and communication language for customer service purposes
    • library card numbers and borrower IDs
    • password (pin code) for identification
    • civil registration number
    • information about the borrower’s current loans
    • information about the borrower’s current reservations
    • information about the borrower’s unpaid fees
    • information about outdated contact details, any powers of attorney, contact details of guardians, and measures taken due to unreturned loans and unpaid fees, as well as notification settings, registration date, and most recent loan dates

    The following are used as data sources:

    • information provided by the borrower and stored on the computer system
    • public address and phone number services
    • information stored through the library’s activities

    The borrower is responsible for giving notice of any changes. Should there be a need for recovery measures, address information can be checked via the authority for digitalisation and population data (DVV).

  2. Digital survey systems (data collected through the web services Webropol, Zoom, Microsoft Teams, Microsoft Forms, or Zef). What data is collected depends on the purpose of use but may include:
    • Personal data (first name, surname, organisation, supervisor, address, e-mail address, phone number, civil registration number, country, allergies, dietary requirements)
    • Bank details (only for payment of remuneration)
    • Employment and positions of trust
    • Events
  3. Media archive
    The register contains pictures and video material created during Nordic Culture Point’s events or to document the organisation’s other activities.
  4. Newsletters
    E-mail addresses and names (collected through the web service Mailchimp)
  5. Browser cookies
    The nordiskkulturkontakt.org website uses Google Analytics and Facebook Pixel cookies. Google Analytics is a service provided by Google for the collection of statistical information on visitors to a website. This information usually includes IP addresses, the geographical location of an IP address, pages visited, how the visitor arrived at the website, and computer information such as operating system and browser details.
    Facebook Pixel is a service provided by Facebook that collects the following information:
    • HTTP headers – everything found in the HTTP header field. HTTP headers include IP addresses and information about the browser, site location, document, reference, and person using the website.
    • Pixel-specific data – includes the Pixel ID and the Facebook cookie.
    • Button click data – includes all buttons clicked on by visitors to the website, the labels on those buttons, and all pages visited as a result of button clicks.
  6. Camera surveillance
    The register contains recorded visual material created by way of surveillance cameras located in the Nordic Culture Point library.

Regular disclosure and transfer of data within the EU or EEA

  1. Borrower register
    • Borrowers’ personal data, loan data, and payment data may be transferred to third parties for invoicing and recovery.
    • Borrower information, including borrowers’ personal data, loans, and reservations, is displayed but not stored when logging into the online library. Borrowers’ card numbers, PIN codes, and e-mail addresses are stored in the online library.
  2. Digital survey systems
    Information may be transferred to third parties for the administration of events, invoicing, and the payment of fees.
  3. Media archive
    No personal data is regularly disclosed or transferred from the register.
  4. Newsletters
    No personal data is regularly disclosed or transferred from the register.
  5. Browser cookies
    No personal data is regularly disclosed or transferred from the register.
  6. Camera surveillance
    Material is only transferred to an authority when investigating a crime.

Transfer of data outside the EU or EEA

To a limited extent, information is transferred outside the EU/EEA to sub-suppliers engaged by the data controller in respect of digital survey systems, newsletters, and browser cookies. When data is transferred outside the EU/EEA, the European Commission’s standard contractual clauses or any other transfer mechanism permitted by law is used.

Principles for the protection of the registers

The personal data in these registers is protected by technical and organisational means against unauthorised and/or illegal access, destruction, changes or other processing, including the unauthorised disclosure and/or transfer of the data in the register. The information is stored in an electronic system that is protected by firewalls, encryption technology, passwords, and other appropriate technical solutions. Forms with borrower information that borrowers fill in are destroyed once the information has been entered into the digital library system.

Access to the register is limited to certain employees of Nordic Culture Point and other specified persons who need the information in order to carry out their duties. Those who have access to the information in the register are bound by a duty of confidentiality. User rights are regularly checked and unnecessary rights are removed. Nordic Culture Point and the service providers have drawn up data processor agreements.

The rights of the data subject

The EU’s General Data Protection Regulation protects several rights of data subjects. Data subjects have the following rights:

  • right of access: the data subject has the right to know which of their personal data is being stored. The data subject can check some of the information in the library system’s online library themselves.
  • right to have information corrected: the data subject has the right to have incorrect information corrected and incomplete information completed.
  • right to be forgotten: if there is no legal basis for the processing of personal data, the data subject has the right to demand that data relating to them be deleted.
  • right to object to or limit processing: in some situations, the data subject also has the right to request that the processing of personal data be limited or to otherwise object to the processing of personal data.
  • right to withdraw consent: the data subject can withdraw their consent to the processing of their personal data at any time.

The data subject may prevent the use of browser cookies by adjusting the settings of their browser.
If the data subject considers that the processing of their personal data is not lawful, the data subject has the right to submit a complaint to the data ombudsman.

Storage period for personal data

Nordic Culture Point stores personal data only for as long as is necessary for the purposes specified in this data protection description or to fulfil statutory obligations.
Recordings from surveillance cameras are automatically deleted every 30 days.

Notification of changes to personal data

The data subject can notify Nordic Culture Point of a change to their personal data by writing to Nordic Culture Point, PO Box 231, FI-00170 Helsinki, Finland or by e-mailing gdpr@nordiskkulturkontakt.org.
The borrower can notify Nordic Culture Point or the library of a change to their contact details by writing to Nordic Culture Point, PO Box 231, FI-00170 Helsinki, Finland, by e-mailing bibba@nordiskkulturkontakt.org, or by logging in and changing their details in the online library.

Amendment of the data protection description

Nordic Culture Point reserves the right to update and amend this data protection description by announcing the same on its website.