The National Library processes personal data, i.e. it is the controller. In this notice, we explain how the National Library, as a controller, processes personal data, in particular in the information systems used to provide services to organisational customers.

1. Controller 

University of Helsinki
National Library of Finland
P.O. Box 15 (Unioninkatu 36)
00014 Helsingin yliopisto
Tel: +358 (0)2941 911

Please contact us preferably by email: kk-it-tukipalvelut(at) 

The National Library of Finland is part of the University of Helsinki. University-level information about data protection is available on the university web pages. The email address of the Data Protection Officer is tietosuoja(at)

2. What This Document Covers

This statement applies to the following services and systems of the National Library:

  • Customer relationship management for services provided by the National Library to organisations;
  •, a wiki platform for collaboration between the National Library and its stakeholders;
  • The National Library's and its stakeholders' discussion platform; and
  • the authentication system used for logging into the National Library and

The National Library also has other personal data processing activities. Read more about data protection and data processing at the National Library.

The National Library is part of the University of Helsinki. Read more about data protection and data processing at the University of Helsinki.

3. Legal Basis of Data Processing

The National Library of Finland and its tasks are laid down in the Universities Act. According to Section 70 of the Act, the National Library is responsible for

  • the deposit, preservation and accessibility of the national cultural heritage within its field of activity;
  • developing and providing national services to university libraries, public libraries and special libraries; and
  • promoting national and international cooperation in the field of libraries.

Through the systems described in this report, the National Library carries out its statutory tasks.

Personal data are processed

  • to identify and authorise users of the collaborative platforms;
  • to manage customer relations; and
  • in connection with the resolution of incidents and security breaches.

The legal basis for processing personal data is

  • in the authentication system, and, the consent of the individual; and
  • for customer relationship management, the legitimate interest of the controller: the processing of contact data is necessary for the fulfilment of contractual and legal obligations.

4. Types of Personal Data Processed

Types of personal data processed are

  • username
  • password
  • name
  • email address
  • user group
  • organization that the person is related to
  • contract to which the person is related to
  • technical log data, see below
  • voluntarily given additional data, see below.

Technical log data

In order to provide the service and to ensure security, technical log information is collected from users of online services. This log information includes information such as timestamp, browser version, operating system and IP address that can be used to link the user to a natural person. This information is only used to investigate error situations or security breaches. The temporary storage of personal data contained in log files is necessary to provide the service.

The National Library uses the services of its contracted partner Cloudflare Inc. to improve the reliability of its information systems. They collect log data, such as timestamp and IP address, which can be used to link the user to a natural person.

Additional information provided voluntarily and on own initiative

On and, a person can complete their profile themselves, for example with their contact details. He/she can add, change and delete this information himself/herself and is therefore responsible for their correctness.

5. Regular Sources of Personal Data

The regular sources of personal data are.

  • the individual himself/herself;
  • the organisation that identifies the person as its representative in the customer relationship;
  • the Haka user authentication system, where the individual uses the Haka authentication of higher education institutions to authenticate; and
  • National Library employee who invites a person to become a user of

6. Transfer of Personal Data Outside of the EU or EEA

Slack: Messages posted on are automatically copied to Slack, through which the name of the author may be transferred outside the EU or EEA. These messages will be removed from Slack after one month. Slack is a service provided by Slack Technologies LCC, a contracted partner of the National Library, and has its own privacy policy.

Cloudflare: technical log data (see section 4) necessarily required for the services of Cloudflare Inc., the National Library's contract partner, may be transferred outside the EU or EEA. The National Library uses Cloudflare's services to ensure the functionality of its online services. For more information on its privacy policy, please see its own website

Otherwise, no personal data is transferred outside the EU or EEA.

7. Regular Disclousures of Personal Data

Personal data is not regularly disclosed outside the University of Helsinki.

8. Retention Period of Personal Data and Deletion of Unnecessary Personal Data

Personal data is deleted from the customer relationship management when the person no longer performs any role.

From and, personal data will be deleted when the user's authorisation to use the service expires, but no later than two years after the last login.

9. Cookies

Web services used in the browser store cookies on the user's terminal device. All cookies used by the systems covered by this statement are technical cookies that enable the online services to function and improve the user experience.

10. Principles of Register Protection

  • Data is stored only in electronic form.
  • Access to customer management data is restricted to those employees of the National Library whose work requires it.
  • The systems are logged in with a personal user name and password.
  • Only those employees of the National Library who are responsible for the operation of the systems have the right to be the main user.

11. Automatic Profiling in Decision Making

Automatic profiling is not performed by any of the systems covered by this document.

12. Sensitive Personal Data

Sensitive personal data is not handled in any of the systems covered by this document.

13. Reviewing, Correcting, and Removal of Personal Data

A person has the right to

  • review what personal data has been collected by systems and services covered by this document;
  • have an error in their personal data corrected; and
  • have their personal data deleted if there is no ground to process them.

In all these cases, they are requested to be in contact with the National Library, [email protected].

14. Legal Review of Processing of Personal Data

A person has right to have the legality of the personal data processing reviewd by the Data Protection Ombudsman: tietosuoja(at)

  • No labels