Author:
Gabriela Urm

Data Protection Policy

1.  Introduction

1.1. These data protection terms explain the processing of personal data and information related to individuals' privacy at the University of Tartu Library (hereinafter: the library).  

1.2. Personal data refers to data about a physical person that is identified or identifiable, reflecting their physical, mental, physiological, economic, cultural, or social characteristics, relationships, and affiliations. 

1.3. A data subject is a natural person whose personal data is processed by the library. In these data protection terms, the data subject is described in different roles depending on the service being used, such as library user, client, user, representative of a legal entity, employee, author, etc.

1.4. Processing of personal data is any operation performed with personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use and communication of personal data. 

1.5. The library processes personal data only if there is a legal basis for it and only as long as necessary to achieve the objective of processing or to comply with legal obligations. The library applies all relevant organisational, physical and technical security measures to protect the personal data that is at the library’s disposal from unauthorised and non-compliant use, disclosure or damage. 

1.6. The library processes personal data only in full compliance with legislation governing personal data protection, including upon communication of personal data to processors located in non-European Union countries. 

1.7. As the University of Tartu Library is a research library within the University of Tartu, the processing of electronic and paper documents (including the terms of storage) and the rights of access are governed at the university by the following bylaws: 

1.8. The data protection policy does not deal with the way the library processes the data of legal persons or how other persons process personal data. Nor does the policy cover the processing of personal data on external websites to which there are links on the library’s web pages. 

2.1. The library, as the controller of data, processes the personal data of those registered as library users in order to create and manage their user accounts both on paper and digitally in the ESTER e-catalogue. Library staff, who need access to personal data to perform their duties and provide the requested services to library users, can access this data. They must also comply with the personal data processing principles provided by ESTER.

2.2. When submitting an electronic application to create a user account, library users can identify themselves via the state authentication service provided by the Estonian Information System Authority or the Estonian Academic Authentication and Authorization Infrastructure (TAAT) between Estonian educational and research institutions. After identification, part of the form is pre-filled with the library user’s existing data. 

2.3. The library user provides their personal data in the application to create a user account. Depending on the chosen service, the library processes the following data:  

2.3.1. first and last name, personal identification number, or date of birth, user ID, or library card number, which are necessary for registration as a library user, creating and managing the user account, and granting access to databases and IT systems intended for the library user. These data are processed based on the library user’s consent; 

2.3.2. contact details, including postal address, phone number, and email address, which are necessary for providing services and communicating with the library user, including responding to inquiries, managing reservations, and notifying about library user rights or the expiration of loan periods. These data are processed based on the library user’s consent; 

2.3.3. data identifying the guardian and contact details, which are necessary for providing services to a library user under guardianship, resolving complaints, and proving, enforcing, and protecting legal claims. These data are processed based on the Family Law Act; 

2.3.4. educational data, including educational institution and field of study, level of study, and academic degree, which are necessary for granting different library user rights. These data are processed based on the library user’s consent; 

2.3.5. data provided via email, web chat, or phone, which are necessary for communication with the library, including the content of notifications and recommendations. These data are processed based on the library user’s consent;

2.3.6. data necessary for the use of individual and group study rooms, including reservations and usage time. These data are processed based on the library user’s consent; 

2.3.7. data related to the use of services and satisfaction with them, including information on the services used, service usage activity, and library user feedback. These data are processed based on the University of Tartu Library Rules;

2.3.8. data related to violations of the library’s rules, debts, and other legal claims. These data are processed based on the Law of Obligations Act;

2.3.9. special types of personal data, such as information on disabilities, disorders, or illnesses that prevent reading printed text, to enable access to copyrighted works. These data are processed based on the Copyright Act.

2.4. The library user’s personal data is transferred to third parties only based on legal grounds, contract, or the library user’s consent.

2.4.1. In managing user accounts, the library’s partner, as an authorized processor, is Innovative Interfaces Inc., which manages the Sierra library software. Innovative Interfaces Inc. adheres to its data protection principles when providing the service. 

2.4.2. The library uses debt collection services for collecting fines. They are provided with data necessary for identifying the individual, their contact details, and information about the financial claim. These data are processed based on the Law of Obligations Act.

3.1. The library, as the data controller, processes personal data for the purpose of providing services. Library services include, for example, the use of public Wi-Fi, participation in events and training, use of the online store, restoration and binding work, digitization, room rental, and consultations.

3.2. Services are provided to both clients and individuals registered as library users. Personal data provided when registering as a library user is not processed during service provision.

3.3.  The library processes the personal data of the data subject during service provision based on their consent and in compliance with legal obligations. Depending on the selected service, the library processes the following data: 

3.3.1. data that allows identification of the person, such as first and last name, personal identification number, or date of birth, necessary for providing or purchasing services, for example, for managing orders, communicating with the contract partner, organizing training and other events, and issuing training certificates; 

3.3.2. contact details, including postal address, phone number, and email address, which are necessary for providing services and communicating with the client, such as responding to inquiries and sending invoices; 

3.3.3. communication data, including inquiries, requests, and information requests sent via email, letters, social media, web chat, or phone; 

3.3.4. data related to legal entities, such as the representative’s first and last name and their connection to the legal entity, or the data of a self-employed person; 

3.3.5. data on the services provided and related financial information; 

3.3.6. data on the use of services provided via a web meeting platform, including information on the meeting duration, chat history, etc.; 

3.3.7. data necessary for publicizing library events, (e-)training, and other activities in (social) media, including photos and other recordings; 

3.3.8. data related to participation in competitions and campaigns, including information on prizes won; 

3.3.9. data on service usage and satisfaction, including information on the services used, their usage activity, and feedback from readers and clients; 

3.3.10. data on the use of the library e-shop, including purchase history. A more detailed privacy policy is available on the library’s e-shop website.

4.1. The personal data of job applicants is restricted information to which third persons (including competent authorities) gain access only in cases provided by law. The recruitment process is coordinated by the Personnel Department of the University of Tartu in cooperation with the library. Recruitment documents may only be reviewed by employees involved in the hiring process.

4.2. As the controller, the library processes mainly the following data of a person applying for a job at the library: 

4.2.1. identification data, primarily first and last name and personal identification number;

4.2.2. contact details: postal address, phone number, and email address; 

4.2.3. information necessary for employment, such as education, additional training, and work experience; 

4.2.4. information on citizenship and, if necessary, the legal basis for residence and work in Estonia. 

4.3. If the job applicant has provided the required data, including references, the library assumes they consent to the processing of their personal data and that the library may contact the references.

4.4. The personal data of applicants is processed using the recruitment software Recrur. 

4.5. If an applicant who is rejected gives separate consent, the library may propose the applicant take part in another competition when the university announces a suitable job. The library will keep the documents of unsuccessful applicants, based on legitimate interest, to resolve possible legal disputes for one year, starting from the negative decision. 

5.1. The library, as the data controller, processes the personal data of employees to fulfil obligations arising from employment contracts and legal acts (e.g., tax laws, laws related to employment, accounting laws, etc.). The personal data processed includes:

5.1.1. data required to identify the person: name and surname, personal identification number and citizenship; 

5.1.2. contact details necessary for entry into and performance of the employment contract: email address, telephone number and postal address; 

5.1.3. family and social data; for example, data regarding the employee’s children for providing child-related leave, death certificate of an employee or employee’s next of kin to pay funeral grant, documents certifying the duty to serve in the Defence Forces or participate in reservist training;  

5.1.4. data on qualifications and professional training; 

5.1.5. financial data; for example, bank account number, application for calculation of basic exemption and information on pension;  

5.1.6. data regarding the employment relationship, for example, documents of appraisal interviews and evaluation; 

5.1.7. data on the employee’s state of health; for example, health certificates, decisions of medical examinations, radiation monitoring data, data on accidents at work and occupational diseases. 

5.2. The library employees’ email addresses, telephone numbers and office locations, intended for work-related communication, are made public on the library’s website based on legitimate interest so customers can contact the employees. 

5.3. The library processes personal data to comply with obligations arising from the employment contract and from legislation and to ensure security, including when registering employees' data in databases.

6.1. The library uses various information systems to carry out work-related tasks. 

6.1.1. The library processes personal data in major information systems used in academic work, such as the Study Information System, Office 365, the document management system, and e-learning environments such as Moodle, Zoom, and Panopto. Participants in the library’s courses have the opportunity to use platforms like Zotero, Mendeley, etc., within the scope of their studies. Users of e-learning environments may add voluntary information to their user profiles (e.g., photos, city, interests). The legal basis for processing such data is the user’s consent. Users have the right to modify or delete this data at any time. 

6.1.2. The library also processes the data of users and user accounts of electronic databases (ESTER, the University of Tartu digital archive in DSpace, DataDoi, the scientific journal publishing platform OJS). This includes data stored when logging into and using the functions of these databases, as well as records, searches, and other similar types of data saved by the user. The legal basis for processing this data is the user’s consent. Users of the database have the right to modify this data at any time. To delete a user account, contact the University of Tartu Library. 

6.1.3. Individuals with a university user account can, if they wish, use scientific databases from outside the university network via a proxy server or a virtual private network (VPN).   

6.1.3.1. For the use of scientific databases via a proxy server, the user must identify themselves with the university's user credentials or via the state authentication service provided by the Estonian Information System Authority. The user’s first and last name, their connection to the university, their role within the university, and the university’s email address are transmitted to the database. The personal data transmitted depends on the database, and the legal basis for processing this data is the user’s consent. 

6.1.3.2. For using scientific databases via VPN, the user can download VPN software to their device, but this is optional. When using a VPN, the library processes the user's university user credentials, and the legal basis is the VPN user’s consent.

6.1.4. Logs are generated during the use of information systems, containing the IP address, visit date, and time; when printing from a library’s computer, the name of the print job, quantity, and time of printing are recorded. Additionally, information is collected about the browser used, operating system, and device, MAC address, and the time of connection and disconnection to Wi-Fi. Logs are processed in accordance with the University of Tartu’s IT standards for the performance of tasks of public interest and legal obligations. 

7.1. The library processes the personal data of users of its website based on their consent.

7.2. The library uses the following types of cookies on its website: 

7.2.1. necessary cookies ensure the proper functioning and more convenient use of the website. These cookies are temporary and cannot be disabled in our systems; 

7.2.2. statistical cookies keep track of the user and measure how long and which web pages are visited and which device is used. The gathered information cannot be linked to a specific person; 

7.2.3. functional cookies are stored on the visitor’s device after the browser is closed. Functional cookies are not applied on the university’s websites;  

7.2.4. authentication cookies, which are used to identify logged-in users. 

7.3. If the user wishes to limit the acceptance and storage of cookies on their device or delete cookies already stored, this can be done in the browser settings. By limiting or refusing cookies, the user may have restricted access to the services and functions offered on the library's website. 

7.4. The library website uses the FB Pixel and Google Analytics services. 

8.1. For library purposes, personal data is processed in library software and added to the nationwide e-catalogue if the author is mentioned in a publication or is associated with the publication. Such data is obtained from the publication itself, the publisher, or public sources (e.g., inheritance register, population register). 

8.2. Metadata collected for library purposes is processed for the performance of public tasks arising from the Legal Deposit Copy Act and is retained permanently. The data is published in the ESTER e-catalogue without prior consent. If books are recommended or donated to the library, the donor's or recommender's first and last name is published in the ESTER e-catalogue based on their consent or a donation agreement.  

8.3. When entering data into the nationwide e-catalogue, the following personal data is processed for the purpose of describing and distinguishing works: 

8.3.1. data on the author and other persons associated with the work, including their connection to the work, first and last name, pseudonym, and lifespan;

8.3.2. the data that may be published about the person in the publication, including special types of personal data; 

8.3.3. data on the copyright holder, publisher, and their representatives, including first and last name and personal identification number; 

8.3.4. data to identify the donor and recommender, including first and last name; 

8.3.5. contact details of the copyright holder, publisher, and their representative, donor, and recommender, including email address and phone number; 

8.3.6. communication data with the copyright holder, publisher, their representative, donor, and recommender.  

9.1. Requests for explanations, notices, information requests, inquiries, and other letters submitted to the library by institutions or individuals may contain personal data. Documents created and received in the course of library work, including those containing personal data, are registered by the library in the university's document registry. 

9.2. The library has established access restrictions for documents containing personal data. Documents with access restrictions, including those containing personal data, are only disclosed by the library to institutions and individuals who have a direct legal right to obtain them (e.g., pre-trial investigators or courts). If a third party submits an information request to access restricted information, the library will decide on a case-by-case basis whether the document can be released partially or in full. 

 

The security of the University of Tartu Library premises is the responsibility of the University of Tartu. The processing of personal data through the use of the video surveillance system is described in Section 7 of the University of Tartu's Data Protection Policy.

11.1. Depending on the legal basis for processing personal data, the data subject has the right to:

11.1.1. receive confirmation as to whether the library processes their personal data and access the data collected about them. If the data subject submits a request in which they do not wish to be aware of the processing or control its legality, the library, as the data controller, may refuse the request;

11.1.2. demand the rectification of inaccurate personal data collected regarding them, or the completion of incomplete personal data;

11.1.3. request the library to erase, without undue delay, their personal data, which no longer has a legal basis for processing or is no longer needed for the purpose for which the library collected or otherwise processed the data;

11.1.4. withdraw their consent at any time if the processing of personal data is based on consent. This does not affect the lawfulness of the data processing carried out before the consent was withdrawn;

11.1.5. request the library to restrict the processing of personal data if:

11.1.5.1. the data subject has contested the accuracy of the personal data. The library restricts the processing for the time needed to verify the accuracy of the personal data; 

11.1.5.2. the processing of personal data is illegal, but the data subject does not request the deletion of personal data; 

11.1.5.3. the library no longer needs the personal data for processing, but the data subject needs them for preparing, filing or defending a claim; 

11.1.5.4. the data subject has filed an objection to processing personal data. The library will restrict the processing until it is verified whether the library’s lawful reasons outweigh the data subject’s reasons; 

11.1.6. receive the personal data which they have submitted to the library and communicate them to another controller. The right to transfer data applies solely to the personal data that the persons themselves have provided to the library and which the library processes by automated means and on the basis of consent or a contract. For example, the right to transfer data does not apply to job applicants, because their data are not processed by automated means;

11.1.7. file an objection against processing their personal data if the processing of data is based on legitimate interest or if the processing is necessary for the performance of public duties or in the public interest.

11.2. For questions related to the processing of personal data and rights, the data subject can contact the University of Tartu Library via email at library@ut.ee or the University of Tartu’s Data Protection Specialist via email at andmekaitse@ut.ee. Upon receiving a request from a data subject, the library may ask for clarifications regarding which information or data processing activities the request relates to. The library will respond to the request within 30 days of its receipt. If it becomes clear that more time is needed to respond, the library may extend the response period by a reasonable amount. A copy of the processed personal data will be provided to the data subject free of charge, but the library may charge a reasonable fee to cover administrative costs for additional copies. 

11.3. If the data subject believes that the way the library processes their personal data is contrary to data protection regulations, they have the right to contact the Data Protection Inspectorate (email: info@aki.ee, phone: 627 4135). 

12.1. The library reserves the right to unilaterally amend the data protection terms. The most current version of the data protection terms is always available on the website https://www.utlib.ut.ee. 

12.2. The terms were last updated on 22 October 2024.
