Skip to content

3UAS-libraries Privacy Notice for customer information

In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13, 14 and 30) Created on: 20.8.2020 (updated on 16.6.2021)

Controllers of data file

Haaga-Helia University of Applied Sciences (y-number 2029188-8).
Ratapihantie 13, 00520 Helsinki

Laurea University of Applied Sciences (y-number 1046216-1).
Ratatie 22, 01300 Vantaa

Metropolia University of Applied Sciences (y-number 2094551-1).
Myllypurontie 1, 00920 Helsinki

Controllers’ contact persons

Eeva Klinga-Hyöty
Eeva.klinga-hyoty@haaga-helia.fi
Tel. 040 488 7501

Hanna Lahtinen
Hanna.lahtinen@laurea.fi
Tel. 040 573 8033

Hellevi Hakala
Hellevi.hakala@metropolia.fi
Tel. 040 6736 768

Controllers’ data privacy officers

Teija Aarnio
Teija.aarnio@haaga-helia.fi
Tel. 040 488 7001

Marjo Valjakka
Marjo.valjakka@laurea.fi
Tel. 046 856 7658

Tuulia Aarnio
Tuulia.aarnio@metropolia.fi
Tel. 040 844 0690

Requests concerning the exercising of the data subject’s rights should be addressed to the controller’s data privacy officer of the organization it may concern.

Name of data file

Data file for 3UAS-libraries

Purpose of processing of personal data

The 3UAS-library is a joint library of the following universities of applied sciences:

  • Haaga-Helia University of Applied Sciences
  • Laurea University of Applied Sciences
  • Metropolia University of Applied Sciences

Personal data is handled for the purpose of taking care of the controllers’ customer relationships. The controllers processes the data as well as subcontracting parties to process the data on the controllers’ behalf.

Lawfulness of processing of personal data

The lawfulness of processing personal data is based on the following principles of the EU General Data Protection Regulation:

  1. Processing is necessary for the production of library services and management of library services and library system users. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (GDPR Art 6. (1)b;
  2. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Art. 6 (1)f);


The aforementioned legitimate interests of the controller are based on a meaningful and appropriate relationship between the data subject and the controller, which arises when the data subject uses the services of the library, as long as the processing is done for purposes which the data subject can reasonably be assumed to have expected at the time of, and in conjunction with, the data being collected.

Content of data file and personal data categories processed

Groups of data subjects

  1. Clients of the library services
  2. System users (root users, users)

Groups of personal data

  1. Basic personal data:  name, identity number, address, telephone number, email address, student number, workplace
  2. Library customer information: library card number, PIN code, communication language, customer and statistical group, booking code,  information on charges and measures relating to unreturned material, long loan times, customer data update date as well as loans and provisions held by the customer.

Regular data sources and personal data generated as part of controller’s operation

Personal data is primarily collected from the data subjects themselves.

Additionally, data is obtained from other data files owned by the controller (e.g. the student administration data file).

Moreover, the controller stores personal data generated during the customer relationship.

Period of storage of personal data

The personal data in the data file is only stored for as long as and to the extent that each category of data is needed, proportionate to the purpose of processing of the personal data. Additionally, the duration of storage of personal data complies with possible statutory requirements.

Data subject's customer affiliation and related information will be deleted from library system client data three years after the last quote transaction unless there is any other justification for retentions of personal data e.g. if retention is necessary to deal with a legal claim or for filing reasons. The log data of the library system will then be kept for a further two years.

The controller of the data file regularly evaluates the need for storing data in accordance with its internal practices.

Regular disclosures of personal data

Personal data from the file is disclosed to third parties that are contractual parties of the controller, and to other similar parties that have a legitimate connection with the controller’s operations, such as:

  • Debt collection agency
  • Eduix Oy (e-forms)
  • Tuudo (mobile library card)

Transfers and disclosures of data to outside of the EU or EEA

Data from the data file is not habitually transferred outside the EU or EEA, nor processed outside the EU or EEA, unless it is necessary for the technical implementation of the processing (for example if the technical maintenance of systems is located outside the EU or EEA), or in order to manage international functions related to the purpose of use of the data file.

In transferring personal data, the controller complies with the standard contractual clauses approved by the European Commission in relation to the transfer of personal data to third-party countries, or alternatively implements other appropriate safeguards, or alternatively ensures that the third-party country can guarantee a sufficient level of the of data protection.

Data security principles

Access to databases and systems and use of the data file are only available to such employees of the controllers or of subcontractors working on the controllers’ behalf, whose work duties entitle them to handle the data contained in the data file. Every user of the data file has an individual username and password for the systems.

Materials containing personal data are stored in locked facilities that may only be accessed by specifically appointed persons whose work duties entitle them to do so.

The database containing personal data is stored on a server which is placed in a locked facility that may only be accessed by specifically appointed persons whose work duties entitle them to do so. The server is protected by an appropriate firewall and technical security systems.

Rights of the data subject

3UAS libraries have agreed to inform the data subjects with a joint privacy notice approved by all parties.

3UAS libraries are coomited to response to data subjects' rights according to data protection laws and this privacy notice. Requests for the rights of data subjects shall be processed by the library of the University of applied Sciences, which receives the request.

3UAS libraries undertake to comply with the request from the data subject to correct, transfer, restrict or delete personal data if the conditions for the request under data protections law are met.

The data subject has the following rights in accordance with the EU General Data Protection Regulation:

  1. The right to obtain from the controller confirmation as to whether or not personal data concerning them are being (is) processed, and, where that is the case, access to the personal data and the following information:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipient to whom the personal data have been
      or will be disclosed, in particular recipients in third countries or international organisations;
    • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    • the right to lodge a complaint with a supervisory authority;
    • where the personal data is not collected from the data subject, any available information as to their source; and
    • the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. (GDPR Art. 15)

Additionally, the data subject has the following rights:

  1. The right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. (GDPR Art. 7)
  2. The right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them, as well as the right to have incomplete personal data completed, including by means of providing a supplementary statement. (GDPR Art. 16)
  3. The right to obtain from the controller the erasure of personal data concerning them without undue delay, where one of the following grounds applies:
    • the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
    • the data subject objects to the processing on grounds relating to their particular situation, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;
    • the personal data has been unlawfully processed;
    • the personal data has to be erased for compliance with a legal obligation in The European Union or Member State law to which the controller is subject. (GDPR Art. 17)
  4. The right to obtain from the controller restriction of processing, where one of the following applies:
    • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
    • the data subject has objected to processing on grounds relating to their particular situation, pending the verification whether the legitimate grounds of the controller override those of the data subject. (GDPR Art 18)
  5. The right to receive the personal data concerning them, which they has provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to the GDPR, and the processing is carried out by automated means. (GDPR Art. 20)
  6. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to their infringes the GDPR. (GDPR Art. 77)

Requests concerning the exercising of the data subject’s rights should be addressed to the controller’s data privacy officer of the organization it may concern.