Information to the data subject in accordance with the EU General Data Protection Regulation (2016/679) articles 13-14

1. Controller

Arcada University of Applied Sciences Ltd
Jan-Magnus Janssonin aukio 1
00560 Helsinki
Business ID: 2553871-2

2. The controller’s representative

Head of Library Maria von Hertzen
Tel. 0294 282 691
E-mail address:

3. Contact person for the register

System designer Tomas Rönn
Tel. 0294 282 695
E-mail address in the format

4. Data protection officer

Data protection officer, legal counsel Anna Härmä
Tel. 0294 282 888
E-mail address

5. Purposes of processing personal data

The data is used for administration of loans from Arcada’s library, for communication between the library and the borrowers and for statistical purposes.

6. Legal basis for processing personal data

The legal basis for processing personal data is the existence of a contract between Arcada and the borrower.

7. Categories of personal data and the duration of storage

  1. Name, social security number and contact information
  2. Library card number
  3. Customer and statistics category
  4. The borrower’s current loans, reservations and possible late fees and compensations

The data is deleted from the register according to the following, provided that there are no current loans or unpaid fees:

  • Degree students’ data when the student graduates
  • Exchange students’ data when the exchange period ends
  • Other borrowers’ data when the borrower has been inactive for the past four years

8. IT systems used when processing personal data

Voyager – library system (until 31.12.2019)
KOHA - library system (from 1.4.2019)
Arcada-Finna library catalogue - interface

9. Data sources

Data regarding students is transferred from the student register when the student has given his or her consent in the study administrative system ASTA to the data transfer to the library.

Data regarding other borrowers is received from the borrower when he or she applies for a library card. The data requested is necessary for Arcada to be able to grant borrowing rights. The paper form with which the borrower provides data about him- or herself is stored for six months.

10. Recipients of the personal data

Data can be disclosed to other companies within the corporate group or to external companies in order to collect unpaid fees.

11. Transfer of personal data outside the EU and the EEA and the basis for the transfer

Personal data is not transferred outside the EU or the EEA without the data subject’s consent. However, for maintenance and service of the used IT services, it may be necessary to give providers of such services located outside the EU or the EEA access to the IT systems. In such cases, Arcada will make sure that the supplier meets the requirements for adequate level of protection or that appropriate safeguards are provided in accordance with the data protection regulation articles 44-50.

12. Principles for the protection of personal data

Material in electronic format is stored in IT systems and on computers protected from unauthorized use with security measures including firewalls and passwords. The systems have different user levels, and users are granted access to the data only to the extent the user’s work tasks require.

Material in paper format is stored in locked rooms with limited access and access control.

13. Automated decision-making

Automated decisions and profiling are not made based on personal data within the register.

14. The data subject’s rights

Information about the data subject's rights can be found here.