Data protection information
Data protection information for users of and parties interested in the services, including marketing, of the Austrian National Library.
The Austrian National Library, Josefsplatz 1, 1015 Vienna, federal scientific institution under public law under company register number 221029v of the Vienna Commercial Court, P.O. Box 25, Tel.: +43 1 534 10, Fax: +43 1 534 10-280, e-mail: onb@onb.ac.at, respects and protects the data protection and privacy rights of its users and interested parties and takes all legally required measures to protect their personal data. The Austrian National Library is the “controller” under data protection law with regard to the processing activities of personal data presented below. The Data Protection Officer of the Austrian National Library can be reached at datenschutz@onb.ac.at and by post to Österreichische Nationalbibliothek, Josefsplatz 1, 1015 Vienna, FAO the Data Protection Officer.
As a result, you can quickly and easily obtain an overview of which personal data of you as the user of and/or party interested in the services (both online and offline) of the Austrian National Library are processed for what purposes and on what legal basis. Furthermore, we will inform you about the (possible) recipients of your data and your data protection rights, the so-called rights of data subjects.
1. Management of users of library facilities (library at the Heldenplatz and collections) of the Austrian National Library, including reading room orders, local loans, interlibrary loans, Wi-Fi registration and special authorisations
1.1. Interested parties and eventual users can register for the use of the library at Heldenplatz and the collections of the Austrian National Library. According to the library and museum regulations of the Austrian National Library on the basis of the Federal Museums Act 2002 and the rules of use of the Austrian National Library, special permits are required for the use of certain services, e.g. for the use of the researcher’s reading room or for the authorisation for local loans.
1.2. The Austrian National Library processes the data provided by the users (including photo, proof of place of residence and photo ID, proof of academic degree and research projects) as well as their change history, the user ID (generated in the management system), in the area of the library at the Heldenplatz and special area researcher reading room also entrance and exit (hub), special permits, order and borrowing data (in the case of lending valuable objects, under certain circumstances, also the signature), including deposit and related payment details (bank details and document dates including dunning dates, if any) and any evidence of necessity, as well as other billing data, for the fulfilment of contractual obligations or for carrying out pre-contractual measures, which take place at the request of the user, namely the registration (Art. 6 (1) (b) GDPR in connection with the library and museum regulations of the Austrian National Library). The provision of the data is required for the conclusion of the contract and, if not provided, registration may not be carried out, nor may the services be used or orders be placed.
1.3. In order to provide the service, the Austrian National Library uses the IT service providers Amepheas GmbH and LG Nexera Business Solutions AG, both domiciled in Vienna, for user management, and the payment service provider WireCard AG, domiciled in Graz, for credit card payment processing, which are given access to the above-mentioned data in the context of maintenance services or WireCard for payment processing. In the library area, user data are transferred during registration for the purpose of ordering holdings online via interface from the master data management to Amepheas, as well as to the library system Alma, operated by the IT service provider ExLibris GmbH, domiciled in Germany. The Austrian National Library has concluded corresponding data protection agreements with all service providers, thus ensuring that user data are lawfully and securely processed.
1.4. Personal data of users are stored for up to three years after the end of the user authorisation (annual pass) and, in connection with payment and thus tax-relevant data, for seven years (Art. 6 (1) (c) GDPR in conjunction with Sec. 132 BAO and also the Accounting Guidelines for Federal Museums). Access to the library will be automatically deleted after eight weeks at the latest.
2. Online orders of reproductions
2.1. Interested parties and then users can register online to order reproductions of holdings of the Austrian National Library (picture archive, other reproductions).
2.2. The Austrian National Library processes the data provided by users and the billing data and related payment data (bank details and document dates including dunning dates, if any) and any correspondence data in this connection required for contractual fulfilment or for carrying out pre-contractual measures, which are performed at the request of the users, namely the registration (Article 6 (1) (b) GDPR in conjunction with the library and museum regulations of the Austrian National Library). The provision of the data is required in connection with the conclusion or the execution of the contract and, if not provided, neither registration nor an order nor the contract itself can be carried out.
2.3. In order to provide the service, the Austrian National Library uses, in particular, the IT service providers Mesonic Datenverarbeitung Ges.mbH and LG Nexera Business Solutions AG, both domiciled in Vienna, and the payment service provider WireCard AG, domiciled in Graz, for credit card payment processing, which in the context of maintenance services under certain circumstances, or Wirecard for credit card payment processing, are given access to the above-mentioned data. The Austrian National Library has concluded corresponding data protection agreements with all service providers, thus ensuring that user data are lawfully and securely processed.
2.4. Personal data of users are stored in connection with registration in the system and in connection with the contract for the duration of the contract and seven years thereafter (Art. 6 (1) (c) GDPR in conjunction with Sec. 132 BAO and also the Accounting Guidelines for Federal Museums).
3. Website of the Austrian National Library, including information services (“LibraryH3lp”, “OTRS”) and WebApp
3.1. Interested parties and users can access information from and about the Austrian National Library on its website at https://www.onb.ac.at/. The following cookies are used in this respect:
Session cookies:
In order enable you to use our Internet services, we use so-called session cookies that are stored in the memory of your computer. A randomly generated identification number (session ID) is stored in a session cookie. It also contains details about its origin and storage period. However, session cookies cannot store any other data.
Session cookies are required by our server so as to make a distinction between the enquiries of various visitors. Blocking these cookies may result in some functions of our website not working properly. Session cookies do not enable us to see data on your computer. Moreover, they are automatically deleted at the end of your session, i.e. after closing of the browser window.
Persistent cookies:
Persistent (permanent) cookies are not deleted after closing your browser but remain on your computer. These cookies cannot be used either to read data on your computer. A persistent cookie is used by our website to restore the settings you made once (e.g. regarding your screen display) next time you return. We do not use this cookie for analysing or tracking purposes. Other persistent cookies are used by various other providers (exlibrisgroup.com, wikipedia.org, google.com, obvsg.at) if you make use of their additional services also offered on our websites. We have no influence over these providers and do not use these cookies for our own ends.
Your IP (internet protocol) address is submitted every time you connect to our website or our mobile app. It is required for the server to know where to send its replies to.
When connecting to our website, all IP addresses and the associated enquiries are logged by us in order to be able to investigate attacks on our website if required. Moreover, all access operations are analysed for statistical purposes. These logs are deleted after four weeks at the latest.
The following details are recorded:
• IP address
• Date and time of enquiry
• Internet browser and operating system used
• Access method
• URL requested
• Page from which the file was requested
• Access status (file transferred, file not found, etc.)
• Data volume transferred
We use data from registrations and enquiries to better tailor our content and websites to the needs of our visitors. The data are summarised and anonymised by means of statistical methods. No individual user profiles are created or personal data forwarded to third parties. The data are processed on the basis of the legitimate interests of the Austrian National Library, although the interests or fundamental rights and freedoms of the visitors – already on account of the summarised or anonymised further processing (Art. 6 (1) (f) GDPR) – do not predominate, although with the predominant interest of the visitors the latter have a right to object (see below on the rights of data subjects).
3.2. As an information service, the Austrian National Library also offers a chat service (“LibraryH3lp”) and request forms (“OTRS”). As part of this, the data provided by the requesting parties, as well as the IP address and website of access, guest number, time and duration are processed in order to fulfil the service (Art. 6 (1) (b) GDPR). The provision of such data is necessary for being able to provide the service; the service cannot be used in the event of said data not being provided.
In order to provide the “LibraryH3lp” service, the Austrian National Library uses the IT service provider Nub Games, Inc, domiciled in the USA, which may be granted access to the above-mentioned data in the context of maintenance services. Since there is no European Commission data protection adequacy decision for the USA, the Austrian National Library has concluded individual data protection agreements with the service provider (so-called “Standard Contractual Clauses – SCC” adopted by the European Commission), which ensure appropriate and adequate data protection guarantees, meaning that the data of the users are processed lawfully and safely. A copy of the SCC concluded with the service provider may be requested at datenschutz@onb.ac.at.
3.3. To provide the “OTRS” service, the Austrian National Library uses the IT service provider graz4u, domiciled in Graz, which may be given access to the above-mentioned data in the context of maintenance services. The Austrian National Library has concluded corresponding data protection agreements with the service provider, thus ensuring that the data of the interested parties are processed lawfully and securely. The data are stored until further notice, at the most for a maximum of seven years.
The data of the individuals requesting the “LibraryH3lp” service will be made reconstructible in retrospect up to one month after the chat due to the legitimate interests of the Austrian National Library, where the interests or fundamental rights and freedoms of the requesting parties do not predominate (Art. 6 (1) (f) GDPR), although in the case of predominant interest of the requesting parties, they have a right to object (see below on the rights of data subjects).
4. Marketing and PR of the Austrian National Library, including information and events, e-newsletter and Facebook page
4.1. The Austrian National Library provides information about its services or events to interested parties and stakeholders and, in this context, processes their data, namely names and contact details, categories (interested party or stakeholder) and information history, on the legal basis of the legitimate interests of the Austrian National Library, in which the interests or fundamental rights and freedoms of the interested parties and stakeholders are not impaired (Art. 6 (1) (f) GDPR), otherwise the data subjects have a right to object – see below on the rights of data subjects. The provision of data by the interested parties and stakeholders may be necessary in order to make the information appropriately targeted. In order to send the information, the Austrian National Library uses a service provider who has access to sending data. The Austrian National Library has concluded corresponding data protection agreements to ensure that the data of the interested parties and stakeholders can be processed lawfully and securely. The data are stored until objection or for up to three years after the last contact.
4.2. Interested parties can register for newsletters from the Austrian National Library by providing their data, namely name and contact details, i.e. granting their consent (Art. 6, (1) (a) GDPR) to receive corresponding newsletters from the Austrian National Library, with the appropriate newsletter selection, dispatch history and possible erroneous deliveries also being processed. The provision of such data is required and, if not provided, the corresponding newsletters cannot be received. As part of the consent, the applicants will also be informed about the withdrawal process possible at any time, with a link to unsubscribe also being included in each newsletter. In order to manage and send the newsletter, the Austrian National Library uses the IT service provider eyepin GmbH, domiciled in Vienna, which may be given access to the above-mentioned data as part of maintenance services. The Austrian National Library has concluded corresponding data protection agreements, thus ensuring that the data of the interested parties are processed lawfully and securely. The data shall be stored until further notice.
4.3. Interested parties can follow the Austrian National Library’s Facebook page, comment on it, subscribe to it or even “like” it. Accordingly, the data published or shared by the interested party in Facebook shall be accessible on Facebook or the Austrian National Library. The legal basis shall be the consent of the interested party (Art. 6 (1) (a) GDPR). The provision of the data is not necessary to merely follow the Austrian National Library’s page. For the Facebook page, the Austrian National Library uses the service provider Facebook Ltd. located in Ireland, which has access to the above-mentioned data.
5. Contractual partners and cooperations
The personal data of our contractual partners and interested parties will be processed by the Austrian National Library on the legal basis of Art. 6 (1)(b) GDPR for the purpose of providing contractual or pre-contractual services or to safeguard legitimate interests (archiving and documentation purposes). Type and scope of the processed data depend on the purpose and necessity of its processing as well as on the underlying contractual relationship. The processed data will be deleted if it is no longer required for the pursuit of these purposes and for the fulfilment of contractual or statutory obligations.
Data will only be transferred to third parties if such transfer is necessary within the framework of a contract or is legally permissible. If the Austrian National Library uses service providers who work with personal data, it concludes agreements on data processing pursuant to Art. 28 GDPR in order to ensure that the date is treated confidentially.
With regard to the rights of data subjects (information, data rectification, data deletion, restriction of processing or objection to processing, data transferability, right of appeal), see item 6 below.
6. Information about data protection rights of data subjects
6.1. Right to withdraw your consent: To the extent that the processing of your data by the Austrian National Library is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Your individual declarations of consent to the Austrian National Library contain processes for the declaration of withdrawal. You can also announce withdrawal of individual consents to the Austrian National Library as follows: by e-mail to datenschutz@onb.ac.at or by letter to Österreichische Nationalbibliothek, Josefsplatz 1, 1015 Vienna, FAO the Data Protection Officer.
6.2. Right of access: You have the right to request confirmation from the Austrian National Library as to whether personal data relating to you are being processed; if this is the case, you have a right of access to these personal data (copy of personal data that is the subject of the processing) and to the following information provided by the Austrian National Library: (a) the processing purposes; (b) the categories of personal data being processed; (c) the recipients or categories of recipients to whom the personal data have been disclosed or are still to be disclosed; (d) if possible, the planned duration for which the personal data are stored or, if this is not possible, the criteria for determining that duration; (e) the right to rectification or erasure of personal data concerning them or restriction of processing by the Austrian National Library or the right to object to such processing; (f) the existence of a right to lodge a complaint with a supervisory authority; (g) if the personal data are not collected from you, all available information about the source of the data; (h) the existence of automated decision-making including profiling. The Austrian National Library will provide a copy of the personal data that are the subject of the processing. For all other copies you request, the Austrian National Library may be able to claim a reasonable fee based on the administrative costs. If you submit the application electronically, the information must be provided by the Austrian National Library in a standard electronic format, unless you specify otherwise.
6.3. Right to rectification and erasure: You have the right to demand the rectification of inaccurate personal data by the Austrian National Library without delay. Taking into account the purposes of the processing, the you have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Furthermore, you have the right to request erasure of personal data concerning you from the Austrian National Library without delay, and the Austrian National Library shall be obliged to erase personal data without delay, if one of the following reasons applies: (a) The personal data are no longer required in relation to the purposes for which they were gathered or otherwise processed. (b) You withdraw your consent on which the information was based and there is no other legal basis for the processing. (c) You successfully object to processing (see below). (4) The personal data have been unlawfully processed. (e) The erasure of personal data is required to fulfil a legal obligation to which the Austrian National Library is subject. (f) The personal data have been collected in relation to information society services offered (consent of a child). The right to erasure does not exist, in particular, if processing is necessary for the fulfilment of a legal obligation by the Austrian National Library and/or for the establishment, exercise or defence of legal claims.
6.4. Right to restriction of processing: You have the right to request the Austrian National Library to restrict processing if one of the following conditions is met: (a) the accuracy of the personal data is/was contested by you for a period of time enabling the Austrian National Library to verify the accuracy of your personal data; (b) the processing is unlawful and you have objected to the erasure of personal data and instead required the restriction of the use of personal data; (c) the Austrian National Library no longer needs the personal data for the purposes of processing, but you need them according to your duly substantiated statement to establish, exercise or defend legal claims; or (d) you object to the processing, the restriction being made while it is still not clear whether the legitimate grounds of the Austrian National Library override yours. If the processing of personal data was restricted, these personal data, with the exception of storage, may only be processed with your consent or for the establishment, exercise or defence of legal claims or to defend the rights of another natural person or legal entity or for reasons of important public interest of the Union or a member state. If you have obtained a restriction on the processing, you will be informed by the Austrian National Library before the restriction is suspended.
6.5. Right to data portability: If processing is based on consent or on a contract and the processing is done by automated means, you have the right to receive the personal data relating to you provided to the Austrian National Library in a structured, standard and machine-readable format. In exercising your right to data portability, you have the right to ensure that the personal data are transmitted directly from the Austrian National Library to another controller, to the extent this is technically feasible.
6.6. Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data relating to the performance of a task in the public interest or in the exercise of official authority assigned to the Austrian National Library,or that is required to protect the legitimate interests of the Austrian National Library or a third party The Austrian National Library will then no longer process personal data unless the Austrian National Library demonstrates compelling legitimate grounds for processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. If personal data are processed to perform direct marketing, you shall have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
6.7. Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your normal place of residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the statutory requirements. The Austrian Data Protection Authority can be reached at: Wickenburggasse 8, 1080 Vienna, Telephone: +43152152-0, e-mail: dsb@dsb.gv.at, website: https://www.dsb.gv.at .
Information status: October 2019