Joining the BnL is dependent on providing the following information and supporting documents: surname, first name, date of birth, private address, e-mail address, and copy of an ID document or a digital signature. The BnL reserves the right to require provision of proof of residency and/or proof of enrolment at a secondary- or higher-education establishment approved by the State of Luxembourg.

This information (the “personal data”) is necessary to validate the registration and to open a personal reader account. A printed copy of the registration form is retained in the BnL archives. The registration period with the BnL is two years, unless extended. Twenty-four months after expiry of all the user’s enrolments with libraries in the bibnet.lu network, the personal data will be erased automatically. The loans history will be retained in an anonymised fashion for the statistical reporting to be given by the library. The personal data will be recorded in the “shared file of readers” of the integrated system for management of the network of Luxembourgish libraries bibnet.lu, which is jointly shared by the member libraries in the network. The list of member libraries can be viewed at www.bibnet.lu.

The username and password are common to all libraries in the bibnet.lu network where the user is registered or can join. The personal data is liable to be processed by a limited number of persons duly authorised and trained for the purposes set out below.

Personal data is gathered and processed for:

• Joining the BnL and updating the data on the reader account;
• Reservations for loans and for viewing documents at the library, and for reproduction of documents;
• Requests for international loans;
• Contacting the user for reservations, reminders and fines on loans;
• Use of IT tools provided by the BnL;
• Access to and viewing online resources provided for the user by the BnL;
• Preparation of anonymised statistics to improve the services offered by the BnL;
• Detection of frauds and abuses whilst using the digital resources provided for the user by the BnL;
• Managing requests under the right to access, to rectification, to object to processing and other rights in relation to personal data by the BnL;
• Subscribing to the BnL newsletter, managed with the assistance of the subcontractor Mailjet, Paris.

When the user accesses the digital resources of the BnL’s digital library, their personal data are processed by the BnL. The BnL manages an infrastructure for authentication and access to its digital resources.

The processed data are:

• A session cookie containing a unique identifier (deleted after 120 minutes of inactivity) to manage the user’s access to digital resources.
• An access log including the user’s IP address and the resources consulted to establish usage statistics. The IP address is anonymised after 18 months.
• A user log including the username and the resources consulted (kept for 30 days) to identify improper use of the resources (such as systematic or automated downloading of data).

For data processed by publishers of digital resources, please consult their respective data protection policies.

Lawfulness of data processing

The BnL processes your data in order to comply with a legal obligation to which it is subject (Article 6(1)(c) GDPR) and, on a subsidiary basis, for the performance of a task carried out in the public interest or in the exercise of official authority vested in it (Article 6(1)(e) GDPR), on the basis of the following legal provisions:

• Law of 19 March 1988 concerning security in state administrations and services, in public establishments and in schools (Articles 4(c)(d)(e) and 7).
• Law of 25 June 2004 on the reorganisation of the State’s cultural institutes.
• Amended Grand-Ducal Regulation of 13 June 1979 concerning safety guidelines in the civil service (Chapter 20).

The BnL processes the following categories of data:

• Your identification data (surname, first name, and the company for which you work).
• Information relating to the date of your visit as well as entry and exit times.
• The purpose of your visit.
• For external contractors, a mobile phone number for contact purposes, if needed.

Purposes of processing

Your data are processed for the following purposes:

• Ensuring and managing the physical security and access control of the building, in order to guarantee that only authorised visitors enter the premises.
• Protecting persons and property.
• Identifying visitors and accompanying them within the premises.
• Ensuring the swift evacuation of staff and visitors in the event of an incident.
• Alerting, in due time, emergency, fire, or police services and facilitating their intervention.

Sources of data and recipients

The data processed by the BnL are obtained directly from the information you provide to the reception staff when visiting a BnL agent.

In the performance of its public-interest missions and its legal obligations, the BnL may transmit your data to the following categories of recipients:

• Reception staff.
• In the event of the exercise of your rights, the Data Protection Officer (DPO) and the Head of Administration.
• In an emergency, the building’s security team and emergency, fire, or police services.
• Where applicable, the competent authorities.

Collection of data from the data subject: mandatory nature and consequences of refusal

Providing visitor identification data is mandatory. Refusal to provide the requested data will result in a denial of access to the BnL premises.

Retention period

Your data will be stored in an identifiable form for a period of three months from the date of collection.

The above retention periods apply without prejudice to any further processing for compatible purposes, in particular for statistical purposes or in the context of ongoing legal proceedings.