GDPR information notice
GDPR information notice
Registration and user account
Joining the BnL is dependent on providing the following information and supporting documents: surname, first name, date of birth, private address, e-mail address, and copy of an ID document or a digital signature. The BnL reserves the right to require provision of proof of residency and/or proof of enrolment at a secondary- or higher-education establishment approved by the State of Luxembourg.
This information (the “personal data”) is necessary to validate the registration and to open a personal reader account. A printed copy of the registration form is retained in the BnL archives. The registration period with the BnL is two years, unless extended. Twenty-four months after expiry of all the user’s enrolments with libraries in the bibnet.lu network, the personal data will be erased automatically. The loans history will be retained in an anonymised fashion for the statistical reporting to be given by the library. The personal data will be recorded in the “shared file of readers” of the integrated system for management of the network of Luxembourgish libraries bibnet.lu, which is jointly shared by the member libraries in the network. The list of member libraries can be viewed at www.bibnet.lu.
The username and password are common to all libraries in the bibnet.lu network where the user is registered or can join. The personal data is liable to be processed by a limited number of persons duly authorised and trained for the purposes set out below.
Personal data is gathered and processed for:
- Joining the BnL and updating the data on the reader account;
- Reservations for loans and for viewing documents at the library, and for reproduction of documents;
- Requests for international loans;
- Contacting the user for reservations, reminders and fines on loans;
- Use of IT tools provided by the BnL;
- Access to and viewing online resources provided for the user by the BnL;
- Preparation of anonymised statistics to improve the services offered by the BnL;
- Detection of frauds and abuses whilst using the digital resources provided for the user by the BnL;
- Managing requests under the right to access, to rectification, to object to processing and other rights in relation to personal data by the BnL;
- Subscribing to the BnL newsletter, managed with the assistance of the subcontractor Mailjet, Paris.
Access to digital ressources
When the user accesses the digital resources of the BnL’s digital library, their personal data are processed by the BnL. The BnL manages an infrastructure for authentication and access to its digital resources.
The processed data are:
- A session cookie containing a unique identifier (deleted after 120 minutes of inactivity) to manage the user’s access to digital resources.
- An access log including the user’s IP address and the resources consulted to establish usage statistics. The IP address is anonymised after 18 months.
- A user log including the username and the resources consulted (kept for 30 days) to identify improper use of the resources (such as systematic or automated downloading of data).
For data processed by publishers of digital resources, please consult their respective data protection policies.
Visitors and external contractors
Lawfulness of data processing
The BnL processes your data in order to comply with a legal obligation to which it is subject (Article 6(1)(c) GDPR) and, on a subsidiary basis, for the performance of a task carried out in the public interest or in the exercise of official authority vested in it (Article 6(1)(e) GDPR), on the basis of the following legal provisions:
- Law of 19 March 1988 concerning security in state administrations and services, in public establishments and in schools (Articles 4(c)(d)(e) and 7).
- Law of 25 June 2004 on the reorganisation of the State’s cultural institutes.
- Amended Grand-Ducal Regulation of 13 June 1979 concerning safety guidelines in the civil service (Chapter 20).
The BnL processes the following categories of data:
- Your identification data (surname, first name, and the company for which you work).
- Information relating to the date of your visit as well as entry and exit times.
- The purpose of your visit.
- For external contractors, a mobile phone number for contact purposes, if needed.
Purposes of processing
Your data are processed for the following purposes:
- Ensuring and managing the physical security and access control of the building, in order to guarantee that only authorised visitors enter the premises.
- Protecting persons and property.
- Identifying visitors and accompanying them within the premises.
- Ensuring the swift evacuation of staff and visitors in the event of an incident.
- Alerting, in due time, emergency, fire, or police services and facilitating their intervention.
Sources of data and recipients
The data processed by the BnL are obtained directly from the information you provide to the reception staff when visiting a BnL agent.
In the performance of its public-interest missions and its legal obligations, the BnL may transmit your data to the following categories of recipients:
- Reception staff.
- In the event of the exercise of your rights, the Data Protection Officer (DPO) and the Head of Administration.
- In an emergency, the building’s security team and emergency, fire, or police services.
- Where applicable, the competent authorities.
Collection of data from the data subject: mandatory nature and consequences of refusal
Providing visitor identification data is mandatory. Refusal to provide the requested data will result in a denial of access to the BnL premises.
Retention period
Your data will be stored in an identifiable form for a period of three months from the date of collection.
The above retention periods apply without prejudice to any further processing for compatible purposes, in particular for statistical purposes or in the context of ongoing legal proceedings.
Rights
The Director of the BnL, under the authority of the Minister with Culture under their responsibilities, together with the other libraries in the bibnet.lu network, is the data controller under the EU’s GDPR Directive of 27 April 2016 (2016/679).
The user has a right of access to and a right of rectification of the personal data concerning him or her. Any modification to the personal data can be made directly at the reception desk at the BnL or online, via the reader account on the site www.a-z.lu.
The user has the right to unsubscribe from the newsletter via a link provided in each e-mail or by contacting the BnL. The retention period for the user’s e-mail address in the newsletter database shall not exceed that of their subscription.
The user similarly has the right to withdraw their consent to inclusion of their personal data in the shared file of readers for the network bibnet.lu, to object to processing of their personal data, to request erasure of personal data, to request restriction of processing, and to request portability of the personal data relating to them.
The user also has the option to lodge a complaint, in the event of failure(s) to respect the applicable rules with regard to protection of personal data, to a supervisory body such as the Luxembourg Data Protection Commission (Commission nationale pour la protection des données, CNPD).
In certain cases envisaged under Directive (EU) 2016/679, the BnL can contest these rights. Deleting personal data causes the user to lose access to the loans service and to the IT services of the BnL.
For further information on the contents or the manner of exercising rights, or of exercising the said rights, the user can contact the BnL via e-mail to dpo@bnl.etat.lu or by writing to the following postal address.
Last update