Minu Raamatukogu (MIRKO)

Procedure for processing personal data on lending platform Minu Raamatukogu (MIRKO) (Privacy policy)

The term “web pages of the service” used in this document refers to both the web pages and the MIRKO mobile application.

The following applies to both adults and minors (children) who use MIRKO services. In both cases, the same data is collected and processed when using the service. The only difference is that in the case of a child, we also process the data of his/her parent or guardian.


1. Personal data and legislation governing their processing

1.1. The chief processor of personal data in the service Minu Raamatukogu (hereinafter: service) is the National Library of Estonia (hereinafter: RaRa).

1.2. Personal data are any data that enable to identify a natural person. Processing of personal data means any act performed with personal data, except for the acts carried out with the data of legal persons and the processing of personal data on web pages that have been referred to on the web pages of the service  (external links). 

1.3. Special categories of personal data include personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purposes of uniquely identifying a natural person, medical data, and data concerning a natural person’s sexual life or sexual orientation. 

1.4. Data subject is a natural person whose data is processed by RaRa when providing the service.

1.5. The National Library processes personal data to the extent necessary for achieving the purposes of processing personal data in compliance with the Personal Data Protection Act of the Republic of Estonia and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 

2. Processing personal data when providing service

2.1. RaRa receives the personal data of users personally from the user or via their activities on the web pages of the service. The local government of the user’s registered residence shall be inquired from the population register, and the legal relationship of the minor with the guardian shall be checked from the population register.

2.2. Depending on the choices of the user of the service, RaRa  may process, for the said purposes and on legal grounds, the following data:

2.2.1. the data for identifying the person, including the person’s name, personal identification code, user identifier 

2.2.1.1.purpose: to enable the person to log in to the web page of the service to borrow publications and manage the data linked with their account

2.2.1.2. legal grounds: upon creating an account, the consent, and upon lending, an agreement to give the publications for use for free

2.2.2. contact details, including email address, telephone number, and location data, including delivery address 

2.2.2.1. purpose: required for delivering the order to the user

2.2.2.2. legal grounds: an agreement to give the publications for use for free

2.2.3. educational institution related to the person

2.2.3.1. purpose: required for establishing the right to borrow study literature

2.2.3.2. legal grounds: an agreement to give the publications for use for free

2.2.4. financial and bank information, including the cost of delivering the orders, potential arrears, account number

2.2.4.1. purpose: required for allowing the delivery of orders, conducting payments and compensating for any possible damage;

2.2.4.2. legal grounds: an agreement to give the publications for use for free;

2.2.5. Local government registered in population register

2.2.5.1. purpose: required for local governments to demonstrate the extent of benefits from the service received by their residents;

2.2.5.2. legal grounds: agreement with libraries who participate in providing the service

2.2.6. data on the parent or guardian of the minor, including data on identifying the parent or guardian, and contact information

2.2.6.1. for creating an account for the minor

2.2.6.1.1. purpose: required for creating an account for a child aged under 13 years

2.2.6.1.2. legal grounds: consent

2.2.6.2. giving the minor the right to borrow the publication

2.2.6.2.1. purpose: required for minors under 18 years for obtaining the right to borrow

2.2.6.2.2. legal grounds: an agreement to give the publications for use for free

2.2.7. data which the user has saved on their account, including the wish list, handing over a borrowed publication to another person (lending „from friend to friend“), reading history, etc., and communication data, including the content of messages submitted via the web page, email, letter, social media, web chat or telephone;

2.2.7.1. purpose: enable the user to personalise the service and find a solution to possible problems

2.2.7.2. legal grounds: consent

2.2.8. data on the use of the service and on the satisfaction with the service

2.2.8.1. purpose: continual improvement of the service

2.2.8.2. legal grounds: consent

2.2.9. information on connections, including IP-address and traces of the user’s activity saved in the log;

2.2.9.1. purpose: required for managing the website and ensuring its security, including ensuring the protection of rights of the data subject;

2.2.9.2. legal grounds: legal obligation

2.2.10. analytical data on the usage of the lending platform, including moving on web pages, duration of visits

2.2.10.1. purpose: continual improvement of the service;

2.2.10.2. legal grounds: consent

2.3. All the abovementioned data may be processed for the following purposes and on the following legal grounds:

2.3.1. in order to ensure the preservation of the data, RaRa regularly makes backup of its information systems and the data included therein – processed for the fulfilment of a task in public interest

2.3.2. to execute the rights of data subjects related to the protection of personal data – processed to fulfil obligations as required by law.

3. Usage of cookies on web page

3.1. Information related to cookies is available on the web page.

3.2. Users may regulate, at any time, the usage of cookies on the web page.

4. Processing personal data on purposes necessary for library work and identification of copyright

4.1. For purposes necessary for library work, personal data is processed in cases when the person is treated in any publication or the person is connected to the issue of any publication. These data shall be obtained from the publication, publisher and public sources.

4.2. While providing the service, the following personal data is processed for the purpose of describing and distinguishing between works meant for lending 

4.2.1. data on the author and other persons connected with the work, including the connection with the work, name, pseudonym, birth and death dates;

4.2.2. other data that can be published in the publication about the person, including personal data of different categories.

5. Personal data of employees of libraries participating in the providing of the service

5.1. RaRa obtains the personal data of the employees of libraries participating in the providing of the service from the persons themselves, their employees or via the persons’ activities in the information system of the service. 

5.2. For the said purposes and on legal grounds, RaRa may process the following personal data:

5.2.1. data for identifying a person, including name, personal ID-code and password

5.2.1.1. purpose: required for identifying the employee when they log in to the information system of the service and thus ensuring the rights of data subjects

5.2.1.2. legal grounds: contract of employment concluded with the employee

5.2.2 work-related data, including the position of the employee as well as their role and rights in the information system of the service

5.2.2.1. purpose: required for determining the rights of the employee in the information system of the service and thus ensuring the rights of data subjects

5.2.2.2.legal grounds: contract of employment concluded with the employee

5.2.3. information related to connections and activities, including traces of the user’s activity saved in the logs

5.2.3.1. purpose: required for ensuring the operation and security of the website, including the protection of the rights of data subjects

5.2.3.2. legal grounds: legal obligation.

6. Storage of personal data

6.1. In the course of providing the service, RaRa stores personal data as long as it is necessary for achieving the purpose the data had been collected for, or in accordance with requirements as required by law:

6.1.1. the personal data of any user shall be stored by RaRa generally for three years as of the last usage of the service, except

6.1.1.1. personal data on invoices that have to be stored for seven years as required by accounting rules

6.1.1.2. data related to the right of representation of a minor that shall stored until the minor attains the age of majority

6.1.1.3. upon handing over a borrowed publication to another person (lending „from friend to friend“), the name and email address of the friend that are stored for 24 hours

6.1.1.4. data in the activity logs that shall be stored for ten years as required by the Electronic Identification and Trust Services for Electronic Transactions Act;

6.1.1.5. the usage statistics of the web page which shall be stored for 50 months

6.1.2. the data of any library employee shall be deleted immediately after the corresponding library deletes the employee from the information system of the service

6.1.3. data collected for the purposes of library work shall be stored permanently by RaRa.

7. Forwarding personal data to third persons

7.1. Employees of RaRa and libraries participating in the providing of the service who have access to personal data have a contractual obligation to maintain the confidentiality of personal data that has become known to them during their work, and not to disclose the data to third persons.

7.2. The forwarding of personal data to third persons shall only be carried out on the basis of law or agreement, or with the consent of the person in question:

7.2.1. any library participating in the providing of the service – the name and order are forwarded, and where necessary, data regarding debt

7.2.2. the provider of postal service – the name, contact information and delivery address are forwarded

7.2.3. the provider of payment service – the data identifying the person, the amount paid by them are forwarded

7.2.4. the provider of authentication and digital signature service – the data identifying the person is forwarded

7.2.5. the shared information system of educational institutions – the data identifying the person and the educational institution related to them

7.2.6. the population register – the data identifying the person, the local government registered for them, confirmation of the right of representation of a parent or guardian

7.2.7. the provider of user database service – the data indentifying the person and the person’s contact information

7.2.8. the provider of web analytics service – the usage statistics of the web page

7.2.9. the provider of email service – the content of emails and their metadata

7.2.10. the provider of accounting service – the data required by accounting rules is forwarded

7.2.11. the manager of chat application – the contents of the inquiry and the name and email address of the person

7.2.12. the provider of IT-service – all data are forwarded that are collected for the usage of the information systems

7.2.13. provider of debt collection service – the data for identifying the person, the contact information of this person and information on the financial claim are forwarded

7.2.14. national authorities, including law enforcement authorities, enforcement agents or courts if they have legal grounds for making the claim – data that can be claimed under legal grounds are forwarded.

8. The rights of an individual in relation to their data

8.1. In relation to personal data that are processed when providing the service, the data subject shall have the following rights:

8.1.1. The data subject shall have the right to view their personal data that are collected on them, and to demand the transfer of the personal data whose processing is carried out automatically on the grounds of a concluded agreement or the consent of the data subject (see clauses 2 to 5). In this case RaRa will deliver the data to the data subject or, should it be technically possible, to the organisation referred to by the data subject in a structured, commonly used format and in a machine-readable form.

8.1.2. The data subject shall have the right to demand that inaccurate data be corrected or their data be deleted. The user can do it on their own by logging in to the web page of the service under the user account „My account“.

8.1.3. Where the data subject considers that their personal data are inaccurate, or that RaRa processes their personal data unlawfully, they shall be entitled to demand that the processing of their personal data be limited until RaRa has formed its opinion.

8.1.4. Where the processing of personal data is based on consent, the data subject shall have the right to withdraw it at any time.

8.1.5. The data subject shall have the right to submit objections to the processing of their personal data if this processing is based on legitimate interest or the fulfilment of a task in public interest (see clauses 2 to 5).

8.1.6. The data subject shall have the right to receive explanations on the processing of their personal data and on their rights.

8.2. In order to exercise their rights, the individual must turn to the customer support or  the Data Protection Specialist at RaRa (see clause 9) and submit an application on paper or a digitally signed application, taking into account that the rights referred to in subclauses 8.1.2 and 8.1.4 can be exercised on their own.

8.3. RaRa shall reject the application referred to in subclause 8.2 where the claim of the data subject is clearly unreasonable or where the rejection is based on law.

8.4. To protect their rights, the data subject shall have the right to turn to the Data Protection Inspectorate or initiate legal proceedings.

9. Contact information of Data Protection Specialist

9.1. Email address: [email protected]

9.2. Tel.: +372 630 7131

9.3. Postal address: Data Protection Specialist, National Library of Estonia, Narva mnt 11, 15015, Tallinn

Approved on 6 February 2023

Uudiskiri

Igakuine värske info Rahvusraamatukogu tegemiste ja ürituste kohta mugavalt otse postkasti.

Aitäh! Oled uudiskirjaga liitunud!

Palun täida kohustuslikud väljad korrektselt!

Minu Raamatukogu (MIRKO)

Minu Raamatukogu (MIRKO) teenust hoiab töös Eesti Rahvusraamatukogu.