Privacy policy

System:

• CCTV.
• Visitor registration.

Purpose:
Safety of staff, visitors and materials in the National Library’s collections.

Data processing:

• Storage of moving images.
• Storage of external meeting participants.

Personal data categories:

• Moving images of visitors.
• Moving images of staff.
• Moving images of entrance.
• Names of visitors.
• Names of visitors’ organisations.
• Time of meeting.
• Name of employee.

Basis for processing:
Article 6(1) f – The processing is necessary for a legitimate interest that overrides privacy concerns.

Period of storage:
Video materials will be stored for 7 days.

Information about the visitor is deleted once the visit has been completed.

System:

• Eduroam
• Guest network

Purpose:
Offer visitors access to the internet on their own devices.

Data processing:

• Storage of contact information (phone number)
• Storage of MAC address
• Storage of time stamp
• Storage of provider
• Storage of username (eduroam)

Personal data categories:

• Mobile phone number
• Time and date
• MAC address
• Telephony provider
• Username (eduroam)

Basis for processing:
Article 6(1) b – The processing is necessary for the performance of a contract.

Period of storage:
All personal data is deleted or anonymised once the contract has been fulfilled.

System:
Mitt bibliotek (My Library) – www.nb.no

Purpose:
Offer storage and administration of favourites in the online library for ease of retrieval.

Data processing:

• List view of your chosen favourites
• Use of copyrighted material to which you have been granted access (access roles) where relevant

Personal data categories:

• Name.
• Email.
• Unique ID from an authentication service where relevant.
• Password if you choose the National Library as your authentication service.
• List of favourites.
• Time of last login.
• Any available access roles.

Basis for processing:
Article 6(1) b – The processing is necessary for the performance of a contract.

Period of storage:
Personal data on the user must be deleted when the user cancels the contract or when the user has been inactive for three years.

System:

• PureService
• Email
• Letter
• Telephone

Purpose:
Maintain communication with external parties where the communication is initiated externally.

Data processing:

• Storage of contact information.
• Storage of communication content.

Personal data categories:

• Contact information (email, name, telephone number).
• Communication content.

Basis for processing:
Article 6(1) c – The processing is necessary for compliance with a legal obligation, cf. the Public Administration Act – duty to provide guidance.

Period of storage:
Personal data is deleted or anonymised once the guidance has been completed.
Information that is of no value as documentation or as a subject of processing will be deleted.

System:
Websites – www.nb.no, lokalhistoriewiki.no, www.bibliotekutvikling.no.

Purpose:
Provide information about the National Library’s services, locations, events etc.

The National Library’s public websites do not store personal data.

Read more about the National Library’s use of cookies and privacy.

System:

• Alma
• Bibliofil –  does not apply to the online store
• Biblioteksøk
• National library card

Purpose:
Solutions that allow you to borrow and reserve media from the National Library.

Interlibrary lending for all Norwegian libraries and library users.

Standardised solution for national registration of library users.

Data processing:

• Storage of user’s contact information.
• Storage of orders.
• Storage of information about borrowed media.
• Sharing between Norwegian libraries of user’s contact information.

Personal data categories:

• Contact information: name, address, email address, telephone number.
• Information about any guardianships.
• National identity number.
• Gender.
• Library card number.
• Local library.
• PIN/password.
• Message to the borrower.
• Lending and ordering information (active loans (including any reminders), active orders, active interlibrary orders).
• Any outstanding balances (reminders and bills) and the media to which the balance pertains.
• Borrowing history (requires explicit consent).
• Messages to user (reminders issued, bills, reservation letters).

Basis for processing:
Article 6(1) b – The processing is necessary for the performance of a contract.
Article 6(1) e – The processing is necessary for the performance of a task carried out in the public interest. Cf. the Public Libraries Act Section 9.

Period of storage:
Information about orders and loans must be deleted or anonymised as soon as possible after the loan has been completed and no later than after 72 hours.

Personal data on the user must be deleted when the user cancels the contract or when the user has been inactive for three years.

System:
Webcruiter recruitment system – webcruiter.no

Purpose:
Process applications for advertised positions and practice placements at the National Library.

Data processing:

• Registration of the job applicant’s personal details.
• Storage of the job applicant’s personal details.
• Application processing.

Personal data categories:

• Applicant’s contact information, e.g. name, address, telephone number, email address.
• Personal data provided in the application.

Basis for processing:
Article 6(1) b – The processing is necessary for the performance of a contract.

Period of storage:
Personal data is stored for up to two years after the application has been processed.

Purpose:
Collect, store, and make available the National Library’s collections.

Data processing:

• Collection
• Cataloguing
• Digitalisation
• Collation
• Analysis
• Research
• Submission

Personal data categories:

• Unstructured data in the form of text, audio, images, video etc. may contain both personal data and sensitive personal data.

Basis for processing:
Article 6(1) e – The processing is necessary for the performance of a task carried out in the public interest, cf. the Legal Deposit Act with associated regulations.
Article 6(1) e – The processing is necessary for the performance of a task carried out in the public interest, cf. the Personal Data Act Section 8.
Article 9(2) j, cf. the Personal Data Act Section 9.

Period of storage:
As a general rule, materials held in the National Library’s collections should not be deleted. However, in the case of the online archive, a request may be made to restrict access to or delete personal data contained in the materials if the information has been placed in the public domain in error. Information not in the public domain or information which concerns minors or persons under guardianship must be restricted or deleted on request.

Purpose:
Make available and maintain a catalogue of materials/publications.

Data processing:

• Registration.
• Publication of bibliographical indices.
• Compilation of bibliographical data.
• Storage.
• Submission.

Personal data categories:

• Author’s name.
• Year of birth/death.
• Gender.
• Publications.
• Biographical data.

Basis for processing:
Article 6(1) e – The processing is necessary for the performance of a task carried out in the public interest, cf. the Legal Deposit Act with associated regulations.
Article 6(1) e – The processing is necessary for the performance of a task carried out in the public interest, cf. the Personal Data Act Section 8.

Period of storage:
As a general rule, the National Library’s catalogues should not be deleted.

System:
Oria

Purpose:
Ensure consistency in the use of names and renditions in order to facilitate reuse of library data and increase precision when searching library catalogues.

Data processing:
Collection, storage and publication.

Personal data categories:

• Name and preferred rendition
• Year of birth/death
• Gender
• Country
• Profession
• Other renditions of name
• References to other authority files

Basis for processing:
Article 6(1) e – The processing is necessary for the performance of a task carried out in the public interest, cf. the Public Libraries Act Section 9: “The central government tasks include library objectives that do not naturally form part of the individual municipality’s area of responsibility or which are of special importance to the maintenance of a national library system.”

The processing of personal data is necessary to be able to create and publish a well functioning national index of authority records.

Period of storage:
As a general rule, entries in the National Authority Index should not be deleted.

System:
Application for research workspace – https://www.nb.no/forskning/forskarplassar/soknad-om-forskarplass/

Purpose:
Enable researchers to reserve workspaces in the National Library’s premises in Oslo.

Data processing:

• Storage of contact information.
• Storage of national identity no.
• Storage of free-text fields associated with the application.

Personal data categories:

• Contact information (name, surname, address, email address, telephone number).
• Position.
• Project title.
• Information about the type of materials requested.
• Time frame for the project.
• Publication plan for the project.

Basis for processing:
Article 6(1) b – The processing is necessary for the performance of a contract.

Period of storage:
The personal data is deleted when an application is rejected or when the time frame for the project has been reached.

System:
Apply for standard serial number – https://www.nb.no/standardnummerering/

Purpose:
Enable publishers to apply for a unique ID for their publication.

Data processing:

• Storage of contact information.
• Storage of information about the publication.

Personal data categories:

• Name of publisher.
• Contact information.
• First publication.
• Planned publication.

Basis for processing:
Article 6(1) b – The processing is necessary for the performance of a contract.

Period of storage:
Contact information required solely for the purposes of allocating a standard serial number must be deleted once a contract has been entered into.

System:
Orders placed with the newspaper service – https://www.nb.no/samlingen/aviser/bestill-fra-avistjenesten/

Purpose:
Offer copies of the collection either digitally or on paper.

Data processing:

• Storage of contact information.
• Storage of ordering information.
• Sharing with billing system.

Personal data categories:

• Name.
• Address.
• Information about the order.

Basis for processing:
Article 6(1) b – The processing is necessary for the performance of a contract.

Period of storage:
All personal information is deleted once the contract has been fulfilled.
Information about billing is filed according to the provisions of the Accounting Act.

1)    For the public

System: Questback
Purpose: Facilitate registration for events
Data processing: Collection and storage of personal data
Personal data categories: Email address, name, place of work / institution, food allergies (if food is being served at the event)
Basis for processing: Article 6(1) a – Consent
Period of storage: The personal data is deleted when the event has been completed

2)    For participants on stage during events

System: Mediasite
Purpose: Ensure streaming and permanent recording of events (audio, images, video)
Data processing: Storage and publication of personal data
Personal data categories: Name of participant on stage, audio/images/video
Basis for processing: Article 6(1) a – Consent
Period of storage: Streaming is only available at the time the seminar/event is taking place, but the recording will be stored for as long as it remains relevant or for as long as it needs to be stored for historical, statistical or scientific purposes.

System: Mailchimp
Purpose: Distribution of newsletter
Data processing: Storage of personal data
Personal data categories: Email
Basis for processing: Article 6(1) b – The processing is necessary for the performance of a contract
Period of storage: The data is deleted when the registrant cancels their subscription

System: WordPress with Event Ticket Plus from Modern Tribe
Purpose: Enable reservations for our events
Data processing: Storage of personal data
Personal data categories: Email
Basis for processing: Article 6(1) b – The processing is necessary for the performance of a contract.
Period of storage: The data is stored for statistical purposes for one week, commencing once the event has been completed.

www.nb.no uses certain external providers to give its users a better service. Please note that these providers may have their own policies determining how they run their websites and how they collect and use personal information.

This applies to the following websites:

• Sharing of information with Google Maps if you visit www.nb.no/besok. (Privacy policy)

You can also read more about our use of cookies here.

The National Library has a presence on some external platforms. Please note that these providers have their own terms of use and that the end user must familiarise themselves with these terms before using the service.

This applies to the following platforms:

• Facebook – Social platform
• Twitter – Social platform
• YouTube – Social platform and video-sharing site
• SoundCloud – Audio-sharing
• iTunes Connect – Audio-sharing
• Instagram – Picture-sharing site / social platform
• Mediasite – Event streaming etc.

Personal data is any information about an identified or identifiable natural person.

Personal data processing is any use of personal data, e.g. collection, registration, collation, storage, disclosure or a combination of these.

The registrant’s rights:

The right to be informed
As a registrant you are entitled to receive information when your personal data is being processed. Information about personal data processing must be provided by the data controller (the National Library) both when the data is collected and when the registrant otherwise requests it. The National Library has provided this information in this document and will refer to the document in the event of an information request.

Right of access
Persons registered in the National Library’s systems are entitled to view the information held on them.

Right to rectification
You are entitled to contact the National Library and request that incorrect information be rectified. This also means that you have the right to supplement incomplete personal data that is relevant to the purpose of the processing.

Right to erasure, “right to be forgotten”
You are entitled to contact the National Library and ask that personal data linked to you be erased. The data must be erased in the following instances:

• If the personal data is no longer needed for the purpose for which it was collected.
• If the processing is based on consent and your consent has been revoked.
• If you object to processing under Art. 21(1) of the GDPR and there are no compelling legitimate grounds for the processing, or you object to direct marketing in accordance with Article 21(2).
• If the personal data has been processed unlawfully.
• If deletion is necessary in order to fulfil a legal obligation.
• If the data was collected when offering information society services to children.

Please note that the right to erasure does not apply where the processing is necessary, including:

• In order to exercise the right to freedom of expression and information
• In order to comply with a legal obligation that requires processing under EU law or Norwegian legislation or to perform a task that is in the public interest or to exercise official authority vested in the National Library
• For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of the purpose of that processing
• For the establishment, exercise or defence of legal claims

Right to restrict processing
You have the right to request restricted processing of your personal data. Restriction means that your data is labelled with a view to restricting its future use. The right to restrict processing applies where you believe that the data being processed is incorrect and have requested a rectification, for example.

Right to object
You have the right to object to personal data on you being processed when the data is processed pursuant to GDPR Art. 6(1) letters e and f, or if the personal data is being processed for the purpose of direct marketing or profiling related to direct marketing. For reasons relating to your personal situation, you may also object to the processing if the personal data is being processed for the purposes of scientific or historical research or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or that similarly significantly affect you.

Please note that there are certain exceptions from these rights in addition to the exceptions listed consecutively above:

Exceptions to the right to be informed and the right of access
The right to be informed and the right of access under the general data protection regulation do not apply to information which:

• under the law or pursuant to the law is subject to confidentiality

Exceptions to the registrant’s rights when processing personal data for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes
The right of access under GDPR Article 15 does not apply to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as

a) it would involve a disproportionate effort, or
b) right of access is likely to render impossible or seriously impair the achievement of the objectives of that processing.

The right to rectification and restriction of processing does not apply to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as this right is likely to render impossible or seriously impair the achievement of the objectives of that processing.

However, the exemptions do not apply if the processing will have a legal effect or actual direct effect on the registrant.

Requests from registrants must be answered free of charge and within 30 days.

Whom do we share our information with?

Your personal data will be made available to employees who need to access it in order to fulfil their functions at the library in respect of the services you have requested or agreed to use. The library uses third-party suppliers to fulfil certain functions or to offer certain services on our behalf. The National Library has entered into data processing agreements with all its data processors to ensure that your personal data is processed correctly.