1. In short, what does this policy entail?
The Lucian Blaga Central University Library (“CUL”) is the operator of your personal data under the terms of the General Data Protection Regulation (henceforth, “GDPR”).
This policy describes the means through which CUL collects and processes your personal data and the reasons for which this data is collected when you use our services or you visit our website – www.bcucluj.ro – hereinafter referred to as “Website”.
2. What type of personal data do we collect?
To make it easier for you to interact with us, our website provides a series of forms. Among other things, these forms ask you to provide personal data, insofar as we need it to answer your message/request. This data is as follows:
- Email address
- Shipping address
- Library card barcode (if you have one)
- Phone number
Online request for books and periodicals:
- Library card barcode (if you have one)
When you access our website, certain data is collected automatically. This data is anonymous and cannot reveal your identity. The information we refer to is as follows:
- Your IP address or the IP address of the proxy server (if you are using one)
- The name of the domain you accessed (e.g. bcucluj.ro)
- The name of your internet provider (this data is sometimes collected depending on the settings the internet provider established)
- The date and time you accessed the website
- The duration of your visit
- The pages you accessed on our website
- The website from which you accessed our website (if you did not access it directly)
- The operating system, the browser and the display resolution of the equipment you used to access our website
3. How do we use this information and what is the legal basis for collecting it?
CUL processes your personal data for the following purposes, when CUL or its commissioners have a legitimate interest, in accordance with Art. 6 (1) (f) of GDPR:
- Communicating with you when you send a message through the contact form
- Processing your requests
- Monitoring website activity, for example in order to avoid fraudulent actions
- Providing an improved experience on our website
- Analysing the website traffic
4. To whom do we reveal your personal data? Categories of commissioners
CUL reveals your personal data to the following commissioners:
- IT services providers
- Courier companies through which we ship the items you requested
- State authorities in connection with the legal obligations by which we must abide
- A third party, in order to respond to requests regarding an investigation or a suspicion of illegal activity
- A third party, in order to protect our rights or to counter financial or reputation risks
- Other recipients when we are allowed or we are required by the law
Data is transmitted depending on the concrete situation and is limited to the objective of the processing. Through the contracts signed with the commissioners, we ensure that the GDPR provisions are abided by. Furthermore, the commissioners abide by the GDPR provisions in a similar way to the operators (including as regards the requirement of deleting or returning the data).
Please note: The use of commissioners is justified by business purposes; they are often specialised, professional services that can manage the necessary volumes and can provide the technology by which the operator can carry out its duties.
The data is not transmitted to all commissioners at the same time.
5. Your rights
GDPR confers more rights to those whose personal data is processed. In short, we shall explain these rights as follows:
- The right to be informed is your right to know what type of personal data we collect from you and how we use it
- The right of access is your right to receive a confirmation from us regarding whether or not we processed your data. If we processed your data, we must provide you with access to your data and with information regarding the ways in which it was processed
- The right to data portability is your right to receive your personal data in a structured format that can be read automatically and that can be directly transmitted to another operator
- The right to object is your right to object to the processing of your personal data when it serves a public interest or a legitimate interest of ours
- The right to rectification is your right to correct, with no unjustified delays, your inexact personal data
- The right to erasure / the right to be forgotten is your right to have us erase the collected data with no unjustified delays, in any of the following situations: the data is no longer necessary to fulfil the purpose for which it had been collected; you withdrew your consent and there is no other legal basis for processing; you oppose processing; your data was collected illegally; the data must be erased in order to abide by a legal obligation; the data was collected in connection with the offering of information society services
- The right to restrict processing can be exercised if the accuracy of the data is contested, for a period of time that is enough to verify the data; if the processing is illegal and the user does not wish to erase the data, but to restrict its use; if we no longer need the personal data for processing purposes, but the user requests the data in order to defend a right in court; if the user opposed the processing, for the period during which it is verified whether the legitimate rights prevail over the user’s rights
- Rights in relation to automated decision making and profiling – the right to not be subjected to a decision when it is based on automatic processing. GDPR defines profiling as any automatic form of processing with the purpose of evaluating certain personal aspects, such as work performance, health, personal preferences, financial situation, location and others. If an organisation uses profiling, it must take certain security measures, the personal data must be secured and there must be certain measures that allow for the anomalies to be corrected with a minimum risk of error.
6. How long is your personal data stored?
The personal data collected through forms is NOT stored on the website. It is sent directly via email to those who handle your message/request.
The statistical data collected on your equipment is stored for 14 months.
7. How do we keep your data safe?
The safety of your personal data is very important to us. Therefore, we pledge to apply all technical and organisational measures to ensure the safety of your personal data, its protection from destruction, modification, disclosure or unauthorised access. The communication between your browser and the server is secured, using SSL.
8. Contact and support for your data
You can exercise all of your rights through a written, dated and signed request, sent to us via:
- Post office, address: Clinicilor Street, No. 2, Cluj-Napoca, Cluj County, Romania
- Email: firstname.lastname@example.org
In addition, starting with 25 May 2018, if you believe that we violated any of your rights in this respect, you can address The National Supervisory Authority For Personal Data Processing.