Da­ta pri­va­cy

Data privacy statement

The German National Library takes the protection of your personal data very seriously. You have the right to know which data is collected, when it is collected, and how it is processed. We have implemented technical and organisational measures to ensure that data protection regulations are complied with.
Amendments to this data protection declaration may become necessary as we develop our website and implement new technologies in order to improve the service we offer you. For this reason, we recommend you reread this data protection declaration from time to time.

I. Name and address of data controller

Data controller within the meaning of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and other data protection legislation:

German National Library
Federal institution with legal capacity under public law, represented by its Director General
Frank Scholze
Adickesallee 1
60322 Frankfurt am Main
Germany
Telephone: +49 69 1525-0
E-mail: postfach@dnb.de
www.dnb.de

II. Contact information of the data protection officer

Adickesallee 1
60322 Frankfurt am Main
Germany
Telephone: +49 69 1525-0
E-mail: datenschutzbeauftragter@dnb.de
www.dnb.de

III. General information on data processing

1. Scope of personal data processing

In general, we only process personal data collected from our users insofar as this is necessary for the provision of a functional web presence and our content and services. As a rule, personal data provided by our users is only processed with their consent. Exceptions apply in cases where the user’s prior consent cannot be obtained on factual grounds and statutory regulations permit the processing of personal data.


2. Legal basis for the processing of personal data

Art. 6 para. 1 lit. a GDPR serves as the legal basis whenever we obtain a data subject's consent to the processing of his/her personal data.
Art. 6 para. 1 lit. b GDPR serves as the legal basis when processing personal data for the performance of a contract to which the data subject is a party. The same applies to any processing measures that are required if steps are to be taken before entering into a contract.
Art. 6 para. 1 lit. e GDPR serves as the legal basis when the processing of personal data is necessary for the performance of a task carried out in the public interest; this includes the law regarding the German National Library.
Art. 6 para. 1 lit. f GDPR serves as the legal basis when processing is necessary to safeguard the legitimate interests of the German National Library or a third party, and provided these legitimate interests are not outweighed by the data subject’s interests and fundamental rights and freedoms.


3. Data erasure and storage period

The data subject's personal data is erased or blocked as soon as the purpose for which it was stored ceases to apply. Personal data may also be stored if so specified by European or national legislators in EU regulations, laws or other provisions to which the data controller is subject. In such instances, personal data is blocked or erased when a storage period specified in any of the above-named legislation expires, unless the data has to be retained for longer in order to conclude or execute a contract.


IV. Provision of web presence and generation of log files

1. Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the accessing computer system. The following data is collected:

(1) Information about the browser type and version used
(2) The user's operating system
(3) The user's internet service provider
(4) The user's IP address
(5) Date and time at which the website was accessed
(6) Web pages accessed through our website by the user's system

This data is also stored in our system’s log files. However, it is not stored together with any other personal data pertaining to the user.

2. Legal basis for the processing of data

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

Temporary storage of the user’s IP address by the system is necessary in order to facilitate website transmission to the user's computer. The user’s IP address accordingly has to be stored for the duration of the session.
This data is stored in log files in order to safeguard the functionality of the website. We also use the data to optimise our web presence and safeguard the security of our information technology systems. Data collected in this context is not evaluated for marketing purposes.

The purposes specified above also constitute our legitimate interest in processing the data pursuant to Art. 6 para. 1 lit. f GDPR.

4. Storage period

The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. When data is collected in order to provide a website, this is the case when the respective session ends.
Data stored in log files is erased after no more than 14 days. However, data can be stored for longer periods. In such cases, the user’s IP address is erased or masked so that it can no longer be associated with the accessing client.

5. Right to object and right to erasure

The collection of data for web presence provision and the storage of data in log files are absolutely essential to the operation of the website. The user is therefore unable to exercise any right to object in this context.


V. Use of cookies

1. Description and scope of data processing

Our web presence uses cookies. Cookies are text files stored in the user’s web browser or by the web browser on the user’s computer system. Whenever a user accesses a website, a cookie can be stored on the computer’s operating system. This cookie contains a typical string of characters that enables the browser to be clearly identified when the user returns to the web presence at a future time.
We use cookies to make our website more user-friendly. Some elements on our web presence require the accessing browser to be identified after the user has moved to another web page.
The following data is stored and transmitted in the cookies:
(1) Language settings
(2) Log-in information (ID no.)

2. Legal basis for the processing of data

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

The use of technically necessary cookies is intended to simplify website use. Some of the functions on our website cannot be provided unless cookies are enabled. In these cases, it is essential that the browser is also recognised after accessing another page. The user data collected by these technically necessary cookies is not used to generate user profiles.
These purposes also constitute our legitimate interest in processing personal data pursuant to Art. 6 para. 1 lit. f GDPR.

4. Storage period, right to object and right to erasure

Cookies are stored on the user’s computer, from where they are sent to our website. This means that you as the user have complete control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing your web browser settings. Cookies already stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for our web presence, it may no longer be possible to use all the web presence’s functions in full.


VI. Newsletter

1. Description and scope of data processing

Our website offers you an opportunity to subscribe to a free newsletter. When registering for the newsletter, the data entered into the registration form (the user's e-mail address is mandatory) is sent to our service provider. You can also choose to enter your name.
In all, the following data is stored when you subscribe:

(1) E-mail address
(2) Date and time of registration
(3) IP address of the accessing computer

In order to facilitate the processing of your data, your consent is obtained during the registration procedure and you are referred to this data protection declaration.
Your data is used solely for the purpose of sending the newsletter.

2. Legal basis for the processing of data

The legal basis for processing the user's personal data after the user has subscribed to the newsletter and consented to this processing is Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing

The user’s e-mail address is collected for the purpose of delivering the newsletter.
The collection of additional personal data during the registration process is intended to prevent the improper use of services and/or of the e-mail address provided.

4. Storage period

The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. All data collected from the user is accordingly stored for as long as the newsletter subscription is active.

5. Right to object and right to erasure

Users can unsubscribe from the newsletter at any time. Each newsletter contains a link for this purpose.


VII. Registration as a deliverer of Online Publications/for the utilisation of services

1. Description and scope of data processing

We offer users the possibility to register on our website by entering their personal data. In doing so, the data is entered into an input mask, transmitted to us and stored. This data is only transmitted to third parties whenever this is necessary. The following data is collected during the registration process:

(1) First name, surname
(2) Address
(3) Telephone number
(4) E-mail address
(5) User ID number if applicable

The following data is also stored at the time the user registers:

(6) Name of the institution/company if applicable
(7) Date and time of registration
(8) User's IP address

The user's consent to the processing of this data is obtained during the registration process.

2. Legal basis for the processing of data

The legal basis for processing the user's personal data after the user has given his/her consent is Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing

User registration is necessary for the provision of certain content and services on our web presence.

4. Storage period

The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected.
For the data collected during the registration process, this is the case when the user’s registration on our website is cancelled or modified.

5. Right to object and right to erasure

Users can cancel their registration at any time. You can also have the data stored in connection with your registration amended at any time.


VIII. Contact form and e-mail contact

1. Description and scope of data processing

Our web presence contains contact forms that can be used to contact us electronically. Whenever a user makes use of this function, the data entered into the form is transmitted to us and stored. This data comprises the following:

(1) First name, surname
(2) E-mail address

Alternatively, users can contact us using the e-mail address provided. In such cases, the personal data transmitted with the e-mail is stored.

Data collected in this context is not transmitted to third parties. It is used solely for the purpose of dealing with correspondence.

2. Legal basis for the processing of data

The legal basis for processing the user's personal data after the user has given his/her consent is Art. 6 para. 1 lit. a GDPR.
The legal basis for processing data that is transmitted when sending an e-mail is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

Personal data entered into the input mask is processed solely for the purpose of responding to correspondence. This also constitutes the required legitimate interest in processing the data in cases where contact is made by e-mail.
Additional data is processed during transmission in order to prevent improper use of the contact form and safeguard the security of our information technology systems.

4. Storage period

The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of personal data entered into the contact form's input mask and personal data sent by e-mail, this is the case when the correspondence with the user is terminated. The correspondence is deemed to have been terminated when it can be inferred from the circumstances that the facts in question have been clarified once and for all.

5. Right to object and right to erasure

As the user, you are entitled to withdraw your consent to the processing of your personal data at any time. Users who contact us by e-mail can object to the storage of their personal data at any time. If this right is exercised, it will no longer be possible to continue the correspondence.
In this instance, all personal data stored during the correspondence will be erased.


IX. Web analysis by etracker

1. Scope of personal data processing

We use services provided by etracker GmbH from Hamburg, Germany, to analyse usage data. These services use cookies that facilitate a statistical analysis of the use of this web presence together with the display of usage-related content or advertising. Cookies are small text files that are stored by the web browser on the user’s terminal device. etracker cookies contain no information that would enable the user to be identified.

The data generated by etracker is processed and stored by etracker on our behalf. It is exclusively stored and processed in Germany and is thus subject to the strict data protection legislation and standards enforced in Germany and the EU. Moreover, etracker has been independently audited, certified, and awarded the data protection seal of quality.

Our legitimate interest is the optimisation of our online services and web presence. Since the privacy of our visitors is particularly important to us, etracker anonymises user IP addresses as early as possible, while log-in and device ID information is converted into a unique code that cannot be identified with any specific person. etracker does not utilise this data in any other way, amalgamate it with other data, or transmit it to any third party.

You have the right to object to the data processing described above at any time insofar as your personal data is involved. Your objection will not place you at any disadvantage.

The following information is stored whenever individual pages on our website are accessed:

(1) Anonymised IP address of the user's access system
(2) The web page accessed
(3) The website from which the user accessed this web page (referrer)
(4) The subpages accessed from this web page
(5) The time spent on the web page

The software runs on our web servers, which are in turn hosted by a contractor.

2. Legal basis for the processing of personal data

The legal basis for processing the user's personal data is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

Processing personal data enables us to analyse the browsing behaviour of our users. Evaluations of the data collected allow us to compile information about the use of individual components on our web presence. This helps us to continue improving our website and make it more user-friendly. These purposes also constitute our legitimate interest in processing the data pursuant to Art. 6 para. 1 lit. f GDPR. The user’s interest in the protection of his/her personal data is duly taken into account by anonymising the IP address.

4. Storage period

The data is erased as soon as we no longer need it for recording purposes.

5. Right to object and right to erasure

Cookies are stored on the user’s computer, from where they are sent to our website. This means that you as the user have complete control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing your web browser settings. Cookies already stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for our website, it may no longer be possible to use all the web presence’s functions in full.


X. Use of social media services

Functions provided by Twitter are integrated into our web pages. These functions are made available by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. By using Twitter and the "Retweet" function, the websites you visit are linked to your Twitter account and made known to other users. Data is also transmitted to Twitter.

Please note that as the provider of these web pages, we have no knowledge of the content of this data or how it is used by Twitter. You will find further information in Twitter’s data protection declaration (https://twitter.com/privacy).

You can change your Twitter data protection settings in your Twitter account settings (http://twitter.com/account/settings).

Our web presence also contains links to the external social network Facebook. The Facebook website is operated solely by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (Facebook). On our website, these links are identified by the Facebook logo (no Facebook plug-ins are used).

If you follow the links while visiting our web presence and are logged in to Facebook via your personal user account, the information that you have visited our website will be forwarded to Facebook. Facebook can assign your visit to our website to your account.

This information is sent to Facebook and stored there. If you wish to prevent this, you must log out of your Facebook account before clicking on the link.
The functions assigned to the Facebook links, in particular the transmission of information and user data, are not activated by visiting our website, but only by clicking on the corresponding links.

Please refer to Facebook's data protection declaration for information concerning the purpose and scope of Facebook's data collection activities, the way in which Facebook processes and uses your data, your rights in this context, and how you can change your settings to protect your privacy.

XI. Rights of data subject

Whenever your personal data is processed, you are a data subject as defined in the General Data Protection Regulation and you have the following rights vis-à-vis the controller:

1. Right to information

You can request the data controller to confirm whether your personal data is being processed.
If this is the case, you can request the controller to provide the following information:

(1) the purposes for which the personal data is being processed;
(2) the categories of personal data that are being processed;
(3) the recipients or categories of recipient to whom your personal data has been or is to be disclosed;
(4) the envisaged period for which your personal data will be stored, or, if no specific information can be provided, the criteria used to determine that period;
(5) the existence of a right to request the controller to rectify or erase your personal data, to restrict the controller’s processing of your personal data, or to object to such processing;
(6) the existence of a right to complain to a supervisory authority;
(7) where the personal data is not collected from the data subject, any available information as to its source. You also have the right to request information as to whether your personal data is to be transferred to a third country or an international organisation. If this is the case, you can also request information concerning the safeguards provided for the transfer of personal data in accordance with Art. 46 GDPR.

2. Right to rectification

You have the right to request the controller to rectify and/or complete your personal data insofar as that of your personal data being processed is incorrect or incomplete. If this is the case, the controller must rectify the data immediately.

3. Right to restriction of processing

You are entitled to request restrictions on the processing of your personal data in the following circumstances:
(1) if you contest the accuracy of your personal data for a period enabling the controller to verify its accuracy;
(2) if your personal data is being processed unlawfully, you refuse to have it deleted and instead demand restrictions on the processing of your personal data;
(3) if the controller no longer needs the personal data for the purposes for which it was processed but you still need it for the establishment, exercise, or defence of legal claims; or
(4) if you have objected to the processing of your data pursuant to Article 21 para. 1 GDPR and it has not yet been established whether the legitimate grounds of the controller override yours.

If the processing of your personal data has been restricted, this data may – with the exception of storage – only be processed with your consent, or to establish, exercise, or defend legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest within the EU or an EU member state.
If you have obtained restriction of processing under the conditions specified above, you will be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Erasure obligation

You may request the controller to erase your personal data without delay, in which case the controller is obliged to erase the data without delay where one of the following grounds applies:

(1) Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
(2) You withdraw the consent on which the processing is based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there are no other legal grounds for the processing.
(3) You object to the processing of your data pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing of your data pursuant to Art. 21 para. 2 GDPR.
(4) Your personal data has been processed unlawfully.
(5) Your personal data has to be erased for compliance with a legal obligation in EU or member state law to which the controller is subject.
(6) Your personal data has been collected in connection with the offer of information society services referred to in Art. 8 para. 1 GDPR.

b) Information to third parties

If the controller has made your personal data public and is obliged pursuant to Art. 17 para. 1 GDPR to erase it, the controller, taking account of the technology available and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers who are processing your personal data that you, as the data subject, have requested the erasure of any links to, or copy or replication of, your personal data.

c) Exceptions

The right to erasure does not exist insofar as processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation according to which processing is required by EU or member state law to which the controller is subject, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h, i and Art. 9 para. 3 GDPR;
(4) for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the right referred to in point a is likely to render impossible or seriously impair the achievement of the objectives of the processing; or
(5) for the establishment, exercise or defence of legal claims.

5. Right to notification

If you exercise your right to rectification or erasure of personal data or restriction of processing, the controller is obliged to communicate this to all recipients to whom your personal data has been disclosed unless this proves impossible or involves disproportionate effort.
The controller is obliged to inform you about these recipients if so requested.

6. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to any processing of your personal data effected on the basis of Art. 6 para. 1 lit. e or f GDPR.
If this right is exercised, the controller will cease processing your personal data unless he/she can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or if the data has to be processed for the establishment, exercise, or defence of legal claims.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

7. Right to withdraw the declaration of consent provided in compliance with data protection legislation

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of your consent will not affect the lawfulness of processing effected on the basis of your consent before it is withdrawn.

8. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged violation, if you consider that the processing of your personal data violates the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.