Version: 18.03.2020
“Onleihe” is a service provided by divibib GmbH (hereinafter referred to as “divibib” or also “we” for the purposes of this data protection notice) for users of public libraries. Divibib takes the protection of your
personal data (hereinafter also referred to as “data”) very seriously. This data protection notice therefore aims to inform you about how and to what extent we process your data when you use Onleihe via a browser, our Onleihe App for mobile devices, the Onleihe eReader (for instance, the tolino eReader) or eCircle, and when you use any services provided by these facilities. You can view this information at any time at http://cms.onleihe.de/opencms/opencms/divibib customer/common/en/AllgemeineDatenschutzerklaerung.pdf.
The following company is directly responsible for data processing when our website and the Onleihe services provided therein are used and is the controller within the meaning of the European Union Data Protection Regulation (GDPR):
divibib GmbH | Controller’s Data Protection Officer: |
Bismarckstraße 3 | Lars-Holger-Krause |
72764 Reutlingen | as data protection officer of divibib GmbH |
c/o Tercenum AG | |
vertreten durch Dr. Jörg Meyer als Geschäftsführer | Eschenallee 32 |
14050 Berlin | |
Telefax: + 49 (0) 7121 144-280 | Telefax: +49 7121 147 88-99 |
E-Mail: info@divibib.com | E-Mail: lars-holger.krause@tercenum.de |
We recommend that you contact our data protection officer directly if you have any questions or suggestions relating to data protection.
1. What are personal data
The subject of data protection is personal data. Personal data means any information relating to an identified or identifiable natural person (“data subject”) (Art. 4 (1) GDPR).
2. Summary of key aspects of this data protection notice
We want to begin by summarising the key information in this data protection notice, to provide a basic overview of the personal data that we collect and use. Detailed information on the processing of
specific data and the relevant legal bases for such processing is at figure 3ff.
2.1 Data processing when you visit our website
When you visit our website, we collect and use the data referred to in Point 3.1. In summary, this is firstly basic data relating to your usage of our website (such as the date of your visit and the sub-page
you visit). It also includes basic technical data relating to the device and the browser you have used for your visit (such as the IP address and operating system of your device and the browser you have
used).
We need these data in order to ensure that our website is technically suitable and user-friendly, to optimise data security and to support the authorities as necessary with the prosecution of offences
committed on the internet.
We have delegated the technical suitability of our website to a host provider, Plus Server GmbH. To the extent that the latter is involved with data processing as described above, it acts as a processor
and solely in accordance with our instructions.
2.2 Data processing when you use the Onleihe app
When you use our Onleihe app, we collect and use the data referred to at Point 3.2. In summary, this is firstly basic data relating to your usage of our website (such as the date of your visit and the
services you have used). It also includes basic technical data relating to the device and the browser you have used for your visit (such as the IP address and operating system of your device and the
browser you have used).
We need these data in order to ensure that our Onleihe app is technically suitable and user-friendly, to optimise data security, and to support the authorities as necessary with the prosecution of offences
committed on the internet.
In order to ensure we have the necessary information and general access statistics to optimise the user-friendliness of the Onleihe app, we also undertake range measurement and usage analysis
where appropriate with the two Google analytical tools referred to in Point 3.2.2. However, these tools are deactivated by default and only become active if activated by you as described in that Point. In
activating these tools, you give us your consent to the data processing tha tthey entail. In the event of activation, Google LLC acts as a processor and is bound exclusively by our instructions.
2.3 Data processing when you use general communications channels
When you contact us via the general communications channels provided in connection with our Onleihe services, in particular via our contact form or the email addresses and fax numbers provided,
we collect and use the data referred to in Point 3.3. In summary, this is data that we need in order to enable us to process your enquiry or request (such as the time and nature of your enquiry, your name
or email address), including your IP address.
We need this information in order to process your enquiry or request. We collect your IP address in order to enable us to prevent or shed light on any misuse or infringement in the context of our
services.
2.4 Data processing when you register as a user
You have the option to register as a user of our Onleihe services, which allows you to borrow digital media (ebooks, emagazines etc.) from our Onleihe selection.
Since we provide the Onleihe service to participating libraries that in turn provide the service to their users, the use of Onleihe services initially requires library users to register as such. Please note that
we have no influence on user data collected by your library, such as your name, address etc. Only your library decides what data to collect when you register. Please contact your library for the data
protection notice that covers such data.
In order to register as a user of our Onleihe service, however, you will only ever have to enter your library ID number (and where applicable your library user number) and your password. This data is
required to identify you as a user who is entitled to borrow items. The details entered by you will either be sent to the library where you are registered as a user and checked there, or verified against a
library user database provided to us by your library.
Once your details have been checked or verified, your library or the user database will inform us of whether the user account that is linked to the registration data is entitled to borrow media. We will also
be provided with information on FSK approval (for instance “entitled to borrow media for individuals of 16 and over” etc.) and where appropriate the age recorded at the library in relation to the user
account; this is required because some digital content is subject to age restrictions.The technical details of the registration process are set out at Point 3.4.1.
2.5 Data processing when you borrow media
When you borrow digital media from our Onleihe selection, we collect and process the data set out at Point 3.5. In summary, these are the data relating to the item in question (such as the title of the item
and how long it is being borrowed for). We assign these to you as the borrowing user.
We need to collect these data and assign them to you in order to enable us to loan you the item in question.
2.6 Data processing when you use media that you have borrowed
Digital media, in particular ebooks, are protected against unauthorised use and dissemination by technical safety mechanisms, such as embedded digital watermarks. These safety mechanisms,
known in technical terms as DRM systems, are provided to us by third party suppliers. In the context of Onleihe services we use DRM systems provided by VIVLIO and Adobe.
When you use an item that you have borrowed, for instance when you want to read an ebook, you have to identify yourself on the DRM system as an authorised user. The VIVLIO DRM system creates
an encrypted data set for this purpose from your user name and password. This is passed on to VIVLIO for authentication and identifies you as an authorised user who is entitled to use the medium
in question. Apart from this data, which cannot be decrypted by VIVLIO, no other data is sent to VIVLIO. VIVLIO acts as a processor and is thus solely instructed by us. The Adobe DRM system, on
the other hand, is completely separate from the Onleihe service and requires you to register independently with Adobe. We do not pass any data to Adobe.
You will find a detailed description of the DRM systems at Point 2.5.
2.7 Data processing when you reserve an item
When you reserve a title that we offer, the reservation is assigned to you as a user as set out in Point 3.5. If you would like to be notified when the item you have reserved is available to borrow, you can also provide your email address for this purpose.
It is necessary to assign items to you in order to enable you to use them. We use your email address solely to notify you that your reserved item is available.
2.8 Data processing when you review items
When you take the opportunity provided in the catalogue to review items you have borrowed, we assign your feedback to you as a user, as set out at Point 3.5.
Assigning reviews in this way is necessary in order to prevent the same individual leaving multiple reviews.
2.9 Data processing when you use elearning provided by third parties
Being an Onleihe user gives you access to certain third party elearning services, depending on the services on offer in your library.
If you would like to make use of a third party elearning service, we will collect and process the data set out at Point 3.6 and assign them to you as a user. In summary these data relate to the use you make of the service (such as the specific service you want to access).
We need to collect these data and assign them to you in order to enable you to use the services in question.
divbib will then forward you to the relevant third party service. The third party in question will receive your user data in an encrypted format that cannot be decrypted by them, to prove that you are authorised to use their services.
Use of such services is independent of our Onleihe services and no further data is exchanged between ourselves and the third party in question.
2.10 Duration of data storage
We store the data referred to only for as long as is necessary to achieve the stated purpose. Data may be stored for longer in individual cases, for instance for evidentiary purposes. Further details are at Point 5.
3. What data do we collect, what is it for, and what happens to it?
3.1 Data we process when you visit our website
3.1.1 Operation of the website
When you visit our website, even in the context of a simple visit to our website where you do not log in or use our individual services, the following data will always be collected and processed, without specifically identifying you:
- the websites previously visited by you (referrer URLs),
- the individual pages of our website accessed by you,
- the date and time you accessed our website,
- the Internet Protocol Address (IP address) of the accessing device,
- the type and, where applicable, model name of your device used by you to access our website (e.g. HP Touchpad, iPhone X, etc.)
- the browser and operating system used by you to access our website, including the respective version number and configured language.
This information is required in order to:
- deliver our website content correctly,
- optimise our website content, e.g. adapting content for viewing on a mobile device,
- ensure the ongoing functionality of our information technology systems and our website
technology, and
- provide law enforcement agencies with the information required to secure a prosecution in the
event of a cyber-attack.
We process these data for as long as is necessary for the aforementioned purposes. They are subsequently anonymised and analysed by us, on the one hand statistically, and on the other with a
view to improving data protection and data security at our organisation, in order ultimately to ensure an optimum level of protection for personal data processed by us. Data processing is undertaken in
order to enable us to provide our services and is therefore based on Art. 6(1)(b) of GDPR. It also serves to ensure our services are of as high a quality and have the greatest possible integrity;
processing is therefore also in our legitimate interests and is based on GDPR Art 6(1)(f).
In addition, when users visit the website hilfe.onleihe.de, a cookie is set that is required to deliver the technical aspects of the website (“JSESSIONID”). This saves the current session and its settings, in
order to avoid having to adjust settings and inputs repeatedly in the course of the session. The cookie expires as soon as the browser session is ended.
Our host provider, Plus Server GmbH, Hohenzollernring 72, 50672 Cologne, handles data processing
on our behalf and is therefore a processor within the meaning of GDPR Art. 28 ff.
3.1.2. Range measurement and usage analysis
We of course want to design our services to meet our users’ needs and offer you the best possible user experience. We therefore continually check the functionality of our services and correct any
functions that we find to be faulty or user-unfriendly. A further aim is to discover whether or to what extent our services are reaching our intended target group, and to this end we need to understand
where, how and to what extent you are using our services. This also enables us to adapt our hardware to increased usage, for example, in order to keep our Onleihe services as trouble-free and
speedy as possible.
In order to obtain the above information, we create pseudonymised usage profiles using cookies, which enable us to collect information about what users are clicking on and browsing when they use
our services. In this context, the following data are processed:
- IP address and geolocation based on IP address
- device, operating system/browser
- scrolling and clicking behaviour
- type and frequency of faults when they occur
Data processing in this context is undertaken in our legitimate interests as mentioned above and is therefore based on Art. 6 (1) (f) of GDPR. Data processing in the context of the use of cookies is dependent on your consent and is therefore based on Art. 6 (1) (a) of GDPR.
3.2 Data processed by us when our Onleihe App is used
3.2.1 Basic functionality
When our Onleihe app is used, we always process the following personal data, without specifically identifying you:
- the individual app pages and/or functions you have accessed or used;
- the date and time our was accessed;
- the type of end device on which the app is installed
- the IP address of the end device on which the app is installed;
This information is required in order to:
- deliver our app correctly;
- optimise the content of our app, e.g. adapting content for viewing on your end device;
- ensure the ongoing functionality of our information technology systems and our app
technology, and
- provide law enforcement agencies with the information required to secure a prosecution in the event of a cyber-attack.
We process these data for as long as is necessary for the aforementioned purposes. They are subsequently anonymised and analysed by us, on the one hand statistically, and on the other with a
view to improving data protection and data security at our organisation, in order ultimately to ensure an optimum level of protection for personal data processed by us. Data processing is undertaken in
order to enable us to provide our services and is therefore based on Art. 6(1)(b) of GDPR. It also serves to ensure our services are of as high a quality and have the greatest possible integrity;
processing is therefore also in our legitimate interests and is based on GDPR Art 6(1)(f).
To the extent that usage of our app establishes a connection to our servers, data processing is undertaken by our host provider, Plus Server GmbH, Hohenzollernring 72, 50672 Cologne, which is a processor within the meaning of GDPR Art 28 ff.
3.2.2 Range measurement and usage analysis
We of course want to design our services to meet our users’ needs and offer you the best possible user experience. We therefore continually check the functionality of our services and correct any
functions that we find to be faulty or user-unfriendly. A further aim is to discover whether or to what extent our services are reaching our intended target group, and to this end we need to understand
where, how and to what extent you are using our services. This also enables us to adapt our hardware to increased usage, for example, in order to keep our Onleihe services speedy and as
trouble-free as possible.
In order to obtain the above information, we use the range measurement and usage analysis tools referred to in the present Point, 3.2.2. Data processing in this context is undertaken in our legitimate
interests as mentioned above and is therefore based on Art. 6 (1) (f) of GDPR.
Further details of specific data processing procedures can be found in the section below. Unless otherwise provided for, the data processing procedures described therein are undertaken by service
providers commissioned and instructed by us on the basis of a processing contract (Art. 28 ff. of GDPR):
a) Google Firebase for Mobile Apps
When you activate the features described below, we will use Google Firebase for Mobile Apps, a web analysis service from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, hereinafter referred to as “Google”).This service is deactivated by default. Only upon activation will it create pseudonymised usage profiles for the use of our mobile apps, which enable us to collect information about what users are clicking on and browsing when they use our services.
In this context, the following data are processed:
- IP address and geolocation based on IP address
- device, operating system/browser
- scrolling and clicking behaviour
The information generated in the context of this data processing is transferred to a Google server in the USA and processed and stored there. Google is Privacy Shield certified and has therefore undertaken to comply with the Privacy Shield Framework on the collection, use and storage of personal data from EU member states published by the US Department of Commerce and agreed between the EU and the US.
You can activate data processing by Google Firebase for Mobile Apps- by going to the “Info” section of our app, clicking on the “Data protection” tab and deactivating Google Analytics by selecting the “Switch on tracking” option. Activation will only apply to the device on which you select this option.
Since Google Firebase for Mobile Apps is deactivated by default and the setting is saved on your device, you will need to repeat the process whenever you reinstall the app.
Further information on data processing by Google is available in Google’s Privacy Policy at https://policies.google.com/. Answers from Google to frequently asked questions on data protection are available from https://support.google.com/analytics/answer/6004245?hl=de.
b) Google Analytics for eReader
Our eReader app uses Google Analytics for eReader, a web analysis service by Google which is deactivated by default. Only upon activation will it create pseudonymised usage profiles for the use of our mobile apps, which enable us to collect information about what users are clicking on and browsing when they use our services. Tracking is deactivated by default.
If Analytics are activated, the following data are processed:
- IP address and geolocation based on IP address
- Device, operating system/browser
- Scrolling and clicking behaviour
- Type and frequency of errors when they arise
The information generated in the context of this data processing is transferred to a Google server in the USA and processed and stored there. Google is Privacy Shield certified and has therefore undertaken to comply with the Privacy Shield Framework on the collection, use and storage of personal data from EU member states published by the US Department of Commerce and agreed between the EU and the US.
You can activate data processing by Google Analytics for eReaders by going to the “My Account” section of our app, clicking on the “Data protection” tab and deactivating Google Analytics by selecting the “Switch on tracking” option.
Further information on data processing by Google is available in Google’s Privacy Policy at https://policies.google.com/. Answers from Google to frequently asked questions on data protection are available from https://support.google.com/analytics/answer/6004245?hl=de.
3.3 Data processed by us when you contact us
When you contact us via the contact options available on the website or in our Onleihe App, in
particular the contact form or email addresses and fax numbers given there, we process, in addition to
the date and time of your query, such data that you voluntarily provide us with. We will let you know
on a case-by-case basis whether information is essential or can be provided on a voluntary basis.
These include, for example, your form of address, (academic) title, name, (mobile) telephone number
and, if not already required for answering your electronic query, your email address, as well as other
information that you provide voluntarily. We use these data for processing your contact query. Your
data are processed on the basis of your request and such processing is based on Art. 6 (1) (b) GDPR
in this respect. To the extent that you provide information on a voluntary basis, we will process it on
the basis of your consent pursuant to GDPR Art 6(1)(a).
If you make use of our website services where you must log in with a user account (see Point 3.4),
then we will match the data transferred as part of the contact query with your (temporary) user profile.
Your data is processed in this way for the correct handling of your query and in order to identify you
when you make queries about our products and services and for documenting your queries in
connection with our contractual relationship. Processing is based on GDPR Art. 6 (1) (b) and on our
legitimate interest under GDPR Art 6(1)(f) in this respect.
When you use our contact form, your internal protocol address (IP address) will also be stored. This is
to ensure the provision of our services and prevent their misuse. Where necessary, it makes it
possible for crimes committed to be investigated and enforce third-party private rights. In this respect,
storing your IP address is necessary for our protection. These data are not passed on to third parties
in principle, apart from when there is a corresponding statutory obligation to pass them on or when
passing them on is used for criminal prosecution. The legal basis for the processing of these data is
Art. 6 (1) (f) GDPR.
If the query is made in connection with the use of the services stated in Points 2.5 to 2.8 or within the
framework of our contractual relationship including its initiation, then the data transferred or collected
when the query is made will be stored for the duration of our contractual relationship. Otherwise, in
principle data is only stored for as long as is necessary to answer your query. Storing these data
beyond this period of time is however possible in the cases stated in Point 5.
3.4 Data processed by us when you log in as a user
You have the option of logging in as a user of our website by entering personal data. Logging in is a
condition for the digital borrowing of content within the framework of the “Onleihe” set out in Point 3.5
and requires you to register as a user with a participating library.
Please be aware that we have no influence over the inventory data collected by your library, such as
your name, address, etc. Your library alone decides which data to collect when you register. Please
contact your library for the relevant data protection notice.
Logging in as a user on our website is carried out with the participation of the participating libraries
pursuant to the following information. Session cookies are required for the technical implementation of
the user login (see Point 2).
3.4.1. Authentication process
When you log in as a user, different authentication processes will apply as explained below,
depending on the channel you use (web Onleihe or Onleihe App) and the interfaces provided by
libraries. The icons visible on the respective display are also displayed when using the login, which
means you can always recognise which authentication method is being used when you log in.
1. Library authentication with embedded or external login (library customers from |a|S|tec|
angewandte Systemtechnik GmbH, Paul-Lincke-Ufer 7 c, 10999 Berlin.)
When using library authentication with embedded login (iFrame) or external login, an encrypted
channel to the library user database is created in the background and a login form for your library is
created. You therefore send your entries in the login form directly to your library which carries out the
authentication under its own responsibility.
After successful authentication, we receive information from your library on your login status (e.g. a
numerical value for “user may borrow” or “query invalid”) and a pseudonym in the form of a hash
value created via a hash function that is not known to us; it is not possible to identify you on the basis
of these details.
When you use library authentication via the Onleihe app, an encrypted channel to the library user
database is created in order to authorise you as a library user directly via your library. For the
purposes of authentication we send your library the ID number you entered in the registration form
and where appropriate your library user number.
After successful authentication, we receive information from your library on your login status (e.g. a
numerical value for “user may borrow” or “query invalid”), details of you FSK approval and where
appropriate your age. We also receive from the library a pseudonymised hash value created via a
hash function that is not known to us, which identifies you as an individual in our system and which is
used to assign your use of Onleihe services to you.
2. Divibib online authentication
An encrypted channel to the library user database is created to enable your library to authenticate you
directly as a library user. For the purposes of authentication, we send your library the ID number you
entered in the registration form and where applicable your library user number and password.
After successful authentication, we receive information from your library on your login status (e.g. a
numerical value for “user may borrow” or “query invalid”), your library ID and library number as well as
information on your FSK approval and, if applicable, your age. We also receive a hash value of your
library password generated using an encryption algorithm.
3. Divibib offline authentication
You can enquire about libraries not participating in the above authentication procedures and which
offer offline authentication procedures by email via support@divbib.com.
For the divibib offline authentication procedure the libraries concerned regularly provide us with data
records containing all users entitled to use Onleihe intervals. The data records transferred by libraries
contain the library ID number and where applicable the library user number, a hash value for the
corresponding library password generated using an encryption algorithm and information on FSK
approval and where applicable the age of all library users with usage authorisation. As a rule, we
store such data until the relevant library provides updated data records informing us that individual
records are no longer current and can by deleted.
When you use the divibib offline authentication procedure, we collect the information provided by you
in the login form, namely your library user ID and library password (in an encrypted format) and match
these with the data records available to us. After successful authentication, we save information on
the login status (e.g. a numerical value for “user may borrow” or “query invalid”).
We process your data – including the data supplied by the libraries concerned – in order to verify your
entitlement to use our services as part of our contractual performance. This processing is therefore
based on Art. 6 (1) (b) GDPR.
4. Library authentication by means of redirection (Goethe Institut library customers)
When using library authentication by means of redirection, you will be redirected from our website to
your library’s login form. Authentication is therefore carried out directly by the library and under its
responsibility.
After successful authentication, we receive information from your library on your login status (e.g. a
numerical value for “user may borrow” or “query invalid”), your library ID and library number as well as
information on your FSK approval and, if applicable, your age. We also receive a hash value of your
library password generated using an encryption algorithm.
Authentication using Onleihe App
The above-mentioned authentication procedures are also used in the Onleihe App.
4.2 After finalisation of authentication
If authentication is successful, we use the ID number and where applicable user number obtained
from your library in accordance with the above information in order to generate a pseudonymised user
ID with an encryption algorithm (“hash function”) which we require for providing the Onleihe services.
Because of the encryption algorithm used, this user ID contains no characteristics which would allow
us to infer your identity. This data processing is based on Art. 6 (1) (b) GDPR.
In addition, along with the aforementioned user ID we use the information obtained from your library
on your FSK approval and, where applicable, information obtained on your age, to be able to comply
with the requirements of the Youth Media Protection Agreement (the German
‘Jugendmedienschutzstaatsvertrag’ or ‘JMStV’) when loaning out the digital content. The data are
thus processed in order to comply with a legal obligation to which divibib is subject and such
processing is based on Art. 6 (1) (c) GDPR.
As part of the library authentication procedures referred to in points 2 and 3, we store your library ID
number and where applicable library user number as a hash value for a period of eight weeks
following successful authentication so that we are able to continue to provide you with Onleihe access
in the event of a failure in the library authentication system. In this respect, we are processing data in
order to comply with our contractual obligation to provide Onleihe and such processing is based on
Art. 6(1)(b) of GDPR and on our legitimate interest in being able to provide you with reliable user
login, as provided for in GDPR Art. 6(1)(f). In principle, we only use the user ID and information on
your FSK approval and age respectively (hereinafter referred to as “user data”) while this is necessary
for contractual performance. As a rule, these data are therefore deleted once your online session has
ended if you do not use any other services (in accordance with Points 3.5 to 3.7).
Your user data is stored beyond your respective online session and, where necessary, beyond the
“stay logged-in” option period if you use our Onleihe features to borrow or reserve a title) (see Point
3.5).
3.5 Data processed by us when you use Onleihe
We provide you with a service allowing you to borrow digital content (“Onleihe”). In order to use
Onleihe, you must log in as a library user beforehand in accordance with Point 3.4 of our data
protection notice.
Borrowing
During a loan transaction, we collect data necessary for the loan process (transaction number of the
loan transaction, information on the title borrowed, date and time of the loan and length of the loan)
and match these with your user data (see Point 3.4). Processing these data is necessary for the
contractual performance and such processing is based on Art. 6(1)(b) of GDPR.
Moreover, we provide you with a rating interface with which you can rate the borrowed titles in a
points system. If you use this feature, we match your rating with your user data (see Point 3.4). This is
undertaken in our legitimate interest, in order to prevent multiple ratings by the same person and is
thus based on Art. 6 (1) (f) of GDPR.
The data processed as part of the respective loan is stored along with your user data (see Point 2.4)
until the end of the loan. Storage beyond this period of time is possible in the cases stated in Point 5.
In order to protect copyright in accordance with Sections 3(3) and (4) of the General Terms and
Conditions of Use, technical protection measures and rights management information are provided
(e.g. digital water marks) to enable the electronic medium to be connected with the data processed as
part of the loan. For statistical purposes, divibib discloses to your library and where applicable to
licensors and the libraries associated with Onleihe the number of times individual media are
borrowed, without any references to individuals.
If divibib provides “integrated readers” as a software application for the use of “Onleihe”, please be
aware that integrated readers use either the Adobe or the VIVLIO DRM system.
The Adobe DRM System requires you to enter into an agreement with Adobe Systems Inc. (Adobe)
concerning the provision of an Adobe ID. If you use the Adobe DRM system and your Adobe ID within
the framework of integrated readers, personal data, independent of divibib, will be collected,
processed and passed on to third parties. The functionalities of the Adobe DRM system and Adobe ID
within the framework of integrated readers require such use of your personal data. If you do not want
this, do not use integrated readers, since their functionality requires a corresponding use of your
personal data. For more details, please see Adobe’s data protection notice
(www.adobe.com/privacy.html).
If you use the VIVLIO DRM system we create a random value, known as a “token”, from your user
name and password. This token is passed on to VIVLIO and used for authentication, and for the
download and ongoing use of the eBook in question. The token will also be stored on your device.
Should it not be possible to establish a connection between the server and the VIVLIO DRM system,
you will be asked to enter your user name and password. These data will be used as usual (see Point
3.4.1) to generate a hash value pseudonym using an encryption algorithm, which will then be
transmitted to VIVLIO.
Reservations
When using Onleihe, you have the option of reserving individual titles and registering for an email
notification service. Since in principle we only process user data in a pseudonymised way within the
framework of the registration (see point 3.4) and therefore cannot match them to specific persons, we
also require your email address for this purpose.
If you choose to use the reservation feature and provide your email address for this purpose, we will
match this to your user data in order to carry out the reservation. In this respect, the data is processed
for the contractual performance and such processing is based on Art. 6 (1) (b) of GDPR.
Your email address is stored along with your user data (see Point 3.4) until the title made available
through the reservation feature is borrowed by you or the reservation expires.
3.6 Data processed when using e-learning content provided by a third-party
As a user of Onleihe you have the option, where applicable, of using certain third-party provider elearning content if offered by your library. You can make use of this via your access to Onleihe. This
third-party provider content is only available to Onleihe users within the presented scope.
General liability information
When using a third-party provider e-learning service for the first time, you will either be permitted by
this provider to immediately use its e-learning or other content, on the basis of the third-party
provider’s General Terms and Conditions and privacy statement, or prompted to register separately
and in this context asked to accept the third party provider’s General Terms and Conditions and
privacy statement. divibib redirects you as a library user only to the content of the respective third party provider.
The technical and administrative services and the granting of user rights of e-learning or other content
thus chosen by you are only supplied by the respective third-party provider and not by divibib. divibib
only enables you to be able to make use of this content through Onleihe. divibib is only the data
protection controller in this respect.
After transfer to the third-party provider, only this provider is responsible for the further data
processing and is the controller within the meaning of the data protection law. For more information
on the collection, storage and/or processing of personal data for which the respective third-party
provider is solely responsible as well as your consent required for this, where applicable, can be
found in the data protection notice of the respective third-party provider.
divibib’s scope of liability and disclosure of your data
When you make a request to access a third-party supplier’s e-learning content, we collect the data
necessary for providing this access (transaction number of the usage access, information on the
selected e-learning content and the date and time of the selection process).
The pseudonymous has value created during registration (see Point 3.4) is passed on to the
respective third-party provider of the e-learning content chosen by you when your request concerning
the e-learning content is transferred after further pseudonymisation so that this third-party provider
can ensure that you are a library user authenticated beforehand by your library and are entitled to use
Onleihe and the e-learning content of the third-party provider. This disclosure is only carried out with
your prior consent and is therefore based on Art. 6 (1) (1) (a) of GDPR.
In connection with the forwarding of your pseudonymous user ID to a third-party provider, it is
possible that the third-party provider will collect personal data, e.g. if it requires additional registration
from you. This also applies if it is additionally necessary to download an app of the respective third party provider for use of the respective content. In such a case, the third-party provider can connect
the transmitted pseudonymous user ID with the personal data collected by it, e.g. in order to permit
you to once again transfer from Onleihe to the e-learning content of the third-party provider without
logging in to the relevant e-learning content again or save learning statuses. The respective third party provider carries out both the collection of the relevant personal data as part of the e-learning or
other content as well as the connection of the personal data collected by it with your pseudonymous
user ID under its own responsibility.
4. How do we handle your data?
Within the framework of the respective usage purpose, we aim to always achieve the highest possible
level of security when processing data. Although absolute protection cannot be guaranteed, we have
taken security measures in order to protect your data.
This includes, for example, the fact that we always transfer data in an encrypted format only. For this
purpose we use the SSL (secure socket layer) coding system, which is meant to stop third parties
from intercepting data streams and your data from being able to be viewed in plaintext. You can
recognise the use of the SSL coding system by “https://” in the address bar of your browser as well as
in common browsers with a corresponding lock symbol shown next to the address bar. You therefore
know that your data is being passed on to us securely.
5. How long do we store your data for?
We process and store personal data for the period of time necessary for achieving the given purpose.
You can find specific details on this in the information on the individual processing operations (see
Point 3).
Once the purpose for which you passed your personal data to us has been achieved, or at your
request, we will delete these data, unless we are legally entitled or obliged to retain them (for
instance, for evidentiary purposes in the context of the execution of our contractual relationship or for
tax reasons). In the latter event, data may need to be stored for longer than required for the original
intended use. We are required to retain invoices/bills, for instance, for a period of 10 years (Art.
147(3) of the German Fiscal Code (Abgabenordnung))
If the original usage purpose has been achieved or has expired, we will only continue to use the
personal data within the framework of the statutory obligation or entitlement and conclusively delete
them upon cessation of the statutory obligation or entitlement.
6. Do we disclose your data to third parties?
We may arrange for the disclosure of data to one or several persons or companies which process the
data within the framework of the respective purposes described above for us as controllers
(“processors”).
The following persons and companies are currently appointed to handle data processing (processing
in accordance with Art. 28 of GDPR):
- Plus Server GmbH, Hohenzollernring 72, 50672 Cologne (host provider, see Points 3.1.1 and
3.2.1)
- Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (web analysis,
see Points 3.1.2 and 3.1.3)
These processors process your data with the necessary care. They are under our supervision and
depend on our instructions. It is therefore ensured that the data will be processed with full protection
of your rights, in particular those pursuant to Point 7 below.
Your data are disclosed for other purposes to the extent stipulated in Point 2 and for the purposes
specified therein to the following persons and companies:
- Your library and if applicable the libraries affiliated with Onleihe, see Points 3.4, 3.5 and 3.6,
- Third-party providers of e-learning content chosen by you, see Point 3.6,
7. What rights do you have?
Concerning the use of your data, you have the rights stipulated below. These rights may be asserted
against us as the controller. You may of course contact our data protection officer directly.
7.1 Right of access
You have the right to obtain information at any time free-of-charge from us on the personal data
concerning you and a copy of this information. You also have the right to access the information set
out in Article 15(1) of GDPR.
Moreover, you have the right to information on whether personal data has been passed on to a third
country or international organisation. If this is the case, you also have the right to obtain information
on suitable guarantees in connection with the transfer.
Your right of access is based on Art. 15 of GDPR.
7.2 Right to rectify incorrect data and amend incomplete data
You have the right to request the immediate rectification of incorrect personal data relating to you.
You also have the right, in the context of the purpose of processing, to request a supplementary
declaration completing any incomplete personal data.
Your right to the rectification of incorrect data and the amendment of incomplete data is based on Art.
16 of GDPR.
7.3 Right to the erasure of data (right to be forgotten)
You have the right to request that we erase personal data relating to you, provided that it is for one of
the reasons set out in Art. 17(1) of GDPR and processing is not required for the reasons set out in Art.
17(3) of GDPR.
Your right to the erasure of data is based on Art. 17 of GDPR.
7.4 Right to restriction of processing
You have the right to request that we restrict processing where one of the conditions set out in Art.
18(1) of GDPR applies.
Your right to restriction of processing is based on Art. 18 of GDPR.
7.5 Right to data portability
Under the provisions of Art 20(1) of GDPR, you have the right to receive personal data with which you
have provided us, in a structured, commonly used and machine-readable format. You also have the
right to transmit this data to another controller without hindrance from us, unless the processing is
necessary for the exercise of a task carried out in the public interest or within the context of exercising
the official authority vested in us.
Moreover, in exercising your right to data portability, you have the right to have the personal data
transmitted directly from one controller to another, where technically feasible, provided that the rights
and freedoms of others are not adversely affected.
Your right to data portability is based on Art. 20 of GDPR.
7.6 Right to object
Under the conditions set out in Art. 21 of GDPR, you have the right to object at any time to the
processing of personal data concerning you based on Art. 6 (1) (e) or (f) of GDPR. This also includes
profiling based on these provisions.
Your right to object is based on Art. 21 of GDPR
7.7 Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including
profiling, which produces legal effects concerning you or which similarly significantly affects you
unless the decision is necessary for entering into or performance of a contract between you and us, or
is authorised by European Union or Member State Law to which we are subject and which also lays
down suitable measures to safeguard your rights and freedoms and legitimate interests or is based on
your explicit consent.
If the decision is necessary for entering into or performance of a contract between you and us, or is
based on your explicit consent, we will implement suitable measures to safeguard your rights and
freedoms and legitimate interests, at least the right to obtain human intervention on the part of our
company, to express your point of view and to contest the decision.
If you wish to assert rights to automated decision-making, please contact our data protection officer or
another of our colleagues at any time.
These rights are based on Art. 22 of GDPR.
7.8 Right to withdraw data protection consent
You have the right to withdraw your consent to the processing of personal data at any time in full or in
part.
Withdrawal of consent by you shall not affect the lawfulness of processing carried out on the basis of
your consent prior to such withdrawal.
Your right to withdraw data protection consent granted is based on Art. 7 (3) of GDPR.
7.9 Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority. This right is based on Art. 56 (2)
of GDPR.
8. Changes to this data protection notice
The use of data collected is explained in the data protection notice in force at the time such data are
collected.
We reserve the right to change this data protection notice in order to take account of changed
circumstances and legal situations. In this case, we will publish the new and henceforward current
version of this data protection notice on our website. We will indicate the places where any changes
to this data protection notice have been made as appropriate. This applies in particular if we intend to
use data already collected for a purpose other than was originally intended.
If the use of your personal data is based on your consent, then we will only use your data to the
extent that you have consented, regardless of any subsequent changes to this data protection notice.
In the event of any changes, we will ask you to reconfirm your consent to any proposed changes in
the way your data is used.