Onleihe. Data protection

Seitenbereiche:

Data protection notice

Version: 05.04.2023

“Onleihe” is a service provided by divibib GmbH (hereinafter referred to as “divibib” or also “we” for the purposes of this data protection notice) for users of public libraries. Divibib takes the protection of your 
personal data (hereinafter also referred to as “data”) very seriously. This data protection notice therefore aims to inform you about how and to what extent we process your data when you use Onleihe via a browser, our Onleihe App for mobile devices, the Onleihe eReader (for instance, the tolino eReader) or eCircle, and when you use any services provided by these facilities. You can view this information at any time at http://cms.onleihe.de/opencms/divibib-customerV2/common/de/Allgemeine-Datenschutzerklaerung.pdf

The following company is directly responsible for data processing when our website and the Onleihe services provided therein are used and is the controller within the meaning of the European Union Data Protection Regulation (GDPR):

divibib GmbH  Controller’s Data Protection Officer:
Bismarckstraße 3    Lars-Holger-Krause
72764 Reutlingen as data protection officer of divibib GmbH
c/o Tercenum AG
vertreten durch Dr. Jörg Meyer als Geschäftsführer Eschenallee 32
14050 Berlin
Telefax:   + 49 (0) 7121 144-280 Telefax:       +49 7121 147 88-99
E-Mail:    info@divibib.com  E-Mail:        lars-holger.krause@tercenum.de

We recommend that you contact our data protection officer directly if you have any questions or suggestions relating to data protection.

1. What are personal data

The subject of data protection is personal data. Personal data means any information relating to an identified or identifiable natural person (“data subject”) (Art. 4 (1) GDPR). 

2. Summary of key aspects of this data protection notice

We want to begin by summarising the key information in this data protection notice, to provide a basic overview of the personal data that we collect and use. Detailed information on the processing of 
specific data and the relevant legal bases for such processing is at figure 3ff.

2.1 Data processing when you visit our website

When you visit our website, we collect and use the data referred to in Point 3.1. In summary, this is firstly basic data relating to your usage of our website (such as the date of your visit and the sub-page 
you visit). It also includes basic technical data relating to the device and the browser you have used for your visit (such as the IP address and operating system of your device and the browser you have 
used).

We need these data in order to ensure that our website is technically suitable and user-friendly, to optimise data security and to support the authorities as necessary with the prosecution of offences 
committed on the internet.

We have delegated the technical suitability of our website to a host provider, Plus Server GmbH. To the extent that the latter is involved with data processing as described above, it acts as a processor 
and solely in accordance with our instructions.

2.2 Data processing when you use the Onleihe app

When you use our Onleihe app, we collect and use the data referred to at Point 3.2. In summary, this is firstly basic data relating to your usage of our website (such as the date of your visit and the 
services you have used). It also includes basic technical data relating to the device and the browser you have used for your visit (such as the IP address and operating system of your device and the 
browser you have used).

We need these data in order to ensure that our Onleihe app is technically suitable and user-friendly, to optimise data security, and to support the authorities as necessary with the prosecution of offences 
committed on the internet.

In order to ensure we have the necessary information and general access statistics to optimise the user-friendliness of the Onleihe app, we also undertake range measurement and usage analysis
where appropriate with the two Google analytical tools referred to in Point 3.2.2. However, these tools are deactivated by default and only become active if activated by you as described in that Point. In 
activating these tools, you give us your consent to the data processing tha tthey entail. In the event of activation, Google LLC acts as a processor and is bound exclusively by our instructions.

2.3 Data processing when you use general communications channels

When you contact us via the general communications channels provided in connection with our Onleihe services, in particular via our contact form or the email addresses and fax numbers provided, 
we collect and use the data referred to in Point 3.3. In summary, this is data that we need in order to enable us to process your enquiry or request (such as the time and nature of your enquiry, your name 
or email address), including your IP address.

We need this information in order to process your enquiry or request. We collect your IP address in order to enable us to prevent or shed light on any misuse or infringement in the context of our 
services.

2.4 Data processing when you register as a user

You have the option to register as a user of our Onleihe services, which allows you to borrow digital media (ebooks, emagazines etc.) from our Onleihe selection.
Since we provide the Onleihe service to participating libraries that in turn provide the service to their users, the use of Onleihe services initially requires library users to register as such. Please note that 
we have no influence on user data collected by your library, such as your name, address etc. Only your library decides what data to collect when you register. Please contact your library for the data 
protection notice that covers such data.

In order to register as a user of our Onleihe service, however, you will only ever have to enter your library ID number (and where applicable your library user number) and your password. This data is 
required to identify you as a user who is entitled to borrow items. The details entered by you will either be sent to the library where you are registered as a user and checked there, or verified against a 
library user database provided to us by your library.

Once your details have been checked or verified, your library or the user database will inform us of whether the user account that is linked to the registration data is entitled to borrow media. We will also 
be provided with information on FSK approval (for instance “entitled to borrow media for individuals of 16 and over” etc.) and where appropriate the age recorded at the library in relation to the user 
account; this is required because some digital content is subject to age restrictions.The technical details of the registration process are set out at Point 3.4.1.

2.5 Data processing when you borrow media

When you borrow digital media from our Onleihe selection, we collect and process the data set out at Point 3.5. In summary, these are the data relating to the item in question (such as the title of the item 
and how long it is being borrowed for). We assign these to you as the borrowing user.

We need to collect these data and assign them to you in order to enable us to loan you the item in question.

2.6 Data processing when you use media that you have borrowed

Digital media, in particular ebooks, are protected against unauthorised use and dissemination by technical safety mechanisms, such as embedded digital watermarks. These safety mechanisms, 
known in technical terms as DRM systems, are provided to us by third party suppliers. In the context of Onleihe services we use DRM systems provided by VIVLIO and Adobe.
When you use an item that you have borrowed, for instance when you want to read an ebook, you have to identify yourself on the DRM system as an authorised user. The VIVLIO DRM system creates 
an encrypted data set for this purpose from your user name and password. This is passed on to VIVLIO for authentication and identifies you as an authorised user who is entitled to use the medium 
in question. Apart from this data, which cannot be decrypted by VIVLIO, no other data is sent to VIVLIO. VIVLIO acts as a processor and is thus solely instructed by us. The Adobe DRM system, on 
the other hand, is completely separate from the Onleihe service and requires you to register independently with Adobe. We do not pass any data to Adobe.

You will find a detailed description of the DRM systems at Point 2.5.

2.7 Data processing when you reserve an item

When you reserve a title that we offer, the reservation is assigned to you as a user as set out in Point 3.5. If you would like to be notified when the item you have reserved is available to borrow, you can also provide your email address for this purpose.

It is necessary to assign items to you in order to enable you to use them. We use your email address solely to notify you that your reserved item is available.

2.8 Data processing when you review items

When you take the opportunity provided in the catalogue to review items you have borrowed, we assign your feedback to you as a user, as set out at Point 3.5.
Assigning reviews in this way is necessary in order to prevent the same individual leaving multiple reviews.

2.9 Data processing when you use elearning provided by third parties

Being an Onleihe user gives you access to certain third party elearning services, depending on the services on offer in your library. 

If you would like to make use of a third party elearning service, we will collect and process the data set out at Point 3.6 and assign them to you as a user. In summary these data relate to the use you make of the service (such as the specific service you want to access).

We need to collect these data and assign them to you in order to enable you to use the services in question.

divbib will then forward you to the relevant third party service. The third party in question will receive your user data in an encrypted format that cannot be decrypted by them, to prove that you are authorised to use their services.

Use of such services is independent of our Onleihe services and no further data is exchanged between ourselves and the third party in question.

2.10 Duration of data storage 

We store the data referred to only for as long as is necessary to achieve the stated purpose. Data may be stored for longer in individual cases, for instance for evidentiary purposes. Further details are at Point 5.

3. What data do we collect, what is it for, and what happens to it?

3.1 Data we process when you visit our website

3.1.1 Operation of the website

When you visit our website, even in the context of a simple visit to our website where you do not log in or use our individual services, the following data will always be collected and processed, without specifically identifying you:

- the websites previously visited by you (referrer URLs),
- the individual pages of our website accessed by you,
- the date and time you accessed our website,
- the Internet Protocol Address (IP address) of the accessing device,
- the type and, where applicable, model name of your device used by you to access our website (e.g. HP Touchpad, iPhone X, etc.)
- the browser and operating system used by you to access our website, including the respective version number and configured language.

This information is required in order to:

- deliver our website content correctly,
- optimise our website content, e.g. adapting content for viewing on a mobile device,
- ensure the ongoing functionality of our information technology systems and our website
technology, and
- provide law enforcement agencies with the information required to secure a prosecution in the 
event of a cyber-attack.

We process these data for as long as is necessary for the aforementioned purposes. They are subsequently anonymised and analysed by us, on the one hand statistically, and on the other with a 
view to improving data protection and data security at our organisation, in order ultimately to ensure an optimum level of protection for personal data processed by us. Data processing is undertaken in 
order to enable us to provide our services and is therefore based on Art. 6(1)(b) of GDPR. It also serves to ensure our services are of as high a quality and have the greatest possible integrity; 
processing is therefore also in our legitimate interests and is based on GDPR Art 6(1)(f).

In addition, when users visit the website hilfe.onleihe.de, a cookie is set that is required to deliver the technical aspects of the website (“JSESSIONID”). This saves the current session and its settings, in 
order to avoid having to adjust settings and inputs repeatedly in the course of the session. The cookie expires as soon as the browser session is ended.

Our host provider, Plus Server GmbH, Hohenzollernring 72, 50672 Cologne, handles data processing 
on our behalf and is therefore a processor within the meaning of GDPR Art. 28 ff.

3.1.2. Range measurement and usage analysis

We of course want to design our services to meet our users’ needs and offer you the best possible user experience. We therefore continually check the functionality of our services and correct any 
functions that we find to be faulty or user-unfriendly. A further aim is to discover whether or to what extent our services are reaching our intended target group, and to this end we need to understand 
where, how and to what extent you are using our services. This also enables us to adapt our hardware to increased usage, for example, in order to keep our Onleihe services as trouble-free and 
speedy as possible.

In order to obtain the above information, we create pseudonymised usage profiles using cookies, which enable us to collect information about what users are clicking on and browsing when they use 
our services. In this context, the following data are processed:

- IP address and geolocation based on IP address
- device, operating system/browser
- scrolling and clicking behaviour
- type and frequency of faults when they occur

Data processing in this context is undertaken in our legitimate interests as mentioned above and is therefore based on Art. 6 (1) (f) of GDPR. Data processing in the context of the use of cookies is dependent on your consent and is therefore based on Art. 6 (1) (a) of GDPR.

3.2 Data processed by us when our Onleihe App is used

3.2.1 Basic functionality

When our Onleihe app is used, we always process the following personal data, without specifically identifying you:

- the individual app pages and/or functions you have accessed or used;
- the date and time our was accessed;
- the type of end device on which the app is installed 
- the IP address of the end device on which the app is installed;

This information is required in order to:
- deliver our app correctly; 
- optimise the content of our app, e.g. adapting content for viewing on your end device;
- ensure the ongoing functionality of our information technology systems and our app 
technology, and
- provide law enforcement agencies with the information required to secure a prosecution in the event of a cyber-attack.

We process these data for as long as is necessary for the aforementioned purposes. They are subsequently anonymised and analysed by us, on the one hand statistically, and on the other with a 
view to improving data protection and data security at our organisation, in order ultimately to ensure an optimum level of protection for personal data processed by us. Data processing is undertaken in 
order to enable us to provide our services and is therefore based on Art. 6(1)(b) of GDPR. It also serves to ensure our services are of as high a quality and have the greatest possible integrity; 
processing is therefore also in our legitimate interests and is based on GDPR Art 6(1)(f).

To the extent that usage of our app establishes a connection to our servers, data processing is undertaken by our host provider, Plus Server GmbH, Hohenzollernring 72, 50672 Cologne, which is a processor within the meaning of GDPR Art 28 ff.

3.2.2 Range measurement and usage analysis

We of course want to design our services to meet our users’ needs and offer you the best possible user experience. We therefore continually check the functionality of our services and correct any 
functions that we find to be faulty or user-unfriendly. A further aim is to discover whether or to what extent our services are reaching our intended target group, and to this end we need to understand 
where, how and to what extent you are using our services. This also enables us to adapt our hardware to increased usage, for example, in order to keep our Onleihe services speedy and as 
trouble-free as possible.

In order to obtain the above information, we use the range measurement and usage analysis tools referred to in the present Point, 3.2.2. Data processing in this context is undertaken in our legitimate 
interests as mentioned above and is therefore based on Art. 6 (1) (f) of GDPR.

Further details of specific data processing procedures can be found in the section below. Unless otherwise provided for, the data processing procedures described therein are undertaken by service 
providers commissioned and instructed by us on the basis of a processing contract (Art. 28 ff. of GDPR):

a) Google Firebase for Mobile Apps

When you activate the features described below, we will use Google Firebase for Mobile Apps, a web analysis service from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, hereinafter referred to as “Google”).This service is deactivated by default. Only upon activation will it create pseudonymised usage profiles for the use of our mobile apps, which enable us to collect information about what users are clicking on and browsing when they use our services.

In this context, the following data are processed:

- IP address and geolocation based on IP address
- device, operating system/browser
- scrolling and clicking behaviour

The information generated in the context of this data processing is transferred to a Google server in the USA and processed and stored there. Google is Privacy Shield certified and has therefore undertaken to comply with the Privacy Shield Framework on the collection, use and storage of personal data from EU member states published by the US Department of Commerce and agreed between the EU and the US.

You can activate data processing by Google Firebase for Mobile Apps- by going to the “Info” section of our app, clicking on the “Data protection” tab and deactivating Google Analytics by selecting the “Switch on tracking” option. Activation will only apply to the device on which you select this option. 

Since Google Firebase for Mobile Apps is deactivated by default and the setting is saved on your device, you will need to repeat the process whenever you reinstall the app. 
Further information on data processing by Google is available in Google’s Privacy Policy at https://policies.google.com/. Answers from Google to frequently asked questions on data protection are available from https://support.google.com/analytics/answer/6004245?hl=de.

b) Google Analytics for eReader

Our eReader app uses Google Analytics for eReader, a web analysis service by Google which is deactivated by default. Only upon activation will it create pseudonymised usage profiles for the use of our mobile apps, which enable us to collect information about what users are clicking on and browsing when they use our services. Tracking is deactivated by default.

If Analytics are activated, the following data are processed:

- IP address and geolocation based on IP address
- Device, operating system/browser 
- Scrolling and clicking behaviour
- Type and frequency of errors when they arise

The information generated in the context of this data processing is transferred to a Google server in the USA and processed and stored there. Google is Privacy Shield certified and has therefore undertaken to comply with the Privacy Shield Framework on the collection, use and storage of personal data from EU member states published by the US Department of Commerce and agreed between the EU and the US.

You can activate data processing by Google Analytics for eReaders by going to the “My Account” section of our app, clicking on the “Data protection” tab and deactivating Google Analytics by selecting the “Switch on tracking” option. 

Further information on data processing by Google is available in Google’s Privacy Policy at https://policies.google.com/. Answers from Google to frequently asked questions on data protection are available from https://support.google.com/analytics/answer/6004245?hl=de.

3.3 Data processed by us when you contact us

When you contact us via the contact options available on the website or in our Onleihe App, in  particular the contact form or email addresses and fax numbers given there, we process, in addition to the date and time of your query, such data that you voluntarily provide us with. We will let you know on a case-by-case basis whether information is essential or can be provided on a voluntary basis. These include, for example, your form of address, (academic) title, name, (mobile) telephone number  and, if not already required for answering your electronic query, your email address, as well as other information that you provide voluntarily. We use these data for processing your contact query. Your  data are processed on the basis of your request and such processing is based on Art. 6 (1) (b) GDPR  in this respect. To the extent that you provide information on a voluntary basis, we will process it on  the basis of your consent pursuant to GDPR Art 6(1)(a). 


If you make use of our website services where you must log in with a user account (see Point 3.4), then we will match the data transferred as part of the contact query with your (temporary) user profile.  Your data is processed in this way for the correct handling of our query and in order to identify you when you make queries about our products and services and for documenting your queries in  connection with our contractual relationship. Processing is based on GDPR Art. 6 (1) (b) and on our  legitimate interest under GDPR Art  (1)(f) in this respect. When you use our contact form, your internal protocol address (IP address) will also be stored. This is  to ensure the provision of our services and prevent their misuse. Where necessary, it makes it  possible for crimes committed to be  nvestigated and enforce third-party private rights. In this respect,  storing your IP address is necessary for our protection. These data are not passed on to third parties  in principle, apart from when there is a corresponding statutory obligation to pass them on or when 
passing them on is used for criminal prosecution. The legal basis for the processing of these data is Art. 6 (1) (f) GDPR. If the query is made in connection with the use of the services stated in Points 2.5 to 2.8 or within the  framework of our contractual relationship including its initiation, then the data transferred or collected when the query is made will be stored for the duration of our contractual relationship. Otherwise, in principle data is only stored for as long as is necessary to answer your query. Storing these data beyond this period of time is however possible in the cases stated in Point 5.

3.4 Data processed by us when you log in as a user


You have the option of logging in as a user of our website by entering personal data. Logging in is a condition for the digital borrowing of content within the framework of the “Onleihe” set out in Point 3.5 and requires you to register as a user with a participating library.
Please be aware that we have no influence over the inventory data collected by your library, such as your name, address, etc. Your library alone decides which data to collect when you register. Please 
contact your library for the relevant data protection notice. Logging in as a user on our website is carried out with the participation of the participating libraries  pursuant to the following information. Session cookies are required for the technical implementation of 
the user login (see Point 2). 


3.4.1. Authentication process


When you log in as a user, different authentication processes will apply as explained below, depending on the channel you use (web Onleihe or Onleihe App) and the interfaces provided by libraries. The icons visible on the respective display are also displayed when using the login, which means you can always recognise which authentication method is being used when you log in. 


1. Library authentication with embedded or external login (library customers from |a|S|tec| angewandte Systemtechnik GmbH, Paul-Lincke-Ufer 7 c, 10999 Berlin.)
When using library authentication with embedded login (iFrame) or external login, an encrypted  channel to the library user database is created in the background and a login form for your library is created. You therefore send your entries in the login form directly to your library which carries out the authentication under its own responsibility. After successful authentication, we receive information from your library on your login status (e.g. a numerical value for “user may borrow” or “query invalid”) and a pseudonym in the form of a hash value created via a hash function that is not known to us; it is not possible to identify you on the basis of these details.When you use library authentication via the Onleihe app, an encrypted channel to the library user database is created in order to authorise you as a library user directly via your library. For the purposes of authentication we send your library the ID number you entered in the registration form and where appropriate your library user number.After successful authentication, we receive information from your library on your login status (e.g. a numerical value for “user may borrow” or “query invalid”), details of you FSK approval and where appropriate your age. We also receive from the library a pseudonymised hash value created via a hash function that is not known to us, which identifies you as an individual in our system and which is used to assign your use of Onleihe services to you.


2. Divibib online authentication
An encrypted channel to the library user database is created to enable your library to authenticate you directly as a library user. For the purposes of authentication, we send your library the ID number you entered in the registration form and where applicable your library user number and password. After successful authentication, we receive information from your library on your login status (e.g. a numerical value for “user may borrow” or “query invalid”), your library ID and library number as well as information on your FSK approval and, if applicable, your age. We also receive a hash value of your library password generated using an encryption algorithm.

3. Divibib offline authentication
You can enquire about libraries not participating in the above authentication procedures and which offer offline authentication procedures by email via support@divbib.com. For the divibib offline authentication procedure the libraries concerned regularly provide us with data records containing all users entitled to use Onleihe intervals. The data records transferred by libraries contain the library ID number and where applicable the library user number, a hash value for the corresponding library password generated using an encryption algorithm and information on FSK approval and where applicable the age of all library users with usage authorisation. As a rule, we store such data until the relevant library provides updated data records informing us that individual records are no longer current and can by deleted. When you use the divibib offline authentication procedure, we collect the information provided by you in the login form, namely your library user ID and library password (in an encrypted format) and match these with the data records available to us. After successful authentication, we save information on the login status (e.g. a numerical value for “user may borrow” or “query invalid”).We process your data – including the data supplied by the libraries concerned – in order to verify your entitlement to use our services as part of our contractual performance. This processing is therefore based on Art. 6 (1) (b) GDPR. 


4. Library authentication by means of redirection (Goethe Institut library customers)
When using library authentication by means of redirection, you will be redirected from our website to your library’s login form. Authentication is therefore carried out directly by the library and under its responsibility. After successful authentication, we receive information from your library on your login status (e.g. a numerical value for “user may borrow” or “query invalid”), your library ID and library number as well as information on your FSK approval and, if applicable, your age. We also receive a hash value of your 
library password generated using an encryption algorithm.

Authentication using Onleihe App

The above-mentioned authentication procedures are also used in the Onleihe App. 


3.4.2. After finalisation of authentication


If authentication is successful, we use the ID number and where applicable user number obtained from your library in accordance with the above information in order to generate a pseudonymised user ID with an encryption algorithm (“hash function”) which we require for providing the Onleihe services. Because of the encryption algorithm used, this user ID contains no characteristics which would allow us to infer your identity. This data processing is based on Art. 6 (1) (b) GDPR. In addition, along with the aforementioned user ID we use the information obtained from your library on your FSK approval and, where applicable, information obtained on your age, to be able to comply with the requirements of the Youth Media Protection Agreement (the German ‘Jugendmedienschutzstaatsvertrag’ or ‘JMStV’) when loaning out the digital content. The data are thus processed in order to comply with a legal obligation to which divibib is subject and such processing is based on Art. 6 (1) (c) GDPR.


As part of the library authentication procedures referred to in points 2 and 3, we store your library ID number and where applicable library user number as a hash value for a period of eight weeks following successful authentication so that we are able to continue to provide you with Onleihe access in the event of a failure in the library authentication system. In this respect, we are processing data in order to comply with our contractual obligation to provide Onleihe and such processing is based on Art. 6(1)(b) of GDPR and on our legitimate interest in being able to provide you with reliable user login, as provided for in GDPR Art. 6(1)(f). In principle, we only use the user ID and information on your FSK approval and age respectively (hereinafter referred to as “user data”) while this is necessary 
for contractual performance. As a rule, these data are therefore deleted once your online session has ended if you do not use any other services (in accordance with Points 3.5 to 3.7). 


Your user data is stored beyond your respective online session and, where necessary, beyond the “stay logged-in” option period if you use our Onleihe features to borrow or reserve a title) (see Point 3.5).


3.5 Data processed by us when you use Onleihe


We provide you with a service allowing you to borrow digital content (“Onleihe”). In order to use Onleihe, you must log in as a library user beforehand in accordance with Point 3.4 of our data protection notice. 


Borrowing


During a loan transaction, we collect data necessary for the loan process (transaction number of the loan transaction, information on the title borrowed, date and time of the loan and length of the loan) and match these with your user data (see Point 3.4). Processing these data is necessary for the contractual performance and such processing is based on Art. 6(1)(b) of GDPR. Moreover, we provide you with a rating interface with which you can rate the borrowed titles in a points system. If you use this feature, we match your rating with your user data (see Point 3.4). This is undertaken in our legitimate interest, in order to prevent multiple ratings by the same person and is thus based on Art. 6 (1) (f) of GDPR. 


The data processed as part of the respective loan is stored along with your user data (see Point 2.4) until the end of the loan. Storage beyond this period of time is possible in the cases stated in Point 5. In order to protect copyright in accordance with Sections 3(3) and (4) of the General Terms and Conditions of Use, technical protection measures and rights management information are provided (e.g. digital water marks) to enable the electronic medium to be connected with the data processed as part of the loan. For statistical purposes, divibib discloses to your library and where applicable to licensors and the libraries associated with Onleihe the number of times individual media are borrowed, without any references to individuals.

If divibib provides “integrated readers” as a software application for the use of “Onleihe”, please be aware that integrated readers use either the Adobe or the VIVLIO DRM system. 


The Adobe DRM System requires you to enter into an agreement with Adobe Systems Inc. (Adobe) concerning the provision of an Adobe ID. If you use the Adobe DRM system and your Adobe ID within the framework of integrated readers, personal data, independent of divibib, will be collected, processed and passed on to third parties. The functionalities of the Adobe DRM system and Adobe ID within the framework of integrated readers require such use of your personal data. If you do not want this, do not use integrated readers, since their functionality requires a corresponding use of your personal data. For more details, please see Adobe’s data protection notice (www.adobe.com/privacy.html). If you use the VIVLIO DRM system we create a random value, known as a “token”, from your user 
name and password. This token is passed on to VIVLIO and used for authentication, and for the download and ongoing use of the eBook in question. The token will also be stored on your device. Should it not be possible to establish a connection between the server and the VIVLIO DRM system, you will be asked to enter your user name and password. These data will be used as usual (see Point 3.4.1) to generate a hash value pseudonym using an encryption algorithm, which will then be transmitted to VIVLIO.


Reservations


When using Onleihe, you have the option of reserving individual titles and registering for an email notification service. Since in principle we only process user data in a pseudonymised way within the framework of the registration (see point 3.4) and therefore cannot match them to specific persons, we also require your email address for this purpose. If you choose to use the reservation feature and provide your email address for this purpose, we will match this to your user data in order to carry out the reservation. In this respect, the data is processed for the contractual performance and such processing is based on Art. 6 (1) (b) of GDPR. Your email address is stored along with your user data (see Point 3.4) until the title made available through the reservation feature is borrowed by you or the reservation expires.


3.6 Data processed when using e-learning content provided by a third-party


As a user of Onleihe you have the option, where applicable, of using certain third-party provider elearning content if offered by your library. You can make use of this via your access to Onleihe. This third-party provider content is only available to Onleihe users within the presented scope.


General liability information


When using a third-party provider e-learning service for the first time, you will either be permitted by this provider to immediately use its e-learning or other content, on the basis of the third-party provider’s General Terms and Conditions and privacy statement, or prompted to register separately and in this context asked to accept the third party provider’s General Terms and Conditions and privacy statement. divibib redirects you as a library user only to the content of the respective third party provider. The technical and administrative services and the granting of user rights of e-learning or other content thus chosen by you are only supplied by the respective third-party provider and not by divibib. divibib only enables you to be able to make use of this content through Onleihe. divibib is only the data protection controller in this respect. After transfer to the third-party provider, only this provider is responsible for the further data processing and is the controller within the meaning of the data protection law. For more information on the collection, storage and/or processing of personal data for which the respective third-party provider is solely responsible as well as your consent required for this, where applicable, can be found in the data protection notice of the respective third-party provider. 


divibib’s scope of liability and disclosure of your data


When you make a request to access a third-party supplier’s e-learning content, we collect the data necessary for providing this access (transaction number of the usage access, information on the selected e-learning content and the date and time of the selection process). The pseudonymous has value created during registration (see Point 3.4) is passed on to the respective third-party provider of the e-learning content chosen by you when your request concerning the e-learning content is transferred after further pseudonymisation so that this third-party provider can ensure that you are a library user authenticated beforehand by your library and are entitled to use Onleihe and the e-learning content of the third-party provider. This disclosure is only carried out with 
your prior consent and is therefore based on Art. 6 (1) (1) (a) of GDPR. In connection with the forwarding of your pseudonymous user ID to a third-party provider, it is possible that the third-party provider will collect personal data, e.g. if it requires additional registration 
from you. This also applies if it is additionally necessary to download an app of the respective third party provider for use of the respective content. In such a case, the third-party provider can connect the transmitted pseudonymous user ID with the personal data collected by it, e.g. in order to permit you to once again transfer from Onleihe to the e-learning content of the third-party provider without logging in to the relevant e-learning content again or save learning statuses. The respective third party provider carries out both the collection of the relevant personal data as part of the e-learning or other content as well as the connection of the personal data collected by it with your pseudonymous user ID under its own responsibility. 


4. How do we handle your data?


Within the framework of the respective usage purpose, we aim to always achieve the highest possible level of security when processing data. Although absolute protection cannot be guaranteed, we have taken security measures in order to protect your data. This includes, for example, the fact that we always transfer data in an encrypted format only. For this purpose we use the SSL (secure socket layer) coding system, which is meant to stop third parties from intercepting data streams and your data from being able to be viewed in plaintext. You can recognise the use of the SSL coding system by “https://” in the address bar of your browser as well as in common browsers with a corresponding lock symbol shown next to the address bar. You therefore know that your data is being passed on to us securely.


5. How long do we store your data for?


We process and store personal data for the period of time necessary for achieving the given purpose. You can find specific details on this in the information on the individual processing operations (see Point 3). Once the purpose for which you passed your personal data to us has been achieved, or at your request, we will delete these data, unless we are legally entitled or obliged to retain them (for instance, for evidentiary purposes in the context of the execution of our contractual relationship or for tax reasons). In the latter event, data may need to be stored for longer than required for the original intended use. We are required to retain invoices/bills, for instance, for a period of 10 years (Art. 147(3) of the German Fiscal Code (Abgabenordnung)) If the original usage purpose has been achieved or has expired, we will only continue to use the personal data within the framework of the statutory obligation or entitlement and conclusively delete them upon cessation of the statutory obligation or entitlement.


6. Do we disclose your data to third parties?
We may arrange for the disclosure of data to one or several persons or companies which process the data within the framework of the respective purposes described above for us as controllers (“processors”). The following persons and companies are currently appointed to handle data processing (processing in accordance with Art. 28 of GDPR):


- Plus Server GmbH, Hohenzollernring 72, 50672 Cologne (host provider, see Points 3.1.1 and 3.2.1)
- Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (web analysis, see Points 3.1.2 and 3.1.3)


These processors process your data with the necessary care. They are under our supervision and depend on our instructions. It is therefore ensured that the data will be processed with full protection of your rights, in particular those pursuant to Point 7 below.
Your data are disclosed for other purposes to the extent stipulated in Point 2 and for the purposes specified therein to the following persons and companies: 


- Your library and if applicable the libraries affiliated with Onleihe, see Points 3.4, 3.5 and 3.6,
- Third-party providers of e-learning content chosen by you, see Point 3.6,


7. What rights do you have?


Concerning the use of your data, you have the rights stipulated below. These rights may be asserted against us as the controller. You may of course contact our data protection officer directly.


7.1 Right of access


You have the right to obtain information at any time free-of-charge from us on the personal data concerning you and a copy of this information. You also have the right to access the information set out in Article 15(1) of GDPR.


Moreover, you have the right to information on whether personal data has been passed on to a third country or international organisation. If this is the case, you also have the right to obtain information on suitable guarantees in connection with the transfer. 
Your right of access is based on Art. 15 of GDPR.


7.2 Right to rectify incorrect data and amend incomplete data


You have the right to request the immediate rectification of incorrect personal data relating to you. You also have the right, in the context of the purpose of processing, to request a supplementary declaration completing any incomplete personal data. Your right to the rectification of incorrect data and the amendment of incomplete data is based on Art. 16 of GDPR.


7.3 Right to the erasure of data (right to be forgotten)


You have the right to request that we erase personal data relating to you, provided that it is for one of the reasons set out in Art. 17(1) of GDPR and processing is not required for the reasons set out in Art. 17(3) of GDPR. Your right to the erasure of data is based on Art. 17 of GDPR.


7.4 Right to restriction of processing


You have the right to request that we restrict processing where one of the conditions set out in Art. 18(1) of GDPR applies.Your right to restriction of processing is based on Art. 18 of GDPR.


7.5 Right to data portability


Under the provisions of Art 20(1) of GDPR, you have the right to receive personal data with which you have provided us, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, unless the processing is necessary for the exercise of a task carried out in the public interest or within the context of exercising the official authority vested in us.Moreover, in exercising your right to data portability, you have the right to have the personal data 
transmitted directly from one controller to another, where technically feasible, provided that the rights and freedoms of others are not adversely affected.Your right to data portability is based on Art. 20 of GDPR.

7.6 Right to object


Under the conditions set out in Art. 21 of GDPR, you have the right to object at any time to the processing of personal data concerning you based on Art. 6 (1) (e) or (f) of GDPR. This also includes profiling based on these provisions. Your right to object is based on Art. 21 of GDPR


7.7 Automated individual decision-making, including profiling


You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which similarly significantly affects you unless the decision is necessary for entering into or performance of a contract between you and us, or is authorised by European Union or Member State Law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or is based on your explicit consent. 
If the decision is necessary for entering into or performance of a contract between you and us, or is based on your explicit consent, we will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of our company, to express your point of view and to contest the decision. If you wish to assert rights to automated decision-making, please contact our data protection officer or another of our colleagues at any time. These rights are based on Art. 22 of GDPR.


7.8 Right to withdraw data protection consent


You have the right to withdraw your consent to the processing of personal data at any time in full or in part.Withdrawal of consent by you shall not affect the lawfulness of processing carried out on the basis of your consent prior to such withdrawal. Your right to withdraw data protection consent granted is based on Art. 7 (3) of GDPR.

7.9 Right to lodge a complaint with a supervisory authority


You have the right to lodge a complaint with a supervisory authority. This right is based on Art. 56 (2)  of GDPR.


8. Changes to this data protection notice


The use of data collected is explained in the data protection notice in force at the time such data are collected. We reserve the right to change this data protection notice in order to take account of changed circumstances and legal situations. In this case, we will publish the new and henceforward current version of this data protection notice on our website. We will indicate the places where any changes to this data protection notice have been made as appropriate. This applies in particular if we intend to 
use data already collected for a purpose other than was originally intended. If the use of your personal data is based on your consent, then we will only use your data to the extent that you have consented, regardless of any subsequent changes to this data protection notice. In the event of any changes, we will ask you to reconfirm your consent to any proposed changes in the way your data is used.