eLABa Personal Data Processing and Privacy Notice

Updated: 02/06/2026

We respect your privacy and are committed to ensuring that your personal data is processed lawfully, fairly, transparently, and securely. This Privacy Notice provides information on what personal data is processed within the Lithuanian Academic Electronic Library Information System (hereinafter – eLABa), the purposes for which it is used, the legal bases relied upon, the sources from which the data is obtained, the retention periods applied, the recipients to whom the data may be disclosed, and the rights you have as a data subject.

Personal data within the eLABa Information System is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, hereinafter – GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania, the Law on Higher Education and Research of the Republic of Lithuania, the Law on Electronic Communications of the Republic of Lithuania, the Law on Cyber Security of the Republic of Lithuania, the Law on the Management of State Information Resources of the Republic of Lithuania, the Regulations of the Lithuanian Academic Electronic Library Information System, the Data Security Regulations of the Lithuanian Academic Electronic Library Information System, and other applicable legislation governing the operation of eLABa, the management of state information resources, information security, cybersecurity, and personal data protection.

The processing of personal data within eLABa is generally based on Article 6(1)(c) of the GDPR, where processing is necessary for compliance with a legal obligation to which the controller is subject; Article 6(1)(e) of the GDPR, where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and, where applicable, Article 6(1)(b) of the GDPR, where processing is necessary for the performance of a contract; Article 6(1)(f) of the GDPR, where data is processed on the basis of legitimate interests; and Article 6(1)(a) of the GDPR, where processing is based on the data subject’s consent.

Personal data is processed for the purposes of carrying out functions established by applicable legislation, administering research and study documents, registering, evaluating, and recording research and study outputs, providing eLABa services, ensuring the operation and security of the eLABa Information System, verifying user identities, ensuring the traceability of actions, and fulfilling other lawful purposes of personal data processing.

Data Controllers and Administration of the eLABa Information System

Lithuanian higher education and research institutions using eLABa act as data controllers, within the scope of their competence and functions established by applicable legislation, when processing the personal data of their employees, students, or other individuals associated with the institution in the eLABa system. Each institution is responsible for ensuring the accuracy and lawfulness of the personal data it processes and for facilitating the exercise of data subjects’ rights in accordance with the applicable legal requirements.

The controller of the eLABa Information System is the Ministry of Education, Science and Sport of the Republic of Lithuania, located at A. Volano St. 2, LT-01516 Vilnius, Lithuania.

The principal processor of the eLABa Information System is Vilnius University, located at Universiteto St. 3, LT-01513 Vilnius, Lithuania. Within Vilnius University, the security and technical implementation functions of the eLABa Information System are performed by the Information Technology Services Centre.

If you wish to request the rectification of inaccurate data, exercise your rights as a data subject, or obtain additional information regarding the processing of your personal data, we recommend that you first contact your institution or its designated Data Protection Officer.

Sources of Personal Data

Personal data processed within eLABa may be obtained from the data subjects themselves, from higher education and research institutions using eLABa, from their information systems, registers, document management systems, study administration systems, and other related systems, as well as from other data sources established by applicable legislation where necessary for the performance of eLABa functions.

Where personal data is not obtained directly from the data subject, the data subject shall be informed about the processing of their personal data in accordance with the GDPR and other applicable legal requirements, except in cases where the provision of such information is not required by law.

Requirement to Provide Personal Data and Consequences of Failure to Provide Data

The provision of personal data within the eLABa Information System may be required by law, on the basis of contractual or other legal relationships, or in order to make use of services provided through eLABa. Failure to provide the necessary personal data may result in the inability to grant access to eLABa, administer research and study documents, maintain records of research and study activities and outcomes, use library services or other eLABa functionalities, or perform functions assigned to eLABa under applicable legislation.

Recipients of Personal Data

Personal data may be disclosed to members of the eLABa consortium, providers of eLABa maintenance, support, and development services, state and municipal authorities, law enforcement agencies, auditors, institutions providing archiving services or performing archival functions, and other recipients who are entitled to receive such data under applicable legislation.

Where provided for by law or necessary for the performance of eLABa functions, personal data may be transferred to other information systems, registers, or institutions in accordance with the procedures established by applicable legislation.

Personal data shall be transferred outside the European Economic Area only where such transfers comply with the requirements of the GDPR and appropriate safeguards for the protection of personal data are in place.

Automated Decision-Making

eLABa does not carry out automated decision-making or profiling that produces legal effects concerning data subjects or similarly significantly affects them.

What Personal Data Do We Process and for What Purposes?

Personal data within the eLABa Information System is processed for the purposes of administering research and study documents, establishing authorship, registering, evaluating, and recording the research and artistic outputs of employees and students of higher education and research institutions, carrying out graduation procedures, collecting, storing, and providing access to research and study documents, as well as ensuring the operation of eLABa, information security, and user support functions.

The scope of personal data processed is determined in accordance with the Regulations of the Lithuanian Academic Electronic Library Information System (eLABa) and other applicable legislation governing the operation of eLABa. Personal data is processed only to the extent necessary to achieve specific, explicit, and legitimate purposes, in compliance with the principles of data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.

For the Purposes of Establishing Authorship, Recording Research Activities, and Administering Research and Study Documents

For the purposes of establishing authorship of research outputs, registering and evaluating the research and artistic activities of employees and students, conducting graduation procedures, administering final theses, dissertations, and other research and study documents, the following categories of personal data may be processed:

  • Name and surname;
  • Contact details, where necessary for achieving a specific purpose;
  • Information concerning the institution and its organisational unit;
  • Information relating to studies and employment relationships;
  • Position, academic status, and academic degree;
  • Study commencement and completion information;
  • Information relating to publications, final theses, dissertations, and other research and study documents;
  • Information relating to document authors, co-authors, supervisors, reviewers, defence committee members, and other persons involved in document evaluation processes;
  • Metadata relating to final theses, dissertations, and other research and study documents;
  • Document title, abstract, language, keywords, publication details, and access information;
  • Information regarding similarity checks performed on documents and the results of such checks;
  • Document files and related information.

These personal data are processed for the performance of functions established by applicable legislation, the execution of tasks carried out in the public interest, the administration of research and study documents, the recording of academic activities, ensuring the legal evidential value of records, and archiving in the public interest.

eLABa Data Retention Periods

Data processed within eLABa is retained for the periods established by the Regulations of the Lithuanian Academic Electronic Library Information System (eLABa) and other applicable legislation.

Research and study documents and/or their metadata referred to in Sections 20, 22.1, 23.1, and 24–29 of the Regulations are retained for the entire period during which eLABa operates.

The personal data of eLABa users specified in Section 21 of the Regulations is retained throughout the period of use of eLABa and for two years following the expiration of the last active record relating to the user in eLABa, or until the information is removed at the user's request, except in the case referred to in Section 40.2.2 of the Regulations. Upon expiry of this period, the personal data of eLABa users specified in Section 21 of the Regulations is permanently deleted.

The validity of an active record concerning an eLABa user expires on the date when the user last used eLABa, except where a longer validity period has been established during user registration or specified by the individual within eLABa. In such cases, the active record is deemed to expire on the last day of the applicable period. Where eLABa contains records relating to outstanding obligations of a user, such records remain valid until those obligations have been fulfilled.

The personal data specified in Sections 22.2 and 23.2 of the Regulations is retained, in accordance with the Law on Higher Education and Research of the Republic of Lithuania and other applicable legislation, for ten years from the date of completion of studies where the individual is a student or course participant, or from the date of termination of the individual’s contractual relationship with the eLABa processor where the individual is an employee. Upon expiry of this period, the personal data referred to in Sections 22.2 and 23.2 is automatically transferred to the eLABa database archive. Such personal data is retained in the archive for fifty years. Upon expiry of this retention period, the archived personal data is permanently deleted.

These retention periods are established to ensure the long-term preservation of study and research results, qualifications, academic and scientific activity records, their legal evidential value, archiving in the public interest, and the performance of functions established by applicable legislation.

Documents are transferred to archives or destroyed within three months after the end of the calendar year in which their retention period expires, unless otherwise provided by applicable legislation.

Administration of User Accounts and Identity Verification

For the purposes of user account administration and identity verification, the following personal data may be processed: name, surname, personal identification number, academic degree, student identification card number (where the user is a student), employee identification number (where the user is an employee), email address, telephone number, institution, assigned username, and authentication data related to account security.

These personal data are processed throughout the entire validity period of the user account. Where contractual or other legal relationships forming the basis for a user’s access to the eLABa Information System are terminated, the account is blocked immediately, and in any event no later than fourteen calendar days from the date on which information regarding the termination of such relationship is received.

Account-related data is retained for six months following the blocking of the account in order to ensure information system security, facilitate the investigation of potential incidents, unlawful activities or disputes, protect legal rights, and ensure the traceability of actions. Upon expiry of this period, the account data is deleted or anonymised in such a manner that the identity of the data subject can no longer be determined.

For the Provision of Services, Information System Security, and Monitoring of Electronic Communications

For the purposes of ensuring the operation of eLABa, maintaining information system security, ensuring the traceability of user activities, preventing and investigating security incidents, and complying with legal requirements, eLABa system log data is processed automatically.

System logs may record information relating to a user’s login and logout times, session duration, username, device or network IP address, actions performed within the system, the entry, modification, updating or deletion of electronic information, and other activities necessary to ensure system operation, security, and accountability.

Log data is protected against unauthorised use, disclosure, alteration, destruction, or any other unlawful processing. Such data may be used for information security purposes, the detection and investigation of security incidents, the protection of legitimate interests, monitoring compliance with legal requirements, and auditing activities.

Data stored in the primary system logs is retained for no less than sixty (60) calendar days. Archived copies of system logs used for information security incident investigations, auditing, and ensuring traceability are retained for no less than one (1) year, unless a longer retention period is required by applicable legislation or competent authorities.

Where required by law, and for the purpose of ensuring the availability of data necessary for the investigation, detection, and prosecution of criminal offences, electronic communications data specified in the Law on Electronic Communications of the Republic of Lithuania and other applicable legislation may also be processed and retained. Such data is retained for the period established by law and, upon expiry of the retention period, is deleted or anonymised, unless competent authorities require its continued retention in accordance with applicable legal procedures.

For Ensuring the Safety of Library Users and the Protection of Library Property

For the purposes of ensuring the safety of library users and the protection of library property, the following personal data relating to library employees, students, and other library users may be processed: name, surname, residential address, telephone number, email address, and personal identification number.

These data are processed for the purposes of identifying library users, maintaining records of borrowed documents and other library assets, monitoring their return, preventing losses, recovering unreturned property, asserting or defending legal claims, and ensuring the safety of library property and visitors.

Personal identification numbers and residential addresses are processed only where such data are necessary to accurately identify a library user, administer unreturned property, recover losses, or establish and enforce legal claims. These data are not used for any other purposes unrelated to the provision of library services, the protection of library property, or the enforcement of legal claims.

The data is retained within the information system for no less than three (3) years, unless a longer retention period is required by applicable legislation or a specific legal basis. Upon expiry of this period, documents related to the processing of such data are transferred to the archive within three months following the end of the calendar year in which the retention period expires and are retained in the archive for five (5) years, after which they are destroyed in accordance with applicable legal requirements.

Cookies Used by eLABa

To ensure the proper functioning of the eLABa website, the provision of services, system security, and the improvement of user experience, we use cookies and other similar technologies.

eLABa uses essential technical cookies that are necessary for the proper operation of the website, user authentication, the transmission of information over electronic communications networks, and the maintenance of information system security. These cookies collect only the information necessary for the operation of the website and are not used for user profiling or marketing purposes. Disabling or deleting essential cookies may result in certain website functions operating improperly or becoming unavailable.

Subject to the user’s consent, eLABa may also use analytical cookies for the purposes of evaluating website traffic, analysing user behaviour trends, monitoring the use of the website and its services, and improving the services provided. Data used for analytical purposes is processed in a manner designed to minimise the possibility of directly identifying individual users.

Certain analytical cookies may be placed by third-party service providers, such as Google. Information regarding the cookies used, their purposes, retention periods, and data recipients is provided through the cookie settings interface. Users may modify their preferences at any time and choose whether to consent to the use of non-essential cookies.

If you leave the eLABa website and access websites operated by other organisations or third parties, we recommend that you review their privacy and cookie policies, as eLABa is not responsible for the data processing practices applied by such websites.

More detailed information about the cookies used by the Lithuanian Virtual Library (LVB) can be found at the: https://www.lvb.lt/primo_library/libweb/static_htmls/cookiepolicy/index.html.

Your Rights Regarding the Processing of Personal Data

When your personal data is processed, you are entitled to the rights granted under the GDPR, the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other legislation governing the protection of personal data.

You have the right to:

  • Obtain information about the processing of your personal data;
  • Access the personal data being processed about you;
  • Request the rectification of inaccurate personal data or the completion of incomplete personal data;
  • Request the erasure of personal data where such a right applies under the GDPR;
  • Request the restriction of the processing of personal data where the conditions set out in the GDPR are met;
  • Object to the processing of personal data where the processing is based on the performance of a task carried out in the public interest or on legitimate interests;
  • Receive the personal data that you have provided in a structured, commonly used, and machine-readable format and transmit that data to another controller where the right to data portability applies;
  • Withdraw your consent at any time where personal data is processed on the basis of consent. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal;
  • Lodge a complaint with the State Data Protection Inspectorate if you believe that your personal data is being processed in violation of applicable legal requirements.

These rights may be restricted only in cases prescribed by law where such restriction is necessary for the prevention, investigation, and detection of criminal offences, the investigation of professional or official misconduct, the protection of national or public security, or the protection of the rights and freedoms of others.

To exercise your rights, you may first contact your institution or its designated Data Protection Officer.

Contact Information for Questions and the Exercise of Data Subject Rights

If you have any questions regarding the processing of your personal data or wish to exercise your rights under applicable legislation, you may contact your institution or its designated Data Protection Officer.

You may also contact the Data Protection Officer of the principal eLABa processor:

  • By post: Universiteto St. 3, LT-01513 Vilnius, Lithuania;
  • Via the National Electronic Delivery Information System (E. pristatymas);
  • By email: dap@vu.lt.

If you believe that your personal data is being processed in violation of applicable legal requirements, you have the right to lodge a complaint with the State Data Protection Inspectorate, located at L. Sapiegos St. 17, LT-10312 Vilnius, Lithuania, by email at ada@ada.lt or through the electronic channels specified on the Inspectorate’s website.

Processing of Personal Data for Other Purposes

Where personal data is intended to be processed for a purpose other than those specified in this Privacy Notice or required by applicable legislation, data subjects will be informed before such processing commences, in accordance with the GDPR and other applicable legal requirements, where such notification is required.

Updates to This Privacy Notice

This Privacy Notice may be updated periodically to reflect amendments to legislation, changes in the operation of eLABa, or changes in personal data processing activities. We recommend that you review the current version of this Privacy Notice from time to time to remain informed about how your personal data is processed.