The application of OC 11 is not dependent on the time when the data was collected.

It applies to all processing operations carried out since the introduction of the OC 11 on 1.1.2019, including data subject rights which are enforceable also for “old” data.

What does this mean in practice?

It means that everything that you do today with the data (even if it was collected years ago) must be compliant. This “everything” includes all kind of processing, also storage.

Examples:

• Personal data was collected in 2010 when a new staff member was hired.
  The collection was not subject to OC 11, however, if the data is still present today and it turns out that there is no legal basis and purpose for keeping it, you have to delete it (OC 11 obliges!).

• A transfer of this data to an external entity carried out in March 2018 was not subject to OC 11.
  However, when the data subject concerned submits today a data subject request to correct the data, CERN has to comply with OC 11 and inform this external entity and ask them to update the data, too.

Data anonymisation is an irreversible process by which all data that might allow the data subject to be identified is removed from the dataset in order to render the individual unidentifiable.

There are several anonymisation techniques, and your choice will depend on the context. As the result of the anonymisation process must be as permanent as the destruction, we advise you to check the reliability of the technique you have chosen on the basis of three criteria:

1. Is it still possible to single out an individual?
2. Is it still possible to link information to an individual?
3. Is it possible to deduce information about an individual?

If you can answer "no" to the three questions above, the chosen technique is reliable and will lead to complete anonymisation of the data. If in doubt, or if the chosen process does not meet all the criteria, you should carry out an in-depth analysis of the potential risks and consult the ODP.

Yes, according to the definition in OC 11, personal data includes also “online and device identifiers“.

Examples of such identifiers are:

• Internet protocol (IP) addresses;
• cookie identifiers; and
• other identifiers such as radio frequency identification (RFID) tags.

These identifiers refer to information that is related to an individual’s tools, applications, or devices, like their computer or smartphone. The above is by no means an exhaustive list. Any information that could identify a specific device, like its digital fingerprint, are identifiers.

And these identifiers can leave traces which may be used to create a profile of the device user and his identification, especially if combined with unique identifiers and other information received by servers.

Therefore, both dynamic and static IP addresses are considered personal data, as they allow the direct or indirect identification of the individual using the corresponding device.

Someone posts personal information on a social networking site, so its public and I can use it right?

Well, not exactly. Irrespective of the fact that these data are now known in the public domain, they can only be processed for the same purposes that they were originally made public.

The data subject always remains the owner of his/her personal data, whether publicy available or not.

Consequently, what is posted on a social networking site cannot be used for an employment evaluation for example.

The European Organization for Nuclear Research (“CERN”) is an Intergovernmental Organization with its seat in Geneva, Switzerland. By virtue of its particular legal status, the Organization enjoys certain privileges and immunities under international law.

CERN processes personal data solely in accordance with its internal legislation. CERN’s data privacy framework builds on principles established in its Member States and more generally the European Union, which are implemented through technical and organizational measures. CERN has designated a Data Privacy Adviser (DPA), who provides a competency centre for all issues related to data privacy at CERN.

In any event, as CERN is not subject to any national or similar jurisdiction, disputes in the context of personal data processing shall be resolved in accordance with CERN’s internal legislation or, that failing, by arbitration.

A statement regarding data privacy protection is available online https://home.cern/data-privacy-protection-statement.

CERN will respond to your request in accordance with its internal procedures.

No. Sharing personal data with you would be considered as data transfer, and Operational Circular no. 11 (OC 11) allows data transfers between services at CERN or between a service and an external entity, only. In addition, the data transfer must be for a legitimate purpose.

Data transfers to private persons, other than the data subject or a duly authorised representative, is not foreseen in OC 11.

Furthermore, granting a person different from the data subject access to his/her personal record would imply the processing of a significant amount of personal data, as well as sensitive data, of that person, also taking into account the technical limitations of extracting the relevant information from the records (mainly in pdf format).

However, we can suggest other ways to gather details for the farewell speech.

For example, by interviewing your leaving colleague, provided that she consents to the interview, or by asking her to exercise her right to request a copy of her personal data by submitting a corresponding request via the web form referenced at the bottom of the relevant privacy notice. Further information on how to exercise the data subject's right of access can be found on our web site.

No. CERN’s data protection framework allows CERN to process personal data only when it is required for the proper functioning of the Organization (see also § 3 OC 11).

Sharing of personal data with natural persons for their private purposes does not qualify as such.

This covers also circumstances where you feel having a legitimate interest, such as collecting an outstanding debt of a former colleague who left CERN without leaving his new address.

You might be asked to provide information about an individual or otherwise engage in the processing of information about an individual.

It would be useful then to consider: Why do I have this information in the first place? Is the processing requested compatible with the purpose for which I have the data?

Another test you might employ is: Would the individual be surprised by the processing I am about to perform?

For example, someone asks you for an individuals private phone number that you have for your own legitimate reasons. If now the individual receives a call from someone who you have given their phone number to, they may well be very surprised.

Avoid surprises!

To answer the question, we should first check the applicable provisions of Operational Circular no. 11 (OC 11):

As sharing of personal data between two services at CERN is allowed by OC 11 if it is in the interest of CERN and if the Office of Data Privacy (ODP) has approved the transfer, one could assume that the access to the personal record should be possible in this specific case.

The ODP considers that the purpose of publishing an obituary for a member of the personnel, who passed away during or after his or her contract with CERN, written by CERN is legitimate. The ODP generally approves such requests, provided that the next of kin of the deceased consent to the transfer.

So, our reply would be:

Yes, if the relatives of the deceased person agree with the edition and publication of an obituary, you may access the personal record of that person.

If the deceased person was an active member of the personnel, the Social Affairs Service of CERN is coordinating the procedure to be followed after a death of a member of the personnel and acting as the channel of communication between the family, the outside authorities and CERN’s internal services. Therefore, you should approach the Social Affairs Service to enquire whether an obituary is desired

In case the deceased person was a CERN retiree, since the Pension Fund Service will not handle such requests or the publication of obituaries, it is suggested to directly contact the relatives to ask for their consent.

The current standard privacy conditions in CERN’s commercial contracts expressively require the processing of personal data on behalf of CERN in our member states, only.

Consequently, the usage of cloud solutions that process personal data in the US, is no longer conform, neither by persons working at CERN nor by CERN’s suppliers.

This is a broad topic, and many issues will depend on the specific case of the cloud service, but here are some key general points to consider:

• When you upload personal data to the cloud (including entering it into a Google doc) you are processing personal data.
• When anyone reads the personal data you have entered, they are also processing personal data.
• Did you consider the privacy rights of the individuals and the personal content you are uploading?
• Is the purpose specific and is this the best method for achieving the purpose?
• Have you obtained the appropriate consent from the individuals or can you justify an appropriate legal basis for the processing you are performing?
• Do you understand the contractual relationship you have with cloud provider? What rights do they have to the content? What commitments do they have to protect personal data and are they sufficient?
• Have you protected the access to the content adequately?

You are accountable for the processing of personal data and the general rule is that if you can avoid it, you should!

There are many types of cloud Services, from applications that you can use to basic cloud storage, from internal solutions to external solutions.

What you should be careful of however, is storing personal data of other people in the cloud without adequate protection. So when working in the CERN professional context, be very careful when using cloud Services. Here are some guidelines to consider.

• Do you know how the cloud provider treats any data that you store with them? Have you checked? Does it offer adequate protection?
• Does your hierarchy know (and approve) of the cloud services you are using in your professional work?
• Is the processing of personal data you are engaged in compatible with the privacy notice for the Service?

Further advice on the use of cloud Services can be obtained from the Cloud Licence Office (CLO).

Doodle is a great tool for organising meetings. There are also security measures you can take to avoid all participants from seeing all the other participants and you would be wise to engage them. Hint: Select hidden poll in settings.

To give an example. Imagine you wish to organise a meeting to get together all people inside CERN that have children, you may accidentally create a public list of people, their profile (having children) and their presence at a given place and time. Furthermore this list will be accessible and viewable by anyone whether they were invited by you or not. You cannot assume the URL you give to possible participants will remain protected.

This is a violation of the privacy rights of individuals as you have created and published a profile by not taking appropriate technical measures to protect their privacy.

So be careful to use all the security measures at your disposal.

The google terms and conditions, that you must agree to, contain a number of specific obligations concerning privacy. Please be aware that these are not optional!

The most important are:

"You will not and will not assist or permit any third party to, pass information to Google that Google could use or recognize as personally identifiable information"

"You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data."

"You must disclose the use of Google Analytics, and how it collects and processes data"

"You will use commercially reasonable efforts to ensure that a Visitor is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the Visitor’s device where such activity occurs in connection with the Service and where providing such information and obtaining such consent is required by law."

"You must not circumvent any privacy features (e.g., an opt-out) that are part of the Service."

Source: https://www.google.com/analytics/terms/us.html

When you are a member of the personnel at CERN and you want to access data contained in your personal administrative files (Personal Records, MERIT, medical and Pension Fund files) or get a copy of them, you have the choice to exercise this right:

1. either by referring to § 9 of the Administrative Circular no. 10 (AC 10): every member of the personnel has the right to consult their personal record, in presence of a Human Relations Advisors (HRA).
   A delay to exercise this right is not specified in AC 10 and the files are to be consulted in general either in the premisses of the Records Office, or in the office of or via the HRA. They can make you also copies of documents, if applicable.
   If you want to proceed in this way, please contact directly your HRA or the Records Office, and don't submit a Data Subject Right Request.

2. or by referring to OC 11, which defines a delay of 90 days for granting access.
   If you prefer this way, you will find corresponding information about the exercise of your right to information on this web site.

Misprocessing reports are followed up by the Office of Data Privacy (ODP) in the following way:

1. Fact Finding
   First, the ODP establishes the facts pertaining to the processing of personal data concerned. This is typically done in collaboration with the services involved to find out what was done by whom, when and why. But also the study of applicable documentations, regulations, etc. are part of the fact finding.

2. Compliance Check
   Then, the ODP assesses whether the processing was/is compliant with Operational Circular no. 11 (OC 11). The ODP checks if essential principles of processing are respected, if a lawful basis exist, if data subject rights are observed, etc.

3. Recommendations
   Furthermore, if appropriate, the ODP tries to identify ways to bring the processing into compliance and recommends the services concerned specific measures for doing so. This can be for example: “Please, publish a privacy notice.”, or “Delete the data that is no longer needed.”, or “Carry out a Privacy Impact Assessment to analyse risks and identify suitable mitigation measures.”

4. Follow-up
   Finally - as an “extra step” not defined in OC 11 - the ODP gives the services concerned the opportunity to react on the recommendations, for instance by committing to implement them in a certain time-frame.

   The reason the ODP has added this extra step is that OC 11 does not provide for follow-up of recommendations, while giving data subjects the right to lodge a complaint if they are dissatisfied, provided that their own personal data is affected by the misprocessing.

   Thus, data subjects have sufficient elements allowing them to decide whether they would like to file an official complaint with the Data Protection Commission.

5. Documentation
   The steps above are documented in an evaluation report that is shared with the complainant and the services concerned. A copy is sent also to the Data Protection Commission for information.

As a principle, the ODP handles the reports in a confidential way by not disclosing the identity of the complainant to the services involved. However, this is not always possible, in particular when the own personal data of the complainant are concerned.

OC 11 does not define a time limit for the handling of misprocessing reports. The ODP tries to do its best to quickly investigate, evaluate and recommend. Unfortunately, the ODP often faces an important work load, which generates certain delays.

The responsibility for data protection at CERN is decentralised and organised in a particular way: Controlling Services are accountable for their processing activities. Consequently, data subject rights are to be exercised with regard to the personal data held by a specific Controlling Service.

It is not possible to satisfy a general request covering "all the information CERN helds about me". Bearing in mind that CERN's service catalogue contains currently over 600 active services, granting such a request would involve a disproportionate effort.

Therefore you should identify the Controlling Services concerned, in order to formulate the desired request to access personal data.

CERN's Layered Privacy Notice contains the list of Controlling Services that have published their privacy notice, allowing you to understand which personal data they process.

In case you are not sure which Controlling Service is responsible for the processing activity you are interested in, the Office of Data Privacy is available to provide you advice.

If the people on the photo are part of a crowd and can't be individually identified, you can publish the photo.

Else, the purpose of the image rather than the image itself should be your starting point.

If you intend to use the image to provide information about a certain aspect of CERN's activities, and the people who are photographed are essential, you do not need their written consent.
This could be the case for photos featuring persons having acquired a certain notoriety, e.g. a head of state, a famous actor, during their visit at CERN; or for the photo of CERN's Director-General at an official event of the Organization.

If the people are interchangeable and the photo is used as a genre image, you are required to obtain the written consent of the person concerned.

For purposes such as illustration of web sites (e.g. to show the ambience during lectures, the diversity of the participants, etc. to attract more candidates) the photo of an individual is not essential, but rather a “nice-to-have”. Therefore, you would not be able to demonstrate a legitimate interest.

In conclusion, consent would be the most appropriate lawful basis.

Please note that for being valid, the consent must be freely given, clear, unambiguous and separate from other terms. You have to inform the individuals about the purpose of the processing (that means: what will be done with the photo? Who has access? When will it be deleted?) when you ask them for consent. Individuals must actively opt in by ticking a box, signing a document, providing an affirmative response to a verbal statement etc. The evidence of consent must be recorded (when, where and how it was given).
And: Consent must be as easy to withdraw as to give!

And don’t forget, as controlling service you must document your processing operations in a RoPO!

While it might seem normal to contact people through mailing lists there are a number of considerations you should make:

• Does the individual reasonably expect to be on a mailing list and be contacted?
• Will the purpose for future communications be related to the original purpose for creating the list?
• Can the individuals remove themselves from the mailing list easily?

When in doubt you should always ensure you have obtained the consent of the individual through an "opt-in" checkbox to receive further information.

An example case are events involving external registrants. While it might be reasonable to expect communication after registering for an event that only continues up to the time the event has taken place. Subsequent communications should only be made with the consent of the individual, which should be gathered at the time of registration. An option to subsequently opt-out should be presented in future communications with the individuals.

Another example might be team or collaboration mailing lists. It is a reasonable expectation that communications will be made to the individuals during the time of the project, but at the end of the project the individuals should agree to continuing communications if they wish to receive them by an "opt-in" mechanism. An option to subsequently opt-out should be presented in future communications with the individuals.

When sending an e-mail you might be tempted to put multiple recipients in the TO: list. Under many situations this is normal (contacting specific colleagues). However, presuming there is a justifiable reason for sending the mail, then you should not, in general, be revealing the list of names to everyone, as this exposes personal information in a public manner and may negatively impact the expectation of privacy.

To avoid this, you should use the BCC (Blind Carbon Copy) mechanism of e-mail clients, not TO: or CC:, to send to a list of recipients such that no-one else can see who else has received the message.

Creating lists of people based on specific personal data, for e.g. nationality, is processing of personal data. And it can lead to profiling groups of people unintentionally.

Creating lists should be done for clear, identifible and justifiable purposes. The best way to manage lists is through "self registration" allowing people to add or delete themselves.

Dynamic lists should be treated with extreme care as their contents can be used to profile segments of the population so be sure to ensure that access to the members of the list are well protected.

In most situations you should not transfer the list outside CERN to other organisations or persons.

E-mail necessarily generates multiple copies in multiple locations and a number of people have access to e-mail systems. Preferred mechanisms would allow controlled access to the personal data and the possibility of deletion when the purpose of processing has expired. 

• The use of e-mail for communicating personal data is to be avoided wherever possible.
• If e-mail is justified, attachments containing personal data should always be encrypted.
• Secure collaboration workspaces are the preferred mechanism.

No. If the printer is easily accessible by other persons, the confidentiality of the information in the document may be compromised. This would be then considered as a data breach.

Documents with personal data must not be open to prying eyes, and they should be safe from taken by mistake by somebody else.

Therefore you should enable the Secure Print option for all of your printing at CERN, by following these easy instructions.

More recommendations about the secure handling of paper documents can be found in our corresponding guidelines.