Controlling and Processing Services





In a nutshell...

If you want to collect or process personal data at CERN you will be considered as a Service. And if you are the person accountable for the processing, you are the Service Owner.

This implies that a few basic rules are to be observed.

If you are the one that is deciding what personal data should be collected, and how it is used and processed, then you would be accountable and be considered as controlling service.

Firstly, the processing must have a lawful basis (e.g. legitimate interest, contract or consent of the individual) and a specific purpose.

You need to make sure that you are observing the general principles, including only collecting the minimum data required for the specific purpose and that the information is not retained any longer than necessary.

You need to ensure that the processing is transparently communicated in form of a privacy notice, so completing and publishing a records of processing operations (RoPO) is required.

Finally, if you are using other services at CERN to store or process the personal data you need to make sure that the systems you are storing personal data in are appropriate for that use.

A detailed explanations about your duties can be found in the pages under the "Obligations of Controlling Services" header.