Controlling and Processing Services
A Service is a Controlling Service if it determines the purposes and means of a processing operation.
In practice, the Controlling Service decides what data is to be collected, what will be done with it and why (purpose, legal basis, retention period, transfer etc.).
When different Services define different purposes or means for the same processing operation, each Service will be a Controlling Service for the part of the processing it has defined.
When purposes and means are determined jointly by two or more Services, these Services will be Joint Controlling Services.
A Service is a Processing Service if it processes Personal Data solely on behalf of a Controlling Service.
It carries out the processing as instructed by the Controlling Service and does not take any initiative in defining or changing its purposes or means.
A Processing Service may become a Controlling Service if it decides to process the data in ways that go beyond or differ from the instructions given by the Controlling Service.
A Service can act as both Controlling and Processing Service for different processing operations.
For the purposes of CERN's data protection framework, a Service denotes one or more activities involving the processing of personal data for the benefit of the Organization.
A Service does not necessarily correspond to an organic unit or a functional area.
A Service is a
- Controlling Service if it determines the purposes and means of a processing operation, or a
- Processing Service if it processes personal data solely on behalf of the Controlling Service.
A Service Owner is the person accountable for the processing of Personal Data by their Service.
In a nutshell...
If you want to collect or process personal data at CERN, you will be considered a Service. And if you are the person accountable for the processing, you are the Service Owner.
This implies that a few basic rules are to be observed.
If you are the one deciding what personal data should be collected, and how it is used and processed, then you are accountable and are considered a Controlling Service.
Firstly, the processing must have a lawful basis (e.g. legitimate interest, contract or consent of the individual) and a specific purpose.
You need to make sure that you are observing the general principles, including collecting only the minimum data required for the specific purpose and not retaining the information any longer than necessary.
You need to ensure that the processing is transparently communicated in the form of a privacy notice, so completing and publishing a record of processing operations (RoPO) is required.
Finally, if you are using other services at CERN to store or process the personal data, you need to make sure that the systems you are storing personal data in are appropriate for that use.
Detailed explanations of your duties can be found in the pages under the "Obligations of Controlling Services" header.
Useful Links
| Link Type | URL |
|---|---|
| Procedure | Processing and Controlling Services |