Data Protection @ CERN
The processing of personal data is inevitable within a work context and CERN aims to follow and observe best practices as regards the collection, processing and handling of this type of data.
CERN considers it important to collect and process only such personal data as is required for the functioning of the Organization. The CERN Code of Conduct already specifies the respect that must be given to the privacy of others and the protection of personal information.
The Office of Data Privacy provides a competency center and service for all issues related to data privacy, both for internal and external services involved with the collection and processing of personal data as well as for individuals whose personal data are collected and processed by CERN.
In keeping with its global reputation, CERN sets a high standard for the protection of the privacy rights of individuals. Indeed, this is also expected of, and by, the external communities with which it works. Further information is set out in CERN's Data Privacy Protection Policy and in its legal framework for data protection, Operational Circular no. 11 “The Processing of Personal Data at CERN” (OC 11).
Data protection principles require that personal information must:
- be processed fairly and lawfully;
- be used only for the purpose(s) for which it was collected;
- be adequate, relevant and not excessive for said purpose;
- be accurate and up-to-date;
- be kept no longer than is necessary;
- be processed in accordance with the data subject's rights;
- be kept secure and protected from unauthorised processing, loss or destruction;
- be transferred only to those countries and organisations that provide adequate protection for personal information.
In order to meet the requirements of the principles CERN will:
- strive to collect and process only essential personal data;
- make best efforts to ensure that personal data held is accurate;
- inform individuals on how to access and, if necessary, correct their personal data;
- use personal data efficiently and effectively and only for the purpose(s) described at the point of collection or as otherwise permitted by the Organization’s rules;
- take the necessary security measures to safeguard personal data (including against unauthorised processing and accidental loss or damage);
- ensure that personal data is not transferred without suitable safeguards;
- keep personal data only as long as is necessary for the Organization’s purposes; and,
- destroy personal data which is no longer needed.
In order to put these commitments into practice, CERN:
- provides detailed privacy statements for each CERN service that is involved in processing personal data;
- provides educational and informational material to cover the principles of data protection and its application at CERN;
- provides up-to-date advice on the handling of personal data in specific cases and situations encountered at CERN;
- has an Operational Circular that sets out the applicable rights and obligations of all persons involved as well as the procedural aspects of collecting, processing and handling of personal data.