Exercise your Rights
A data subject right request is a request from a data subject to a controlling service asking to exercise one or more of their 8 data subject rights defined in OC 11.
For which Data?
The Data Subject Rights may be exercised only in regard to one's personal data. For example, that means that you can not request the deletion of another person's data.
However, in case of:
- Minors and adults under guardianship: parents/legal guardians may exercise those rights on their behalf;
- Deceased persons: the successor may exercise those rights;
- The exercise of rights on behalf of another data subject: a valid power of attorney is required.
When submitting a data subject right request, you must specify if you want to exercise the rights for your own data or if you are acting on behalf of another person. In the latter case, you will have to provide evidence that you are entitled to act in the name of the person concerned.
If required, CERN may ask you also to prove your identify.
Submitting a Request
At the bottom of each privacy notice, you will find a link to a web form allowing you to submit a request for the data processed by the service concerned.
This is the preferred way to submit requests, as it insures that your request contains important information thus facilitating and accelerating the handling of your request by CERN.
Only if you are not able to locate the applicable privacy notice, you should use the general request form. Please refrain from using e-mail to submit your request!
You can only exercise one right at a time and per service. If you want to exercise more rights or for data held by several services, please proceed by submitting different forms.
In the request you have to specify the right that you want to exercise and to provide further details, depending on the right. Please be as specific as possible.
Handling of your Request
Once the request has been submitted with the form, it will be assigned to the Office of Data Privacy (ODP). The ODP will determine the controlling service concerned and dispatch the request to this service; the ODP will furthermore provide advice to the parties involved and coordinate the exchange between you and the service, if required.
You are entitled to receive a written response to your request, including the reasons for the decision, within 90 calendar days.
The controlling service is in charge of handling your request, which must be promptly considered. The controlling service has to provide a substantive response either by taking the requested action or by providing an explanation for why the request cannot be accommodated.
Refusal of Requests
The rights are not always absolute, but may depend on specific conditions - which are explained in the corresponding chapters of this web site - and if they are not met, your request will have to be rejected.
Furthermore, the exercise of your rights may be refused in exceptional circumstances, which are:
Your request is unfounded or excessive
The controlling service can also refuse to comply with a request if it is:
- manifestly abusive,
- fraudulent or
- obstructive to the purpose of the processing (eg. due to its repetitive or unduly broad nature).
If complying with a request would result in so much work or expense as to outweigh your right of access to your personal data, the controlling service can deny it.
Violation of rights of other data subjects
The controlling service can refuse a request if granting it would violate the rights of other data subjects. This is the case if responding to a request involves providing information that relates both to you and to another individual who can be identified (directly or indirectly) from that information.
Restrictions decided by the Director-General
On a temporary, exceptional and specific basis, the Director-General can decide to restrict the exercise of the rights detailed above, when:
- such restriction is necessary for the prevention, detection or investigation of possible misconduct or illegal activity;
- CERN has received a request for the Transfer of Personal Data from national authorities, and the request is reasonable and compatible with the status of the Organization; or
- such restriction is essential to safeguard the rights, safety and security of the Data Subject or of other individuals or the security of the Organization’s premises or its functioning.
Normally, the individuals concerned are informed by the Director-General when such measures are taken.
File a Report
If you are not satisfied with the response you have received and you consider that your personal data has been processed in a manner that is not compliant with CERN's data protection framework, you can file a report with the ODP.