File a Report
A Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A personal data breach is therefore a type of security incident and there are three different types of breach that may occur:
- Confidentiality breach – an accidental or unauthorised disclosure of, or access to, personal data.
- Availability breach – an accidental or unauthorised loss of access to, or destruction of, personal data.
- Integrity breach – an accidental or unauthorised alteration of personal data.
A breach can concern confidentiality, availability and integrity of personal data at the same time, as well as any combination of these.
A personal data breach would, for example, include:
- personal data being disclosed to an unauthorised person, e.g. an email containing personal data being sent to the wrong person.
- an unauthorised person accessing personal data, e.g. an employee’s personnel file being inappropriately accessed by another staff member due to a lack of appropriate internal controls.
- a temporary or permanent loss of access to personal data, e.g. where a client’s or customer’s personal data is unavailable for a certain period of time due to a system shutdown, power, hardware or software failure, infection by ransomware or viruses, or denial of service attack; where personal data has been deleted, either accidentally due to human error or by an unauthorised person; or where the decryption key for securely encrypted data has been lost.
Misprocessing means that personal data is not processed in compliance with OC 11, CERN's data protection framework.
A data breach is a specific case of misprocessing, affecting the security of the personal data.
- A service processes data without a valid lawful basis.
- The personal data is used for other purposes than indicated in the privacy notice.
- The data is not deleted or anonymised after the end of the retention period.
- Insufficient security measures to protect the data.
In which Cases?
If you are not satisfied with the reply to your Data Subject Right Request, or if you want to notify cases of misprocessing or a data breach, you can file a report with the ODP.
You can do this even if the (potential) misprocessing or data breach does not directly concern your personal data.
Submitting a Report
Below you will find a link to a form for submitting your report.
If it concerns your data subject right request, don't forget to indicate the reference number of this request.
Handling of your Report
The ODP will evaluate your report, carry out any necessary investigations and, where it deems appropriate, recommend remedial action to the services concerned.
Data breaches will be subject to specific handling, involving CERN's computer security team, following CERN's Data Breach Response procedure.
For all other subjects, depending on the circumstances, the ODP will forward your report to the services concerned so that they are able to provide you with explanations.
If you are afraid of possible disadvantages, the ODP can communicate the case to the service without disclosing your identity, and act as a middle-man between you and the service for confidentiality reasons. This is obviously not possible if the purpose of your report involves your own personal data.
CERN's legal framework does not prescribe a time limit for handling reports; however, the ODP will do its best to handle them as swiftly as possible.
You, and if applicable the services concerned, will be informed about the outcome of the evaluation by the ODP.
If the personal data concerned is your own, the ODP will also advise you of your right to lodge a formal complaint.
Do you need advice concerning data protection at CERN?
⇒ Submit your question by opening a ticket in CERN's Service Portal