File a Report
A Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A personal data breach is therefore a type of security incident and there are three different types of breach that may occur:
1. Confidentiality breach – an accidental or unauthorised disclosure of, or access to, personal data.
2. Availability breach – an accidental or unauthorised loss of access to, or destruction of, personal data.
3. Integrity breach – an accidental or unauthorised alteration of personal data.
A breach can concern confidentiality, availability and integrity of personal data at the same time, as well as any combination of these.
A personal data breach would, for example, include:
• personal data being disclosed to an unauthorised person, e.g. an email containing personal data being sent to the wrong person.
• an unauthorised person accessing personal data, e.g. an employee’s personnel file being inappropriately accessed by another staff member due to a lack of appropriate internal controls.
• a temporary or permanent loss of access to personal data, e.g. where a client's or customer's personal data is unavailable for a certain period of time due to a system shutdown, a power, hardware or software failure, infection by ransomware or viruses, or a denial-of-service attack; where personal data has been deleted, either accidentally through human error or by an unauthorised person; or where the decryption key for securely encrypted data has been lost.
Misprocessing means that personal data is not processed in compliance with OC 11, CERN's data protection framework.
A data breach is a specific case of misprocessing, affecting the security of the personal data.
For example:
- A service processes data without a valid lawful basis.
- The personal data is used for other purposes than indicated in the privacy notice.
- The data is not deleted or anonymised after the end of the retention period.
- Insufficient security measures are in place to protect the data.
- Too much personal data is exposed - data that is not necessary for the purpose of the processing.
- The Controlling Service did not act on a Data Subject Request within the legal deadline of 90 days and did not provide any reply or justification.
In Which Cases?
If you are not satisfied with the response to your Data Subject Right Request, or if you wish to report other instances of non-compliant processing, including a data breach, you may file a report with the Office of Data Privacy (ODP).
You can do this even if the (potential) misprocessing or data breach does not directly concern your personal data.
Submitting a Report
Below you will find a link to a form allowing you to submit your report.
If it concerns your data subject right request, don't forget to indicate the reference number of this request.
If you don't have access to the form, please feel free to send your report via e-mail.
Handling of your Report
The ODP will evaluate your report, carry out any necessary investigations and, where it deems appropriate, recommend remedial action to the services concerned.
Data breaches are subject to specific handling, involving CERN's computer security team, following CERN's Data Breach Response procedure.
In case of a reported misprocessing, depending on the circumstances, the ODP will forward your report to the services concerned so that they are able to provide explanations. The ODP will assess the compliance of the processing and, if necessary, recommend corrective measures to the services.
If you are afraid of possible disadvantages, the ODP can communicate the case to the service without disclosing your identity, and act as an intermediary between you and the service for confidentiality reasons. This is obviously not possible if the purpose of your report involves your own personal data.
CERN's legal framework does not prescribe a time limit for handling reports; however, the ODP will do its best to handle them as swiftly as possible.
You, and if applicable the services concerned, will be informed about the outcome of the evaluation by the ODP.
If the personal data concerned is your own, the ODP will also advise you of your right to lodge a formal complaint.
Do you need advice concerning data protection at CERN?
⇒ Submit your question by opening a ticket in CERN's Service Portal
Useful Links
| Link Type | URL |
|---|---|
| Form | Incident Report |