Handling of Data Subject Right Request
A data subject right request is a request from a data subject to a controlling service asking to exercise one or more of their 8 data subject rights defined in OC 11.
One of the aims of CERN’s data protection framework (Operational Circular no. 11, OC 11) is to empower individuals and give them control over their personal data.
OC 11 defines the following eight rights of data subjects:
- Right to information
- Right to access
- Right to object
- Right to correction
- Right to request temporary suspension of processing
- Right to deletion
- Right to portability
- Rights in respect of automated decision-making
The Operational Circular No. 11 gives rights to the persons concerned – also known as “Data Subjects” – to manage their personal data that has been collected by CERN. These rights include accessing the personal data, obtaining copies of it, requesting changes to it, restricting the processing of it, deleting it, or receiving it in an electronic format.
The controlling service is obliged to promptly consider each request of data subjects to exercise their rights. The controlling service has to provide a substantive response either by taking the requested action or by providing an explanation for why the request cannot be accommodated by the controller.
A deadline of 90 working days has to be observed.
Data Subject Rights requests submitted via the underlying ServiceNow form are by default assigned to the ODP, who ensures the coordination of the request. This includes identifying the responsible controlling service and forwarding the request to it.
As a controlling service, you will normally receive the request through ServiceNow. Note that the identity of the individual must be verified before providing personal data. Furthermore, sending personal data via e-mail may not be appropriate without additional safeguards, including encryption (see other advice in this section).
Right to be Informed
The privacy notice should be complete and available.
Right to Access
You should be in a position to verify what processing is taking place on an individual's personal data and provide access to the personal data. Note that all this information should match what is on the privacy notice.
Right to Data Portability
Where data that are processed on the basis of consent or a contract exist in a digital format, an individual can request that their data be provided in a convenient format. We consider Excel an appropriate format, but other formats, including text files, would also be appropriate. Obscure binary formats would not be considered appropriate.
Right to Correction
Data should be accurate and complete, and any inaccurate or incomplete data should be corrected promptly.
When the personal data have been transferred to another Service or an external entity, you have to make a reasonable effort to notify them about such correction.
Right to Deletion
Normally, data should be removed without "undue delay" where they are no longer needed for the purpose or have been inappropriately processed. This must be balanced against the needs of the Organisation, especially when the data are still needed for Official Investigations.
Data should not be deleted if the individual has requested a suspension of processing, as would be the case when the data are needed for a legal claim by the individual.
When the personal data have been transferred to another Service or an external entity, you have to make a reasonable effort to notify them about such deletion.
Right to Object to Processing
If the privacy notice indicates that the processing is based on the legitimate interest of the Organisation, and the individual exercises this right, then the processing must stop until such time as the Organisation can show "compelling" grounds to continue the processing.
For other lawful bases, the requester should provide an explanation of why the processing of his/her personal data lacks legitimacy.
Right to Suspension
The right can be exercised in two situations:
- when the data subject has submitted a request for correction or deletion, and wants the data concerned not to be processed until these requests have been handled.
- when the data subject needs the personal data for a legal claim and wants to prevent the data concerned from being erased by the controlling service.
In both cases, you should immediately stop the processing, and then verify the legitimacy of the request for suspension.
Rights in respect of automated decision-making
If the personal data are used for automated decision-making, you must be able to explain to the data subject concerned the rules applied in making the decision. If the decision is challenged, you should review it with human intervention, that is, without using the algorithm.