Handling of Data Transfer Requests
As a controlling service, you are in charge of handling data transfer requests that concern the personal data you are processing.
Such requests can be submitted either by another service at CERN or by an external entity.
Transfers within CERN
When transferring data within CERN, the transfer must be made only for the purposes that are documented in the RoPO of the services concerned.
As a controlling service, you must inform the services to which you transfer the data that they must apply appropriate organisational and technical measures.
If it is necessary to transfer data internally for purposes that are not part of the RoPO, the service concerned must:
- determine that this would be in the interest of CERN, and
- ask the ODP to approve the transfer.
To do so, please submit a request to the ODP using the form mentioned below.
Transfers between CERN and External Entities
a) Transfer to CERN
When you receive personal data from an external entity, before you start any processing of this data, you have to verify that the external entity was legally entitled to transfer the data.
In practice, this means that you have to ask the sender of the data to provide you with appropriate proof (for example: a signed consent form of the data subject concerned, if the transfer was based on consent).
b) Transfer to an External Entity
When a controlling service transfers data to an external entity, this generally happens because
- either there is a recurrent transfer of personal data established in the framework of a contract or another formal agreement.
  Examples are the recurrent transfer of data to CERN's third-party administrator UNIQA for the CHIS, and the regular data exchange with CERN's host states' authorities to establish legitimation documents for the members of the personnel.
  These transfers are to be documented in the RoPO of the controlling services concerned.
- or the external entity has submitted an ad-hoc request for a single data transfer.
  Examples are requests from missions of CERN's member states for personal details of their nationals.
For ad-hoc data transfers, the external entity must submit a data transfer request using the designated form. These requests are by default assigned to the ODP, who ensures their coordination and determines and contacts the controlling service concerned. Detailed documentation of the handling of requests for ad-hoc data transfers is available in the procedure mentioned below.