Controlling and Processing Services
A Service is a Controlling Service if it determines the purposes and means of a processing operation.
In practice, the Controlling Service decides what data is to be collected, what will be done with it and why (purpose, legal basis, retention period, transfer etc.).
When different Services define different purposes or means for a given processing operation, each Service will be a Controlling Service of the processing for which it defined purposes or means.
When purposes and means are determined jointly by one or more Services, these Services will jointly be Controlling Services of the processing operation.
A Service is a Processing Service if it processes Personal Data solely on behalf of the Controlling Service.
The Processing Service executes the processing operation requested by the Controlling Service and does not take initiative regarding establishing or changing the purposes or means of the processing operation.
A Processing Service for a given activity might become a Controlling Service for the Personal Data in question if it takes the decision to process the data in ways that differ from the instructions given by the original Controlling Service.
A Service can be both Controller and Processor for different processing operations when it is in charge of Controlling and Processing activities.
For the purpose of CERN's data protection framework, a Service denotes one or more activities involving the processing of personal data on a regular basis for the benefit of the Organization.
A Service does not necessarily correspond to an organic unit or a functional area.
A Service is a
- Controlling Service if it determines the purposes and means of a processing operation, or a
- Processing Service if it processes personal data solely on behalf of the Controlling Service.
A Service Owner is the person accountable for the processing of Personal Data by his or her Service.
In a nutshell...
If you want to collect or process personal data at CERN, you will be considered a Service. And if you are the person accountable for the processing, you are the Service Owner.
This implies that a few basic rules are to be observed.
If you are the one deciding what personal data should be collected, and how it is used and processed, then you are accountable and are considered a Controlling Service.
Firstly, the processing must have a lawful basis (e.g. legitimate interest, contract or consent of the individual) and a specific purpose.
You need to make sure that you are observing the general principles, including collecting only the minimum data required for the specific purpose and not retaining the information any longer than necessary.
You need to ensure that the processing is transparently communicated in the form of a privacy notice, so completing and publishing a record of processing operations (RoPO) is required.
Finally, if you are using other services at CERN to store or process the personal data, you need to make sure that the systems you are storing personal data in are appropriate for that use.
Detailed explanations of your duties can be found in the pages under the "Obligations of Controlling Services" header.
Useful Links
Link Type | URL |
---|---|
Procedure | Processing and Controlling Services |