Data Protection for Clubs at CERN
A Service is a Controlling Service if it determines the purposes and means of a processing operation.
In practice, the Controlling Service decides what data is to be collected, what will be done with it and why (purpose, legal basis, retention period, transfer etc.).
When different Services define different purposes or means for the same processing operation, each Service will be a Controlling Service for the part of the processing it has defined.
When purposes and means are determined jointly by two or more Service, these Services will be Joint Controlling Services.
CERN’s clubs are autonomous entities with their own legal personality (see the descriptions under 2.1 and chapter C of the document Clubs sous l'égide de l'Association du Personnel du CERN). In consequence, they process personal data under their own responsibility while applying the applicable legislation of their country of establishment:
-
the General Data Protection Regulation (GDPR) if the club has been set up under the French law of 1901 (see publication of the French government regarding club’s obligations with regard to the GDPR), or is providing goods or services to people present in the EU;
-
the Swiss Federal Act on Data Protection if the club has been set up based on art. 60 of the Code Civil Suisse (see relevant publication of the Swiss data protection authority).
When clubs are using CERN's IT infrastructure or other services to process personal data, they are not considered “Controlling Service” and are therefore not subject to Operational Circular No. 11 (OC11).
Useful Links
| Link Type | URL |
|---|---|
| Legal document | Operational Circular no. 11 "The Processing of Personal Data at CERN" rev. 1 |
| External | General Data Protection Regulation 2016/679 (GDPR) |
| External | Federal Act on Data Protection (FADP) |