Key Processing Principles
Personal Data are processed for one or more specific purposes
A specific and legitimate reason is needed for any personal data that is processed. The essential principle requires that the purpose for processing personal data be specified before the data are collected; furthermore, personal data can only be used for the specified reasons.
The specific purposes of the processing will be detailed through the privacy notice attached to the service description in ServiceNow. It is the responsibility of the controlling service to ensure that the information in the privacy notice is accurate and complete. The information may be updated by editing the appropriate template in ServiceNow and regenerating the privacy notice.
| Guiding Questions on purpose limitation | 
|---|
The Personal Data collected are adequate, relevant and limited to the minimum required for the purpose
It is the responsibility of the controlling service to justify the collection of the personal data and to ensure that it is strictly limited to the intended purpose. If required, for instance when sensitive personal data is processed, this will be explained and documented through an impact assessment template in ServiceNow. This information is kept by the ODP and is not made generally available.
| Guiding Questions on data minimisation | 
|---|
Personal Data are accurate and kept up to date
The controlling service must ensure that information concerning personal data is kept up to date; this includes allowing the user to request modifications to his or her data. Such requests will be made to the service directly through the request form in ServiceNow.
| Guiding Questions on accuracy | 
|---|
Fair, transparent and lawful processing
The concept of "Fair, Transparent and Lawful" processing is implemented through a number of measures. Services which process personal information will generally do so in order to provide the service to the user community and will do so in accordance with CERN's internal legislation. The user will be informed through the privacy notice which is attached to the service description in ServiceNow. The user has the right to access the information which is held about him or her through the mechanism described in the "For Data Subjects" section on this website.
| Guiding Questions on fairness | 
|---|
Personal Data are retained for the minimum period necessary for the purpose
The controlling service will ensure that personal data are kept strictly for the minimum period needed to fulfill the specific purpose for the collection and processing of the personal data. Retention guidelines will help the controlling service to determine the appropriate period for which data must or can be kept before being deleted.
| Guiding Questions on storage limitation | 
|---|
Personal Data are kept in a secure manner
The controlling service will ensure that the personal data are kept in a secure manner, with appropriate technical safeguards such as encryption wherever possible and, otherwise, strict access controls, audit logs, etc. The controlling service is responsible for ensuring the confidentiality, integrity and appropriate availability of the Personal Data.
| Guiding Questions on security | 
|---|
Useful Links
| Link Type | URL | 
|---|---|
| Legal document | Operational Circular no. 11 "The Processing of Personal Data at CERN" | 
| Procedure | Data retention guideline | 
| Procedure | Data breach response procedure | 
