Guidance and FAQ - Principles
The application of OC 11 does not depend on when the data was collected.
It applies to all processing operations carried out since OC 11 entered into force on 1.1.2019, including data subject rights, which are also enforceable for “old” data.
What does this mean in practice?
It means that everything you do today with the data (even if it was collected years ago) must be compliant. This “everything” covers every kind of processing, including storage.
Examples:
- Personal data was collected in 2010 when a new staff member was hired. The collection was not subject to OC 11; however, if the data is still present today and it turns out that there is no legal basis and purpose for keeping it, you have to delete it (OC 11 obliges!).
- A transfer of this data to an external entity carried out in March 2018 was not subject to OC 11. However, when the data subject concerned submits a data subject request today to correct the data, CERN has to comply with OC 11 and inform this external entity and ask them to update the data, too.
Data anonymisation is an irreversible process by which all data that might allow the data subject to be identified is removed from the dataset in order to render the individual unidentifiable.
There are several anonymisation techniques, and your choice will depend on the context. As the result of the anonymisation process must be as permanent as destruction of the data, we advise you to check the reliability of the technique you have chosen against three criteria:
- Is it still possible to single out an individual?
- Is it still possible to link information to an individual?
- Is it possible to deduce information about an individual?
If you can answer "no" to the three questions above, the chosen technique is reliable and will lead to complete anonymisation of the data. If in doubt, or if the chosen process does not meet all the criteria, you should carry out an in-depth analysis of the potential risks and consult the ODP.
Data storage
First of all, it is important to have an overview of where personal data is stored. This may include:
- own servers;
- third party servers;
- email accounts;
- desktops;
- employee-owned devices (BYOD);
- backup storage; and/or
- paper files.
General retention periods
Generally, personal data should only be retained for as long as necessary. The retention periods can differ based on the type of data processed, the purpose of processing or other factors. Issues to consider include:
- Whether any legal requirements apply for the retention of any particular data. For example:
  - Trade law;
  - Tax law;
  - Employment law;
  - Administrative law;
  - Regulations regarding certain professions, e.g. medical.
- In the absence of any legal requirements, personal data may only be retained as long as necessary for the purpose of processing. This means data is to be deleted e.g. when:
  - the data subject has withdrawn consent to processing;
  - a contract has been performed or cannot be performed anymore; or
  - the data is no longer up to date.
- Has the data subject requested the erasure of data or the restriction of processing?
- Is the retention still necessary for the original purpose of processing?
- Exceptions may apply to processing for historical, statistical or scientific purposes.
During the retention period
- Establish periodical reviews of data retained.
- Establish and verify retention periods for data considering the following categories:
  - the requirements of your service;
  - type of personal data;
  - purpose of processing;
  - lawful grounds for processing; and
  - categories of data subjects.
- If precise retention periods cannot be established, identify criteria by which the period can be determined.
Expiration of the retention period
After the expiration of the applicable retention period, personal data does not necessarily have to be completely erased. It is sufficient to anonymise the data. This may, for example, be achieved by means of:
- erasure of the unique identifiers which allow the allocation of a data set to a unique person;
- erasure of single pieces of information that identify the data subject (whether alone or in combination with other pieces of information);
- separation of personal data from non-identifying information (e.g. an order number from the customer’s name and address); or
- aggregation of personal data in a way that no allocation to any individual is possible.
In some cases, no action will be required if data cannot be allocated to an identifiable person at the end of the retention period, for example, because:
- the pool of data has grown so much that personal identification is not possible based on the information retained; or
- the identifying data has already been deleted.
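The following is an added worked example (not code from the CERN FAQ or from CERN) that ties the anonymisation techniques listed above to the three-question test given in the anonymisation FAQ. A constructed HR-style table is first pseudonymised by erasing the unique identifier, then generalised, then aggregated; after each step the result is checked for singling out, linking against a constructed external table, and inference. The field names, the minimum group size k=2 and the DIRECTORY table are assumptions made for the example.

```python
"""Added example (not code from the CERN FAQ or from CERN): anonymise a
constructed HR-style table with the techniques the page lists, then test
the result against the three criteria: singling out, linking, inference.
Field names, the k=2 threshold and the DIRECTORY table are assumptions."""
from collections import Counter, defaultdict

# Constructed sample records (fictional people, not CERN data).
RECORDS = [
    {"staff_id": "S1001", "birth_year": 1978, "department": "IT", "nationality": "FR", "salary_band": 4},
    {"staff_id": "S1002", "birth_year": 1975, "department": "IT", "nationality": "FR", "salary_band": 4},
    {"staff_id": "S1003", "birth_year": 1981, "department": "HR", "nationality": "CH", "salary_band": 3},
    {"staff_id": "S1004", "birth_year": 1988, "department": "HR", "nationality": "CH", "salary_band": 5},
    {"staff_id": "S1005", "birth_year": 1972, "department": "IT", "nationality": "DE", "salary_band": 6},
    {"staff_id": "S1006", "birth_year": 1979, "department": "IT", "nationality": "DE", "salary_band": 3},
]
DIRECT_IDS = ("staff_id",)                                # identify a person on their own
QUASI_IDS = ("birth_year", "department", "nationality")   # identify a person in combination
SENSITIVE = "salary_band"

# Constructed external table an attacker might hold (e.g. a published directory).
DIRECTORY = [
    {"name": "Person A", "birth_year": 1978, "department": "IT", "nationality": "FR"},
    {"name": "Person B", "birth_year": 1981, "department": "HR", "nationality": "CH"},
    {"name": "Person C", "birth_year": 1972, "department": "IT", "nationality": "DE"},
]


def erase_direct_identifiers(records, fields=DIRECT_IDS):
    """Technique 1: erase the unique identifiers (on its own this is only pseudonymisation)."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def generalise(records):
    """Technique 2: coarsen an attribute that identifies in combination (year -> decade)."""
    return [dict(r, birth_year=f"{r['birth_year'] // 10 * 10}s") for r in records]


def aggregate(records, by, sensitive=SENSITIVE, min_n=2):
    """Technique 4: keep only per-group counts and means; cells smaller than min_n are suppressed."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[f] for f in by)].append(r[sensitive])
    return {g: {"n": len(v), "mean": sum(v) / len(v)} for g, v in groups.items() if len(v) >= min_n}


def equivalence_classes(records, quasi=QUASI_IDS):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes


def can_single_out(records, quasi=QUASI_IDS, k=2):
    """Criterion 1: some quasi-identifier combination isolates fewer than k people."""
    return min(len(c) for c in equivalence_classes(records, quasi).values()) < k


def can_link(records, external, keys=QUASI_IDS):
    """Criterion 2: a row of the external table matches exactly one anonymised record."""
    index = Counter(tuple(r[k] for k in keys) for r in records)
    return any(index[tuple(e[k] for k in keys)] == 1 for e in external)


def can_infer(records, quasi=QUASI_IDS, sensitive=SENSITIVE):
    """Criterion 3: all members of some class share one sensitive value, so that value
    is learnt about each of them even though no single record is isolated."""
    return any(len({r[sensitive] for r in c}) == 1
               for c in equivalence_classes(records, quasi).values())


def assess(records, external):
    """Answer the three FAQ questions; the technique is only reliable if all are False."""
    return {"single_out": can_single_out(records),
            "link": can_link(records, external),
            "infer": can_infer(records)}


if __name__ == "__main__":
    pseudonymised = erase_direct_identifiers(RECORDS)
    print("identifiers erased  ", assess(pseudonymised, DIRECTORY))
    generalised = generalise(pseudonymised)
    # an attacker can coarsen their own table to the same granularity
    print("plus generalisation ", assess(generalised, generalise(DIRECTORY)))
    print("aggregated only     ", aggregate(generalised, ("department", "nationality")))
```

On this sample, erasing the staff number alone leaves every record singled out, linkable and inferable, which is why the FAQ treats that step as insufficient. Generalising the birth year to a decade defeats singling out and linking, but the two records in the (1970s, IT, FR) class share the same salary band, so the third question still has to be answered "yes" and the in-depth analysis the FAQ calls for is needed; only the aggregated view with no per-person rows passes all three questions.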
Information obligations
In addition to other information obligations, in the context of data retention data subjects must be informed of:
- the retention period;
- if no fixed retention period can be provided – the criteria used to determine that period; and
- the new retention period if the purpose of processing has changed after personal data has been obtained.
In general, the monitoring of an employee’s computer usage, especially the use of keylogging software that records all keyboard entries made at a desktop computer, does not comply with best data protection practice.
All activities that involve substantial monitoring with the intention of identifying the actions of individuals should be subject to a prior data privacy impact assessment.
All measures should treat minimising the intrusion into the individual’s privacy as the primary consideration, rather than simply being based on the easiest technical solution to implement. For example, as a first measure the employee’s business computer could be checked in the presence of the employee, in line with the Organization’s procedures for doing so.
Yes, according to the definition in OC 11, personal data also includes “online and device identifiers”.
Examples of such identifiers are:
- Internet protocol (IP) addresses;
- cookie identifiers; and
- other identifiers such as radio frequency identification (RFID) tags.
These identifiers refer to information that is related to an individual’s tools, applications or devices, such as their computer or smartphone. The above is by no means an exhaustive list: any information that could identify a specific device, such as its digital fingerprint, is an identifier.
These identifiers can leave traces that may be used to build a profile of the device user and ultimately to identify them, especially when combined with unique identifiers and other information received by servers.
Therefore, both dynamic and static IP addresses are considered personal data, as they allow the direct or indirect identification of the individual using the corresponding device.
Someone posts personal information on a social networking site, so it's public and I can use it, right?
Well, not exactly. Irrespective of the fact that these data are now in the public domain, they can only be processed for the same purposes for which they were originally made public.
The data subject always remains the owner of his/her personal data, whether publicly available or not.
Consequently, what is posted on a social networking site cannot be used for an employment evaluation for example.
In general, from a data protection standpoint, it is better to prevent something undesirable than to monitor in order to make sure that it does not happen. The simple logic is that in order to detect something you must monitor it, and in doing so you will process other, potentially personal, information. Such processing need not take place if prevention is implemented.
The European Organization for Nuclear Research (“CERN”) is an Intergovernmental Organization with its seat in Geneva, Switzerland. By virtue of its particular legal status, the Organization enjoys certain privileges and immunities under international law.
CERN processes personal data solely in accordance with its internal legislation. CERN’s data privacy framework builds on principles established in its Member States and more generally the European Union, which are implemented through technical and organizational measures. CERN has designated a Data Privacy Adviser (DPA), who provides a competency centre for all issues related to data privacy at CERN.
In any event, as CERN is not subject to any national or similar jurisdiction, disputes in the context of personal data processing shall be resolved in accordance with CERN’s internal legislation or, that failing, by arbitration.
A statement regarding data privacy protection is available online at https://home.cern/data-privacy-protection-statement.
CERN will respond to your request in accordance with its internal procedures.
The Data Subject is the individual whose personal data you are processing. Your relationship with the individual can affect the risks involved in ensuring that data are processed in a correct manner. Broadly, we can define four categories:
- A direct, transactional relationship with the individual, for example secretariats dealing with the processing of staff, users, visitors etc.
- A direct, long-term relationship with the individual, for example the pension fund.
- An indirect, visible relationship with the individual, for example a service processing on behalf of another service.
- An indirect, invisible relationship with the individual, for example the processing of computer logs.
When completing the RoPO for your Service, you should consider how you are processing and informing the data subjects whose personal data you are processing.
When creating a new Service the following should be done:
- Firstly, the Service must be registered in the CERN Service Catalogue.
- The processing operations and potential privacy issues should be identified by the Service designers.
- Services shall be set by default in a manner ensuring the minimum level of collecting, processing and sharing of personal data. This includes transfers into and out of the Service. Such data transfers should be documented in the privacy notice.
- Users must remain in full control of their data, which requires that no implied consent is allowed (CERN’s policy when relying on consent is to require explicit consent, see the consent procedure) and that they can easily decide and change the amount of personal data they want to disclose. The ability to exercise their right of access and their right to be forgotten must be implemented.
- This should be reviewed with all the appropriate stakeholders, including the Office of Data Privacy (ODP) if needed.
- A RoPO and, if necessary, a privacy impact assessment in ServiceNow should be completed.
- If it appears that the processing would result in high risk in the absence of measures taken to mitigate it, a prior consultation with the ODP is required.
- Adequate security measures shall be put in place in order to ensure security during the whole lifecycle of the Service. This is in order to guarantee that when a Service is stopped, all the personal data stored in relation to that Service is deleted with no possibility for anyone to access it.