Data Sharing and Transfers
No. Sharing personal data with you would be considered as data transfer, and Operational Circular no. 11 (OC 11) allows data transfers between services at CERN or between a service and an external entity, only. In addition, the data transfer must be for a legitimate purpose.
Data transfers to private persons, other than the data subject or a duly authorised representative, is not foreseen in OC 11.
Furthermore, granting a person different from the data subject access to his/her personal record would imply the processing of a significant amount of personal data, as well as sensitive data, of that person, also taking into account the technical limitations of extracting the relevant information from the records (mainly in pdf format).
However, we can suggest other ways to gather details for the farewell speech.
For example, by interviewing your leaving colleague, provided that she consents to the interview, or by asking her to exercise her right to request a copy of her personal data by submitting a corresponding request via the web form referenced at the bottom of the relevant privacy notice. Further information on how to exercise the data subject's right of access can be found on our web site.
If you are someone who is subject to the GDPR then when transferring data to an International Organisation you have several things to consider. You are obliged to ensure that any personal data you transfer will be subject to the safe safeguards as they are when in your hands.
This is the principle that privacy travels with the data and what this means in practice is that you must rely on one of several prescribed measures in the GDPR, the most relevant of which are:
- The International Organisation has a formal adequacy ruling from the European Commission.
- There is a contract with clauses that are approved by the European Commission or a Supervisory body.
- The transfer is required to fulfill a contract with the data subject.
- The transfer is required for a specific and important public interest recognised in member state law.
- The data subject consents to the transfer having been informed of the risks.
In most cases for CERN and its collaborators using CERN-IT services, the only practical one that has real legal certainty is the last one, relying on consent from the data subject.
Practically this means that CERN must provide information regarding the rules of its privacy framework (OC11), and organisational and technical measures (ISO and other recognised certifications and standards). This is so that data subjects can understand the risks of sending their personal data to CERN and their agreement can be recorded. CERN can then handle data subject rights in accordance with OC11. This would provide an appropriate mechanism within the confines of the GDPR for a collaborator to use the services at CERN.
No. CERN’s data protection framework allows CERN to process personal data only when it is required for the proper functioning of the Organization (see also § 3 OC 11).
Sharing of personal data with natural persons for their private purposes does not qualify as such.
This covers also circumstances where you feel having a legitimate interest, such as collecting an outstanding debt of a former colleague who left CERN without leaving his new address.
All sharing of personal data, including with another Service (for examples photos), has to be compatible with the purpose when the data were initially collected.
The legitimate basis (for example providing a service) and the purpose (for example giving access to the service) must be declared in the privacy notice which details the aspects of why data are collected, for how long, the purpose and with whom they are shared.
It is therefore not approriate to share data with another service that was not originally foreseen.
In the case that such sharing is considered to be needed, the ODP must have approved the transfer and either:
-
A further justification is provided, for example the consent of the data subject, or
-
The purpose is demonstrably in line with the original purpose for which the data were collected.
OC 11 defines “Data Transfer” and “External Entity” as follows:
“§ 19. Transfer of Personal Data occurs whenever Personal Data is shared with, or access to such Data is granted to, one or more Services or External Entities.”
“§ 20. An External Entity is any legal person outside the Organization from which CERN receives, or to which it transfers, Personal Data.”
In jurisprudence, a natural person is a person (in legal meaning, i.e., one who has its own legal personality) that is an individual human being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental organization) or public (i.e., government) organization.
Individuals who are not Members of the Personnel but have a contract as temporary worker, consultant or similar with CERN are natural persons, and thus they are not considered as External Entities. Therefore, they can process personal data at CERN in the context of their mission and this activity would not be considered as Data Transfer.
Companies are in general legal persons, and when they process personal data on behalf of CERN they do this often in the context of a service contract that requires them to send their personnel onsite.
In this case, we would differentiate between the contractor’s personnel and their employers:
- The personnel would not be considered external entities as long as they carry out their work within the CERN structure (being attached to an organic unit, with an office, a phone number, an e-mail address, etc.,) and process personal data withing CERN’s systems, and do not share CERN personal data with their employers, or any other external entity.
- Their employers, on the other hand, would be considered external entities as they do not work within CERN’s structure.
- Should the contractor’s personnel share CERN personal data with their employers, or any other external entity, or process personal data outside of CERN’s systems, we would, in that case, consider both the former and the latter as external entities.
As a Service Owner you might sometimes get a "one time request" to extract, process or transfer data for a very particular purpose. Like for example information about all the participants of a given event.
The best way to answer reasonable requests of this type is with anonymised data. To carry out anonymisation it is important to understand what is the information being requested and the purpose for which the information will be put.
For data sets with very few people or very specific combinations of characteristics it is important to make sure that the identify cannot be reconstructed, or inferred, when using any other information that would be readily available.
It’s important to understand the difference between anonymised data and pseudonymised data.
To truly anonymise data, all individual identifiable information will be removed, and the data set will also be aggregated based on the requested fields. Anonymising data is an irreversible process rendering the data subject unidentifiable, while in case of pseudonymisation the data subject remains identifiable and can be identified with the use of additional information. However, pseudonymising the data provides further protection as it is no longer possible to directly identify the individual.
So for example instead of reporting there was a 23 year old Greek female, a 24 year old Spanish male and a 23 year old Spanish female, it is preferable to report the average age was 23.3 years, 2/3 of the participants were Spanish, 1/3 was Greek, 2/3 female and 1/3 male.
You might be asked to provide information about an individual or otherwise engage in the processing of information about an individual.
It would be useful then to consider: Why do I have this information in the first place? Is the processing requested compatible with the purpose for which I have the data?
Another test you might employ is: Would the individual be surprised by the processing I am about to perform?
For example, someone asks you for an individuals private phone number that you have for your own legitimate reasons. If now the individual receives a call from someone who you have given their phone number to, they may well be very surprised.
Avoid surprises!
To answer the question, we should first check the applicable provisions of Operational Circular no. 11 (OC 11):
As sharing of personal data between two services at CERN is allowed by OC 11 if it is in the interest of CERN and if the Office of Data Privacy (ODP) has approved the transfer, one could assume that the access to the personal record should be possible in this specific case.
The ODP considers that the purpose of publishing an obituary for a member of the personnel, who passed away during or after his or her contract with CERN, written by CERN is legitimate. The ODP generally approves such requests, provided that the next of kin of the deceased consent to the transfer.
So, our reply would be:
Yes, if the relatives of the deceased person agree with the edition and publication of an obituary, you may access the personal record of that person.
If the deceased person was an active member of the personnel, the Social Affairs Service of CERN is coordinating the procedure to be followed after a death of a member of the personnel and acting as the channel of communication between the family, the outside authorities and CERN’s internal services. Therefore, you should approach the Social Affairs Service to enquire whether an obituary is desired
In case the deceased person was a CERN retiree, since the Pension Fund Service will not handle such requests or the publication of obituaries, it is suggested to directly contact the relatives to ask for their consent.
If you are asked to provide data to another service, you need to consider the following questions:
- Why does this service want my data? Is there a clear purpose?
- Can I provide the data in pseudonymised, or preferably fully anonymised form to avoid transferring personal data. This will often be the case for services that are doing statistical or analytical work, however, you may need then to process the data before passing it to them.
- Can I rely on the recipient to fully comply with the privacy obligations of CERN?
As the service doing the transferring you are responsible for ensuring that the privacy protection transfers along with the data. Again, if personal data is not really required, anonymise the data first.
Data requested by the CERN Internal Audit Service (IAS)
Where the request is submitted by the IAS for the purposes of an audit or fraud investigation, it is to be considered that the Director-General has already authorised access to personal data necessary for the fulfilment of the IAS’ mission: for audit purposes (see § 8 CERN Internal Audit Charter) and for fraud investigation purposes (§§ 10 and 31, OC 10). Hence, a clear purpose and legal grounds exist to access data that is necessary and proportionate.
Therefore, as long as the respective Records of Processing Operations of both IAS and your service clearly specify that access to personal data is required for the execution of the IAS’s mandate, you shall transfer the relevant personal data as requested.
In case you are the processing service of the requested data and you have not been specifically instructed by the data controller to transfer data to the IAS, you should forward the request to the data controller if it has been submitted in the context of an audit.
Else - if you are informed that the request is submitted in the context of a fraud investigation, which obliges you to fully cooperate and maintain confidentiality throughout the fraud investigation - you have to disclose the personal data requested by the IAS.
In this respect it is noted that the IAS has to notify you of the context in which it is submitting the request for data, however without mentioning any details with regard to the specific investigation.
Don't hesitate to contact the ODP in the event of questions or doubts.