Terminology
Anonymisation is an irreversible process that removes any data that can be used to identify a person either directly or indirectly, rendering the data subject unidentifiable by the service owner or by third parties.
Once data is truly anonymised and individuals are no longer identifiable, the data is no longer considered personal data and therefore falls outside the scope of OC 11.
A Service is a Controlling Service if it determines the purposes and means of a processing operation.
In practice, the Controlling Service decides what data is to be collected, what will be done with it and why (purpose, legal basis, retention period, transfer etc.).
When different Services define different purposes or means for a given processing operation, each Service will be a Controlling Service of the processing for which it defined purposes or means.
When purposes and means are determined jointly by more than one Service, these Services are jointly Controlling Services of the processing operation.
A Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A personal data breach is therefore a type of security incident and there are three different types of breach that may occur:
1. Confidentiality breach – an accidental or unauthorised disclosure of, or access to, personal data.
2. Availability breach – an accidental or unauthorised loss of access to, or destruction of, personal data.
3. Integrity breach – an accidental or unauthorised alteration of personal data.
A breach can concern confidentiality, availability and integrity of personal data at the same time, as well as any combination of these.
A personal data breach would, for example, include:
• personal data being disclosed to an unauthorised person, e.g. an email containing personal data being sent to the wrong person.
• an unauthorised person accessing personal data, e.g. an employee’s personnel file being inappropriately accessed by another staff member due to a lack of appropriate internal controls.
• a temporary or permanent loss of access to personal data, e.g. where a client’s or customer’s personal data is unavailable for a certain period of time because of a system shutdown, a power, hardware or software failure, a ransomware or virus infection or a denial-of-service attack; where personal data has been deleted, either accidentally through human error or by an unauthorised person; or where the decryption key for securely encrypted data has been lost.
Data Privacy is the right of individuals to have control over how their personal information is collected and used.
It describes the practices which ensure that the data shared by individuals is only used for its intended purpose.
In most countries, privacy is a legal concept and not a technology, and in the European Union, privacy is recognised as an absolute fundamental right.
CERN commits in its Code of Conduct to respect privacy of others and protect personal information.
A Data Privacy Impact Assessment is a process carried out to identify the impact and risks that processing operations pose to the rights of data subjects and to determine the appropriate mitigation measures.
Data Security refers to the organisational, physical and technical measures put in place to safeguard the integrity of personal data and prevent events and activities such as unauthorised access, modification, disclosure or destruction.
It is the Controlling Service's responsibility to ensure the security of the data it processes.
A Data Subject is an individual - living or dead - whose personal data is subject to processing.
A data subject right request is a request from a data subject to a Controlling Service asking to exercise one or more of their eight data subject rights defined in OC 11.
One of the aims of CERN’s data protection framework (Operational Circular no. 11, OC 11) is to empower individuals and give them control over their personal data.
OC 11 defines the following eight rights of data subjects:
- Right to information
- Right to access
- Right to object
- Right to correction
- Right to request temporary suspension of processing
- Right to deletion
- Right to portability
- Rights in respect of automated decision-making
External entities are any legal persons outside CERN.
In jurisprudence, a natural person is a person (in the legal sense, i.e. one who has a legal personality of their own) who is an individual human being, as opposed to a legal person, which may be a private organization (i.e. a business entity or non-governmental organization) or a public one (i.e. a government body).
Typically, legal persons can sue and be sued, own property, and enter into contracts.
Example: CERN's clubs, the host states' authorities, the missions of CERN's member states, private companies and CERN's contractors are all external entities.
However, CERN's members of the personnel, their family members and the members of CERN's clubs are natural persons, not legal persons.
Misprocessing means that personal data is not processed in compliance with OC 11, CERN's data protection framework.
A data breach is a specific case of misprocessing, affecting the security of the personal data.
For example:
- A service processes data without a valid lawful basis.
- The personal data is used for other purposes than indicated in the privacy notice.
- The data is not deleted or anonymised after the end of the retention period.
- Insufficient security measures are in place to protect the data.
- Too much personal data is exposed - data that is not necessary for the purpose of the processing.
- The Controlling Service did not act on a Data Subject Request within the legal deadline of 90 days and did not provide any reply or justification.
According to OC 11, "Personal Data is any information, in any form or medium, relating to an identified or identifiable person. It includes data such as name, passport or other national registration details, CERN ID number, banking information, personnel records, images and video-surveillance footage, online and device identifiers, addresses and telephone numbers, and Sensitive Personal Data."
This means personal data has to be information that relates to an individual and this individual must be identified or identifiable.
Any individual who can be distinguished from others is considered identifiable.
An individual is directly identifiable if you can identify them using nothing but the information you possess.
Indirect identification means you cannot identify an individual through the information you are processing alone, but you may be able to by using other information you hold or information you can access from another source.
A third party using your data and combining it with information they can access to identify an individual is another form of indirect identification.
An easy example of information that could be used to indirectly identify someone is an individual’s license plate number. The police (a third party) can quickly match a name to a license plate number. Consequently, the license plate number is personal data.
Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user.
Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, policies, procedures and administrative and business practices.
Developing and integrating privacy solutions in the early phases of a project identifies any potential problems at an early stage to prevent them in the long run.
A Privacy Notice is a published document addressed to the data subjects that explains why the Controlling Service concerned processes personal data, details its processing operations and informs data subjects of their rights.
To make it short:
Processing = Collecting + Exploiting + Destruction
A more detailed definition:
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:
• collection,
• recording,
• organisation,
• structuring,
• storage,
• adaptation or alteration,
• retrieval,
• consultation,
• use,
• disclosure by transmission,
• dissemination or otherwise making available,
• alignment or combination,
• restriction,
• erasure.
So, in principle, everything one can do with data is processing!
Examples:
• staff management and payroll administration;
• access to/consultation of a contacts database containing personal data;
• sending promotional e-mails;
• shredding documents containing personal data;
• posting/putting a photo of a person on a website;
• storing IP addresses or MAC addresses;
• video recording (CCTV).
A Service is a Processing Service if it processes Personal Data solely on behalf of the Controlling Service.
The Processing Service executes the processing operation requested by the Controlling Service and does not take initiative regarding establishing or changing the purposes or means of the processing operation.
A Processing Service for a given activity may become a Controlling Service for the Personal Data in question if it takes the decision to process the data in ways that differ from the instructions given by the original Controlling Service.
A Service can be both a Controller and a Processor, for different processing operations, when it is in charge of both controlling and processing activities.
Profiling means any form of automated processing of personal data to evaluate certain aspects relating to a data subject, in particular, but not restricted to, his or her performance at work or behaviour.
Pseudonymisation is a way of protecting personal data by replacing data which could be used to directly identify an individual with, for example, a fake name or ID number (i.e. a pseudonym).
This process makes it more difficult to identify an individual directly, but not impossible! Pseudonymised individuals are still considered identifiable (indirectly), because with the use of additional information it is still possible to know who they are.
For this reason (that is, because pseudonymised data are personal data), OC 11 remains fully applicable to pseudonymised data.
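As an added illustration (not part of OC 11 or of any CERN system; the records, key and field names are constructed), the following Python contrasts pseudonymisation, which as stated above still yields personal data because the key plus a list of real identifiers rebuilds the mapping, with an irreversible anonymisation of the same records:

```python
import hashlib
import hmac

# Constructed sample records (made-up CERN ID numbers and names).
RECORDS = [
    {"cern_id": "123456", "name": "A. Example", "dept": "IT", "age": 34},
    {"cern_id": "234567", "name": "B. Sample", "dept": "IT", "age": 38},
    {"cern_id": "345678", "name": "C. Demo", "dept": "IT", "age": 31},
    {"cern_id": "456789", "name": "D. Test", "dept": "IT", "age": 45},
    {"cern_id": "567890", "name": "E. Mock", "dept": "HR", "age": 51},
    {"cern_id": "678901", "name": "F. Stub", "dept": "HR", "age": 57},
]

# Secret held by the Controlling Service. Together with the list of real IDs
# it is the "additional information" that makes re-identification possible.
SECRET_KEY = b"constructed-demo-key-not-for-real-use"


def pseudonym(cern_id: str, key: bytes = SECRET_KEY) -> str:
    """Keyed HMAC-SHA256 of the direct identifier: stable (records can still
    be joined) but not invertible without the key."""
    return hmac.new(key, cern_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list[dict]) -> list[dict]:
    """Replace the direct identifiers with a pseudonym; indirect identifiers
    (department, age) are kept, so the output is still personal data."""
    return [{"pid": pseudonym(r["cern_id"]), "dept": r["dept"], "age": r["age"]}
            for r in records]


def reidentify(rows: list[dict], known_ids: list[str], key: bytes = SECRET_KEY) -> dict:
    """With the key and a list of candidate IDs the mapping is rebuilt, which is
    why OC 11 still applies. Pseudonyms not in the list map to None."""
    table = {pseudonym(i, key): i for i in known_ids}
    return {row["pid"]: table.get(row["pid"]) for row in rows}


def anonymise(records: list[dict], k: int = 2) -> dict:
    """Irreversible aggregation: drop identifiers, generalise age into ten-year
    bands and suppress any (dept, band) cell with fewer than k people."""
    counts: dict = {}
    for r in records:
        cell = (r["dept"], f"{r['age'] // 10 * 10}s")
        counts[cell] = counts.get(cell, 0) + 1
    return {cell: n for cell, n in counts.items() if n >= k}
```

With the default k=2 the single IT employee in the 40s band is suppressed, since a count of one would otherwise single that person out.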
Personal data processing could lead to physical, material or non-material damage to data subjects, in particular:
- where the processing may give rise to:
  - discrimination,
  - identity theft or fraud,
  - financial loss,
  - damage to reputation,
  - loss of confidentiality of personal data protected by professional secrecy,
  - unauthorised reversal of pseudonymisation,
  - or any other significant economic or social disadvantage;
- where data subjects might be deprived of their general rights or prevented from exercising control over their personal data.
Likelihood and severity of the risk to the general rights of individuals can vary according to factors, such as:
- where sensitive personal data are processed;
- where aspects relating to Data Subjects are evaluated in order to create or use personal profiles;
- where personal data of persons under 16 years of age are processed;
- or where processing involves a large amount of personal data and affects a large number of data subjects.
Sensitive Personal Data is any personal data relating to:
- physical or mental health;
- genetic or biometric data;
- racial or ethnic origin;
- sexual orientation;
- political, religious or philosophical opinions or beliefs;
whereby:
Genetic Data is personal data relating to the inherited or acquired genetic characteristics of a person, which gives unique information about his or her physiology or health and which results, in particular, from an analysis of a biological sample taken from him or her, and
Biometric Data is personal data that results from specific technical processing and that relates to the physical, physiological or behavioural characteristics of a person and allows or confirms his or her unique identification.
For the purpose of CERN's data protection framework, a Service denotes one or more activities involving the processing of personal data on a regular basis for the benefit of the Organization.
A Service does not necessarily correspond to an organic unit or a functional area.
A Service is a
- Controlling Service if it determines the purposes and means of a processing operation, or a
- Processing Service if it processes personal data solely on behalf of the Controlling Service.
A Service Owner is the person accountable for the processing of Personal Data by his or her Service.