Key Processing Principles


Personal Data are processed for one or more specific purposes

A specific and legitimate reason is needed for any personal data that are processed. The essential principle requires that the purpose for processing personal data be defined before the data are collected; furthermore, personal data can only be used for the specified reasons.

The specific purposes of the processing will be detailed through the privacy notice attached to the service description in ServiceNow. It is the responsibility of the controlling service to ensure that the information in the privacy notice is accurate and complete. The information may be updated through the appropriate template in ServiceNow and by regenerating the privacy notice.

The Personal Data collected are adequate, relevant and limited to the minimum required for the purpose

It is the responsibility of the controlling service to justify the collection of the personal data and to ensure that it is strictly limited to the intended purpose. If required, for instance when sensitive personal data is processed, this will be explained and documented through an impact assessment template in ServiceNow. This information is kept by the ODP and is not made generally available.

Personal Data are accurate and kept up to date

The controlling service must ensure that information concerning personal data is kept up to date, which includes allowing the user to request modifications to his or her data. Such requests will be made to the service directly through the request form in ServiceNow.

Fair and Lawful processing

The concept of "Fair and Lawful" processing is implemented through a number of measures. Services which are processing personal information will generally do so in order to provide the service to the user community and will do so in the legitimate interests of CERN. The user will be informed through the privacy notice which is attached to the service description in ServiceNow. The user has the right to access the information which is held about him or her through the mechanism described in the "For Data Subjects" section on this website.

Personal Data are retained for the minimum period necessary for the purpose

The controlling service will ensure that personal data are kept only for the strict minimum period needed to fulfill the specific purpose for the collection and processing of the personal data. Retention guidelines will help the controlling service to determine the appropriate period for which data must or can be kept before they are deleted.

Personal Data are kept in a secure manner

The controlling service will ensure that the personal data are kept in a secure manner, with appropriate technical safeguards such as encryption wherever possible and, otherwise, strict access controls, audit logs, etc. The controlling service is responsible for ensuring the confidentiality, integrity and appropriate availability of the Personal Data.