What is a supervisory authority?
A data protection supervisory authority is a well-defined and well-established body in Europe and throughout the world, tasked with several duties with regard to the application of data protection laws.
There are currently over 130 such authorities, in various countries and intergovernmental organisations.
They have specific characteristics regarding their mission and powers:
- they must be independent
- they supervise the application of data protection rules
- they must be able to receive complaints, conduct investigations, and enforce compliance
- they monitor the handling of data breaches
- they provide access to redress and remedies (meaning they are competent to award compensation to data subjects in case of misprocessing)
Why does CERN need a supervisory authority?
When Operational Circular No. 11 entitled “The processing of personal data at CERN” (OC 11) was established in 2018, the “Comité de concertation permanent” (CCP) agreed to implement the complete data protection framework in a phased approach, and implement the supervisory authority in a second stage, possibly shared with other intergovernmental organisations.
In the meantime, other intergovernmental organisations have each implemented their own authority and the idea of the shared approach was abandoned.
It should be noted that OC 11 is not complete without a supervisory authority; as an example, complaint options are only available for members of the personnel when their own data is concerned.
Not having an authority creates various risks:
- in terms of scientific collaboration with research partners in Europe
- regarding EU projects (pillar assessments now include a data protection evaluation)
- should complaints be addressed to a host state supervisory authority
The data protection audit carried out in 2020 at CERN correctly identified that this element was missing from our program, and as a result two annexes of OC 11 were elaborated, shaping the form of the Data Protection Commission.
How were the annexes of OC 11 elaborated?
Given the audit finding and the above-mentioned risks, the Director General (DG) established a working group with the aim of drafting a proposal. The working group was chaired by the former Director of Finance and Human Resources, Martin Steinacher; its members were the Legal Service and the Office of Data Privacy (ODP). The Staff Association joined in August 2020.
The working group benchmarked with other organisations and analysed the requirements and possible structures, to identify a suitable approach for CERN.
As previously stated, two draft annexes to OC 11 were established to describe the mandate, powers and functions of CERN’s supervisory authority: the Data Protection Commission (DPC).
These annexes were presented to sub-group 1 of the CCP, and discussed at several meetings. Comments from departments and the Staff Association have been taken into account to agree on the final version of the text, which was then approved by the CCP and signed by the DG.
The introduction of the Data Protection Commission also required slight adjustments to the Staff Rules and Regulations to allow for a direct appeal to the Administrative Tribunal of the International Labour Organization (ILOAT) against its decisions; the corresponding modifications were approved by the Council in June 2021.
What will be the composition of the Data Protection Commission?
The DPC will be composed of three external data protection experts, recommended collectively by representatives of the DG, the Staff Association and the ODP for nomination by the DG.
They are nominated for a period of three years and their mandate can be extended for up to three more years. In the exercise of their functions, the DPC members shall act in complete independence and impartiality, neither seek nor accept instructions from anyone and keep confidentiality regarding matters arising from their functions.
How will the Data Protection Commission exercise its compliance functions?
The ODP will inform the Data Protection Commission about data breaches and misprocessing reports, so that it can decide if investigations and assessments are required.
Furthermore, in order to assure independence, the Data Protection Commission is free to determine the best way to carry out its compliance functions. That means it can freely decide about additional activities to ensure the compliance with data protection rules and policies. The Data Protection Commission will collaborate with CERN’s services, the Internal Audit service and the ODP.
In the context of its compliance functions, the Data Protection Commission has the right to carry out investigations, to obtain access to Personal Data if required, and to order, via the Director-General, a Controlling Service to restrict or stop the processing of Personal Data and to bring the processing into compliance with OC 11. It can also recommend appropriate follow-up measures to the Director-General.
How will the Data Protection Commission exercise its complaints function?
Data subjects who are not satisfied with the outcome of their data subject request or a misprocessing report that concerns their own data, can submit a complaint to the Data Protection Commission within 60 days following the notification of the decision by the ODP.
The Data Protection Commission will first verify if the complaint is receivable, before investigating if the rights of the data subject have been violated. At the end of the investigation, the Data Protection Commission will establish a written report to document the facts and findings and to express its opinion, and recommend the Director-General appropriate follow-up measures if applicable.
These measures can comprise the reimbursement of reasonable costs and the payment of a moral compensation of up to 5000 CHF to the data subject. In exceptional and well-justified situations, this compensation can be up to 10000 CHF.
The Director-General shall then decide whether or not to accept the report and the recommendations. The Data Subject will be informed of the decision in writing.
Can Data Subjects challenge the decision of the Director-General?
Members of the personnel who consider that the decision of the Director-General affects them adversely, can file a complaint with the ILOAT.
Data Subjects who are not members of the personnel can resort to arbitration.