Processing by External Entities

Terminology

Processing by External Entities means that you as a controlling service use non-CERN resources and/or engage companies or organisations for the processing of personal data.

Typical examples are:

  • A service hires a company to run a user survey on CERN’s behalf
  • You use a software tool on the web for managing personal data, eg. to recruit new talents
  • Personal data is stored in a cloud solution

When using an external processor, the controlling service becomes responsible for the processing carried out by the external entity. Therefore, you must carefully check if the processor is suitable. The following check list and the details provided below explain the duties of the controlling service in this context.

Check List

Services that intent to use external processors, must make sure that:

  1. The external processor complies with the principles in OC 11
  2. Adequate safeguards are in place
  3. The external processor has got detailed instructions for the processing
  4. The points above are laid down in a contract with the external processor
  5. The processing by the external processor is documented in a RoPO.

You should follow this check list very early in the procurement process. Points 1 and 2 must be part of the decision making process, as non-compliance and/or insufficient safeguards are criteria for exclusion.

It is highly recommended to contact immediately the Cloud Licence Office (CLO) in the IT department, when you need to buy IT tools or cloud solutions. The CLO will coordinate points 1 and 2 of the process above, and liaise with the Computer Security Team, the ODP and the Procurement Service, if required.

1. OC 11 Compliance

When using external processors, you must make sure that they comply with CERN’s data protection framework.

In practise this means that to select a suitable external processor you should carefully check

  1. the country of the supplier
  2. in which country the actual data processing incl. storage will take place
  3. the privacy notice/policy provided by the supplier, as well as any other contractual document mentioning data protection aspects.

The country of the supplier should be one of CERN Member States, following CERN’s procurement rules. As CERN member states grant CERN diplomatic privileges and immunities, personal data benefits from additional protection through the clauses guaranteeing the inviolability of documents.

If the country of the supplier or the processing is part of the European Economic Area (EEA) plus Switzerland, their applicable national data protection legislation (GDPR or FDPA) is very similar to CERN’s OC 11, so that essential preconditions for compliance, enforcement and awareness of data protection principles exist.

The supplier should provide a privacy notice to inform how personal data is processed. Suppliers subject to GDPR are obliged by law to have one.
In general, they are published on their web site, together with other legal documents, such as terms of service or similar. The privacy notice will allow you to understand if the way the supplier processes personal data is compatible with OC 11.

Particular attention should be given to following provisions in privacy notices:

  • Which data is collected and processed? Do they seem reasonable and adequate for the purpose of the tool? In case of doubts, contact the ODP.

  • Does the supplier acts mainly as processor and considers his clients as controllers? If yes, this is the typical situation. Suppliers should only be controller of the data required to manage the contract with the client. Be careful if the supplier claims to be controller of other data.

  • Is personal data used for marketing purposes? This is often the case for free tools, but should not be present for paid software. Furthermore, usage of data for marketing requires the consent of the person concerned; an opt-out is not allowed. In general, usage of data for marketing is not compatible with OC 11.

  • Is personal data sold? Also sale of personal data is the price you have to pay when using tools for free. However, when paying for it, sale of personal is not acceptable. Anyhow, data sale is not compatible with OC 11.

  • With whom is personal data shared, incl. sub-processors? If a list of sub-processors is available, look at the companies and their locations. If they don’t correspond to CERN’s member states, if they are not in the EEA plus Switzerland, you should look for alternative solutions.

The ODP has prepared a Data Protection Questionnaire at the attention of potential suppliers to evaluate the conditions under they are processing personal data. You can send it to the potential supplier (see link at the bottom of the page), asking to send the completed form to the ODP. The answers will help to decide if CERN’s requirements are met.

The ODP will assist you in this assessment and elaborate recommendations in case conditions are not met.

2. Safeguards

When using external processors, you must make sure that appropriate safeguards are in place to protect the privacy of the individuals concerned.

The Computer Security Team is in charge of checking if external tools and cloud solutions comply with CERN’s security standards and thus guarantee that personal data is sufficiently protected. You should contact the Cloud and Licence Office (CLO) that will coordinate the involvement of the technical experts.

3. Instructions

When using external processors, you must make sure that they receive detailed instructions for the processing.

These instructions should comprise the following elements:

  • the subject-matter and duration of the processing,
  • the nature and purpose of the processing,
  • the type of personal data and categories of data subjects and
  • the obligations and rights of the controller

You should in particular specify if data transfers are foreseen and for how long data must be kept by the external processor.

These instructions will be part of the contract between CERN and the supplier.

4. Contract

When using external processors, you must make sure that compliance with OC 11, safeguards and instructions are documented in a contract.

The Procurement Service is responsible for setting up contracts of commercial natures. You should get in touch with a procurement officer of the Information Technology and Purchase Orders Section (IPT-PI-IP) to elaborate the appropriate document.

Please note that also for tools and service free of charge, a contract should be set up to formally establish the responsibilities of CERN and the supplier regarding the processing of personal data.

5. RoPO

When using external processors, you must make sure that processing by the external processor is documented in a RoPO.

Follow the instructions in the Records of Processing Operations procedure and specify in the “Transfer Data externally” table the supplier and its country, the personal data processed by him and the processing activities that are carried out. If the regular privacy notice of the supplier is available and applicable, it is good practice to add a link to it in the RoPO concerned.