Partage et transferts de données

A colleague of mine will leave CERN soon (e.g. for retirement or at the end of the contract). I would like to write a personal farewell speech to honour our excellent collaboration. May I consult her personal record to gather details about her career?

No, not without the person’s consent.

Accessing and sharing this type of information would qualify as processing personal data. Under CERN’s data protection rules (OC 11), this requires a valid legal basis. In this situation, the only appropriate legal basis would be the colleague’s consent.

Therefore, without her explicit agreement, the Records Office — as the controller of personal records — cannot grant you access to her file.

Additional considerations

Even with a legitimate interest, consulting a full personal record would be:

Highly privacy-intrusive, as it contains a large amount of personal (and potentially sensitive) data
Not proportionate for the purpose of preparing a farewell speech
Technically impractical, as extracting relevant information from records (often in PDF format) can be difficult

Suggested alternatives

You can achieve your goal in more appropriate ways:

Ask your colleague directly
The simplest and most respectful option is to speak with her and gather the information you need.
Request her agreement to share specific information from her personal record
If she agrees, she can exercise her right of access and obtain a copy of her personal data via the official web form, then choose what to share with you
Ask other colleagues
You may collect relevant information by speaking with colleagues who have worked closely with her.

In short

You cannot access a colleague’s personal record without consent.
Instead, rely on direct communication, consent, and less intrusive sources.

Are you a collaborator subject to the GDPR transferring personal data to CERN?

If you are someone who is subject to the GDPR then when transferring data to an International Organisation you have several things to consider. You are obliged to ensure that any personal data you transfer will be subject to the safe safeguards as they are when in your hands.

This is the principle that privacy travels with the data and what this means in practice is that you must rely on one of several prescribed measures in the GDPR, the most relevant of which are:

The International Organisation has a formal adequacy ruling from the European Commission.
There is a contract with clauses that are approved by the European Commission or a Supervisory body.
The transfer is required to fulfill a contract with the data subject.
The transfer is required for a specific and important public interest recognised in member state law.
The data subject consents to the transfer having been informed of the risks.

In most cases for CERN and its collaborators using CERN-IT services, the only practical one that has real legal certainty is the last one, relying on consent from the data subject.

Practically this means that CERN must provide information regarding the rules of its privacy framework (OC11), and organisational and technical measures (ISO and other recognised certifications and standards). This is so that data subjects can understand the risks of sending their personal data to CERN and their agreement can be recorded. CERN can then handle data subject rights in accordance with OC11. This would provide an appropriate mechanism within the confines of the GDPR for a collaborator to use the services at CERN.

As an individual, can I obtain personal data, such as the private address, of a person working at CERN for my very own purposes?

No. CERN’s data protection framework allows CERN to process personal data only when it is required for the proper functioning of the Organization (see also § 3 OC 11).

Sharing of personal data with natural persons for their private purposes does not qualify as such.

This covers also circumstances where you feel having a legitimate interest, such as collecting an outstanding debt of a former colleague who left CERN without leaving his new address.

Can we share personal data between Services?

All sharing of personal data, including with another Service (for examples photos), has to be compatible with the purpose when the data were initially collected.

The legitimate basis (for example providing a service) and the purpose (for example giving access to the service) must be declared in the privacy notice which details the aspects of why data are collected, for how long, the purpose and with whom they are shared.

It is therefore not appropriate to share data with another service that was not originally foreseen.

In the case that such sharing is considered to be needed, the ODP must have consulted prior to the transfer and either:

A further justification is provided, for example the consent of the data subject, or
The purpose is demonstrably in line with the original purpose for which the data were collected.

Does the processing of Personal Data at CERN by a person who is not a Member of the Personnel, qualify as “Transfer to an External Entity”?

OC 11 defines “External Entity” and “Data Transfer” as follows:

“§ 8. External Entity means any natural or legal person operating outside the Organization’s structure.”
“§ 22. Transfer means disclosure, dissemination of or otherwise making available, including by granting access, of Personal Data to one or more Services or External Entities.”

In jurisprudence, a natural person is a person (in legal meaning, i.e., one who has its own legal personality) that is an individual human being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental organization) or public (i.e., government) organization.

Individuals who are not Members of the Personnel but have a contract as temporary worker, consultant or similar with CERN are natural persons and are operating inside CERN's structure, and thus they are not considered as External Entities. Therefore, they can process personal data at CERN in the context of their mission and this activity would not be considered as Data Transfer.

Companies are in general legal persons, and when they process personal data on behalf of CERN they do this often in the context of a service contract that requires them to send their personnel onsite.
In this case, we would differentiate between the contractor’s personnel and their employers:

The personnel would not be considered external entities as long as they carry out their work within the CERN structure (being attached to an organic unit, with an office, a phone number, an e-mail address, etc.,) and process personal data withing CERN’s systems, and do not share CERN personal data with their employers, or any other external entity.
Their employers, on the other hand, would be considered external entities as they do not work within CERN’s structure.
Should the contractor’s personnel share CERN personal data with their employers, or any other external entity, or process personal data outside of CERN’s systems, we would, in that case, consider both the former and the latter as external entities.

General Principles on handling ad hoc requests by external entities for transfer of personal data

How to handle requests for information that contain personal data?

As a Service Owner you might sometimes get a "one time request" to extract, process or transfer data for a very particular purpose. Like for example information about all the participants of a given event.

The best way to answer reasonable requests of this type is with anonymised data. To carry out anonymisation it is important to understand what is the information being requested and the purpose for which the information will be put.

For data sets with very few people or very specific combinations of characteristics it is important to make sure that the identify cannot be reconstructed, or inferred, when using any other information that would be readily available.

It’s important to understand the difference between anonymised data and pseudonymised data.

To truly anonymise data, all individual identifiable information will be removed, and the data set will also be aggregated based on the requested fields. Anonymising data is an irreversible process rendering the data subject unidentifiable, while in case of pseudonymisation the data subject remains identifiable and can be identified with the use of additional information. However, pseudonymising the data provides further protection as it is no longer possible to directly identify the individual.

So for example instead of reporting there was a 23 year old Greek female, a 24 year old Spanish male and a 23 year old Spanish female, it is preferable to report the average age was 23.3 years, 2/3 of the participants were Spanish, 1/3 was Greek, 2/3 female and 1/3 male.

How to handle requests to provide information about an individual?

You might be asked to provide information about an individual or otherwise engage in the processing of information about an individual.

It would be useful then to consider: Why do I have this information in the first place? Is the processing requested compatible with the purpose for which I have the data?

Another test you might employ is: Would the individual be surprised by the processing I am about to perform?

For example, someone asks you for an individuals private phone number that you have for your own legitimate reasons. If now the individual receives a call from someone who you have given their phone number to, they may well be very surprised.

Avoid surprises!

Request for personal data by legal entities

The EP department would like to publish an obituary for a CERN physicist who recently passed away. I have been appointed as editor of the obituary. May I have a look at his personal record to gather details about his career?

To answer the question, we should first check the applicable provisions of Operational Circular no. 11 (OC 11):

As sharing of personal data between two services at CERN is allowed by OC 11 if it is in the interest of CERN and if the Office of Data Privacy (ODP) has been consulted prior to the transfer, one could assume that the access to the personal record should be possible in this specific case.

The ODP considers that the purpose of publishing an obituary for a member of the personnel, who passed away during or after his or her contract with CERN, written by CERN is legitimate. The ODP generally has no reservations regarding such transfers, provided that the next of kin of the deceased consent to the transfer.

So, our reply would be:

If the relatives of the deceased person agree with the edition and publication of an obituary, your access to the personal record of that person would be compliant with OC 11.

If the deceased person was an active member of the personnel, the Social Affairs Service of CERN is coordinating the procedure to be followed after a death of a member of the personnel and acting as the channel of communication between the family, the outside authorities and CERN’s internal services. Therefore, you should approach the Social Affairs Service to enquire whether an obituary is desired

In case the deceased person was a CERN retiree, since the Pension Fund Service will not handle such requests or the publication of obituaries, it is suggested to directly contact the relatives to ask for their consent.

What shall I do when another service wants access to my data?

If you are asked to provide data to another service, you need to consider the following questions:

Why does this service want my data? Is there a clear purpose?
Can I provide the data in pseudonymised, or preferably fully anonymised form to avoid transferring personal data. This will often be the case for services that are doing statistical or analytical work, however, you may need then to process the data before passing it to them.
Can I rely on the recipient to fully comply with the privacy obligations of CERN?

As the service doing the transferring you are responsible for ensuring that the privacy protection transfers along with the data. Again, if personal data is not really required, anonymise the data first.

Data requested by the CERN Internal Audit Service (IAS)

Where the request is submitted by the IAS for the purposes of an audit or fraud investigation, it is to be considered that the Director-General has already authorised access to personal data necessary for the fulfilment of the IAS’ mission: for audit purposes (see § 8 CERN Internal Audit Charter) and for fraud investigation purposes (§§ 10 and 31, OC 10).
Hence, a clear purpose and legal grounds exist to access data that is necessary and proportionate.

Transparency is ensured by the IAS’s privacy notice, which documents not only the purposes of the personal data processed, but also the source of collection, as well as by CERN’s Layered privacy notice, which stipulates that each controlling service may transfer personal data to CERN's competent services for auditing purposes or as part of official investigations (e.g. for fraud or harassment) or for the establishment, exercise or defense of legal claims.

Therefore, you should transfer the relevant personal data as requested.

In case you are the processing service of the requested data and you have not been specifically instructed by the data controller to transfer data to the IAS, you should forward the request to the data controller if it has been submitted in the context of an audit.
Else - if you are informed that the request is submitted in the context of a fraud investigation, which obliges you to fully cooperate and maintain confidentiality throughout the fraud investigation - you have to disclose the personal data requested by the IAS.
In this respect it is noted that the IAS has to notify you of the context in which it is submitting the request for data, however without mentioning any details with regard to the specific investigation.

Don't hesitate to contact the ODP in the event of questions or doubts.