Data Subject Rights
If you are a member of the personnel at CERN and you want to access data contained in your personal administrative files (Personal Records, MERIT, medical and Pension Fund files) or get a copy of them, you can choose to exercise this right:
- either by referring to § 9 of Administrative Circular no. 10 (AC 10): every member of the personnel has the right to consult their personal record, in the presence of a Human Relations Advisor (HRA).
  AC 10 does not specify a time limit for exercising this right, and the files are generally consulted either on the premises of the Records Office, or in the office of or via the HRA. They can also make copies of documents for you, if applicable.
  If you want to proceed in this way, please contact your HRA or the Records Office directly, and don't submit a Data Subject Right Request.
- or by referring to OC 11, which defines a time limit of 90 days for granting access.
  If you prefer this way, you will find corresponding information about the exercise of your right to information on this web site.
Unlike European data protection legislation, the protection granted by OC 11 does not end with the death of the data subject. In the event of death, the rights of the deceased may be exercised by their legal successor. This means that the legal successor may, for example, access the deceased's personal data, request changes and/or corrections, or report misprocessing of the deceased’s personal data.
To do so, the requester must prove both their identity and their status as a legal successor of the deceased.
Legal succession must be evidenced by public or publicly certified documents, such as a certificate of inheritance or a European Certificate of Succession.
Special case: Community of heirs
If the submitted document indicates that the deceased has multiple legal successors, i.e. a community of heirs, the exercise of rights becomes somewhat more complicated.
As a rule, a community of heirs can only exercise the rights of the deceased person jointly. An exception applies to requests for access or copies of the deceased’s personal data: in this case, each heir can submit an individual request, which will be processed and answered individually.
All other rights must be exercised jointly, either by:
- the requester submitting written consent from all other heirs together with their proofs of identity, or
- a legal representative (e.g. a notary) acting on behalf of the entire community of heirs, supported by powers of attorney from each heir.
Misprocessing reports are followed up by the Office of Data Privacy (ODP) in the following way:
- Fact Finding
  First, the ODP establishes the facts pertaining to the processing of the personal data concerned. This is typically done in collaboration with the services involved to find out what was done by whom, when and why. The study of applicable documentation, regulations, etc. is also part of the fact finding.
- Compliance Check
  Then, the ODP assesses whether the processing was/is compliant with Operational Circular no. 11 (OC 11). The ODP checks if essential principles of processing are respected, if a lawful basis exists, if data subject rights are observed, etc.
- Recommendations
  Furthermore, if appropriate, the ODP tries to identify ways to bring the processing into compliance and recommends specific measures to the services concerned for doing so. This can be for example: “Please, publish a privacy notice.”, or “Delete the data that is no longer needed.”, or “Carry out a Privacy Impact Assessment to analyse risks and identify suitable mitigation measures.”
- Follow-up
  Finally - as an “extra step” not defined in OC 11 - the ODP gives the services concerned the opportunity to react to the recommendations, for instance by committing to implement them in a certain time-frame. The reason the ODP has added this extra step is that OC 11 does not provide for follow-up of recommendations, while giving data subjects the right to lodge a complaint if they are dissatisfied, provided that their own personal data is affected by the misprocessing.
  Thus, data subjects have sufficient elements allowing them to decide whether they would like to file an official complaint with the Data Protection Commission.
- Documentation
  The steps above are documented in an evaluation report that is shared with the complainant and the services concerned. A copy is also sent to the Data Protection Commission for information.
As a principle, the ODP handles the reports in a confidential way by not disclosing the identity of the complainant to the services involved. However, this is not always possible, in particular when the complainant's own personal data are concerned.
OC 11 does not define a time limit for the handling of misprocessing reports. The ODP tries to do its best to quickly investigate, evaluate and recommend. Unfortunately, the ODP often faces a heavy workload, which causes certain delays.
The responsibility for data protection at CERN is decentralised and organised in a particular way: Controlling Services are accountable for their processing activities. Consequently, data subject rights are to be exercised with regard to the personal data held by a specific Controlling Service.
It is not possible to satisfy a general request covering "all the information CERN holds about me". Bearing in mind that CERN's service catalogue currently contains over 600 active services, granting such a request would involve a disproportionate effort.
Therefore, you should identify the Controlling Services concerned in order to formulate the desired request to access personal data.
CERN's Layered Privacy Notice contains the list of Controlling Services that have published their privacy notice, allowing you to understand which personal data they process.
If you are not sure which Controlling Service is responsible for the processing activity you are interested in, the Office of Data Privacy is available to advise you.