Terminology
Anonymisation is an irreversible process that removes any data that can be used to identify a person either directly or indirectly, rendering the data subject unidentifiable by the service owner or by third parties.
Once data is truly anonymised and individuals are no longer identifiable, the data will no longer be considered as personal data and thus not fall within the scope of OC 11.
A Service is a Controlling Service if it determines the purposes and means of a processing operation.
In practice, the Controlling Service decides what data is to be collected, what will be done with it and why (purpose, legal basis, retention period, transfer etc.).
When different Services define different purposes or means for the same processing operation, each Service will be a Controlling Service for the part of the processing it has defined.
When purposes and means are determined jointly by two or more Services, these Services will be Joint Controlling Services.
A Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A personal data breach is therefore a type of security incident and there are three different types of breach that may occur:
- Confidentiality breach – an accidental or unauthorised disclosure of, or access to, personal data.
- Availability breach – an accidental or unauthorised loss of access to, or destruction of, personal data.
- Integrity breach – an accidental or unauthorised alteration of personal data.
A breach can concern confidentiality, availability and integrity of personal data at the same time, as well as any combination of these.
A personal data breach would, for example, include:
- personal data being disclosed to an unauthorised person, e.g. an email containing personal data being sent to the wrong person.
- an unauthorised person accessing personal data, e.g. an employee’s personnel file being inappropriately accessed by another staff member due to a lack of appropriate internal controls.
- a temporary or permanent loss of access to personal data, e.g. where a client’s or customer’s personal data is unavailable for a certain period of time due to a system shutdown, a power, hardware or software failure, infection by ransomware or viruses, or a denial of service attack; where personal data has been deleted, either accidentally due to human error or by an unauthorised person; or where the decryption key for securely encrypted data has been lost.
A Data Controller is CERN or an External Entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.
In practice, the Data Controller decides why personal data is collected and how it is processed (e.g. purpose, legal basis, retention period, transfers).
CERN is the Data Controller for the processing of personal data falling within the scope of OC 11 where it determines such purposes and means.
When personal data is processed by an External Entity acting as a data controller, that entity is independently responsible for ensuring compliance with the legal framework applicable to it (e.g. the GDPR for an EU-based commercial entity), including that the processing is lawful, fair, transparent, proportionate, accurate, secure and limited to what is necessary for the stated purpose.
N.B.: Within CERN, the concept of a Data Controller should not be confused with that of a Controlling Service. The Controlling Service is an internal CERN function responsible for determining the purposes and means of a specific data processing operation. By contrast, the Data Controller is a broader legal concept that applies to CERN in its external relations.
In short, while the Controlling Service relates to CERN’s internal organisational responsibilities, the Data Controller refers to CERN’s role under applicable data protection frameworks.
Data Privacy is the right of individuals to control how their personal information is collected and used, and to ensure that the data is only used for its intended purpose.
Privacy is a legal concept, not a technical one, and is recognised in the European Union as a fundamental right. CERN commits in its Code of Conduct to respect the privacy of others and to protect personal information.
A Data Privacy Impact Assessment is a process carried out to identify the impact on and risks of processing operations to the rights of data subjects and to determine the appropriate mitigation measures.
A Data Processor is CERN or an External Entity that processes personal data on behalf of a Data Controller.
The Data Processor does not decide why the data is processed. It acts only according to the instructions of the Data Controller and does not make independent decisions about the personal data it processes.
CERN itself can act as a Data Processor, for example when providing platforms such as Zenodo or Indico to external users. In such cases, it is the external user who determines the purpose of the processing; CERN's role is limited to providing and operating the technical means through which that processing takes place.
When an External Entity acts as a Data Processor on CERN's behalf, CERN will only engage entities that provide sufficient guarantees that they will implement appropriate technical and organisational measures to ensure the processing meets requirements comparable to those of OC 11. The relationship must be governed by a written arrangement specifying, among other things, the subject matter, nature, purpose and duration of the processing, the categories of personal data and data subjects involved, and the obligations of both parties.
N.B.: Within CERN, the concept of a Data Processor should not be confused with that of a Processing Service. The Processing Service is an internal CERN function that processes personal data solely on behalf of a Controlling Service. By contrast, the Data Processor is a broader legal concept that applies to CERN in its external relations.
In short, while the Processing Service relates to CERN’s internal organisational responsibilities, the Data Processor refers to CERN’s role under applicable data protection frameworks.
Data Security refers to the organisational, physical and technical measures put in place to safeguard the integrity of personal data and prevent events and activities such as unauthorised access, modification, disclosure or destruction.
It is the Data Controller's and the Controlling Service's responsibility to assure the security of the data they process.
A Data Subject is a natural person, living or dead, whose personal data is subject to processing.
A data subject right request is a request from a data subject to a Controlling Service asking to exercise one or more of their 8 data subject rights defined in OC 11.
One of the aims of CERN’s data protection framework (Operational Circular no. 11, OC 11) is to empower individuals and give them control over their personal data.
OC 11 defines the following eight data subject rights:
- Right to information
- Right to access
- Right to object
- Right to correction
- Right to request temporary suspension of processing
- Right to deletion
- Right to portability
- Rights in respect of automated decision-making
External entities are any natural (an individual) or legal persons (organisations or companies) operating outside CERN's structure.
A grievance is a specific form of misprocessing that constitutes an infringement of OC 11 and directly affects the individual raising the grievance through the processing of their personal data.
Where two or more Data Controllers jointly determine the purposes and means of a processing operation, they are Joint (Data) Controllers. Joint controllership is determined by whether each party genuinely influences the decisions about why and how personal data is processed, not by how the parties choose to label or structure their relationship.
Joint Controllers must set out, by means of a formal arrangement, their respective responsibilities (e.g. how to respond to data subject rights requests and how data subjects will be informed of those responsibilities).
Misprocessing means that personal data is not processed in compliance with CERN's data protection framework, OC 11.
It covers general situations where personal data is not handled in accordance with the rules and principles set out in OC 11; for example:
- A service processes data without a valid lawful basis.
- The personal data is used for other purposes than indicated in the privacy notice.
- The data is not deleted or anonymised after the end of the retention period.
- Insufficient security measures to protect the data.
- Too much personal data is exposed - data that is not necessary for the purpose of the processing.
Anyone who becomes aware of Misprocessing or potential Misprocessing must report it to the Office of Data Privacy (ODP).
If the Misprocessing concerns their own personal data, Data Subjects may file a grievance with the ODP instead.
According to OC 11, "Personal Data means any information, in any form or medium, relating to an identified or identifiable person. It includes data such as name, passport or other national registration details, CERN ID number, banking information, personnel records, images and video-surveillance footage, online and device identifiers, addresses and telephone numbers, and Sensitive Personal Data."
This means personal data has to be information that relates to an individual who is either identified or identifiable.
Any individual who can be distinguished from others is considered identifiable.
An individual is directly identifiable if you can identify them solely from the information you hold.
They are indirectly identifiable if you cannot identify them from that information alone, but you could do so by combining it with other information you hold or you can access from another source (including information held by third parties).
A third party using your data and combining it with information they can access to identify an individual is another form of indirect identification.
An easy example of information that could be used to indirectly identify someone is an individual’s license plate number. The police (a third party) can match a name to a license plate number. Consequently, the license plate number is personal data.
Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without requiring any action from the end user.
Privacy by Design is a principle requiring that privacy be proactively embedded into the design and operation of IT systems, networked infrastructure, policies, procedures and administrative and business practices.
Developing and integrating privacy solutions in the early phases of a project helps identify potential problems at an early stage and prevent them in the long run.
A Privacy Notice is a published document addressed to the data subjects that explains why a Controlling Service processes their personal data. It includes details on the processing operations and informs data subjects of their rights.
To make it short: Processing means anything done with personal data – from collecting, using and storing it, to deleting it, or even merely accessing it.
A more detailed definition: Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:
• collection,
• recording,
• organisation,
• structuring,
• storage,
• adaption or alteration,
• retrieval,
• consultation,
• use,
• disclosure by transmission,
• dissemination or otherwise making available,
• alignment or combination,
• restriction,
• erasure.
Basically, anything one can do with data is processing!
Examples:
• staff management and payroll administration;
• access to/consultation of a contacts database containing personal data;
• sending promotional e-mails;
• shredding documents containing personal data;
• posting/putting a photo of a person on a website;
• storing IP addresses or MAC addresses;
• video recording (CCTV).
A Service is a Processing Service if it processes Personal Data solely on behalf of a Controlling Service.
It carries out the processing as instructed by the Controlling Service and does not take any initiative in defining or changing its purposes or means.
A Processing Service may become a Controlling Service if it decides to process the data in ways that go beyond or differ from the instructions given by the Controlling Service.
A Service can act as both Controlling and Processing Service for different processing operations.
Profiling means any form of automated processing of personal data to evaluate certain aspects relating to a data subject, in particular, but not restricted to, their performance at work or behaviour.
Pseudonymisation is a way of protecting personal data by replacing data which could be used to directly identify an individual with, for example, a fake name or ID number (i.e. a pseudonym).
This process makes it more difficult to directly identify an individual, but not impossible! Pseudonymised individuals are still considered identifiable (indirectly), because with the use of additional information (for example the key or lookup table linking pseudonyms to identities) it is still possible to know who they are.
For this reason (that is, because pseudonymised data are personal data), OC 11 remains fully applicable to pseudonymised data.
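The following is an added example, not part of OC 11 or any CERN tool, illustrating the difference between pseudonymisation and anonymisation described above and the indirect-identification point made in the Personal Data entry (a third party holding a lookup table, like the police and a licence plate, can re-identify a record). It assumes a keyed HMAC-SHA-256 pseudonym (one of many possible schemes) and uses constructed sample records that do not describe real people. The mapping table returned by `pseudonymise` is the "additional information": whoever holds it can reverse the process, so the data stays personal data; `anonymise` keeps no such information and cannot be reversed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people), each with direct
# identifiers plus the attributes a Service actually needs for its purpose.
RECORDS = [
    {"name": "Alice Example", "cern_id": "100001", "building": "40", "shift": "day"},
    {"name": "Bob Sample", "cern_id": "100002", "building": "513", "shift": "night"},
]

# Fields that on their own identify a person directly.
DIRECT_IDENTIFIERS = ("name", "cern_id")


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed pseudonym.

    Returns (pseudonymised_records, mapping).  `mapping` links each pseudonym
    back to the original identifiers; it is the additional information that
    makes re-identification possible and must be stored and protected
    separately from the pseudonymised data.  `key` is secret bytes.
    """
    pseudonymised, mapping = [], {}
    for record in records:
        # Keyed hash of the stable identifier; the same key gives the same
        # pseudonym, so records about one person remain linkable.
        pseudonym = hmac.new(key, record["cern_id"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[pseudonym] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        pseudonymised.append(
            {"pseudonym": pseudonym,
             **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return pseudonymised, mapping


def reidentify(pseudonymised, mapping):
    """Reverse pseudonymisation: combine the records with the separately held
    mapping (the 'other information' in the indirect-identification definition)."""
    return [
        {**mapping[r["pseudonym"]], **{k: v for k, v in r.items() if k != "pseudonym"}}
        for r in pseudonymised
    ]


def anonymise(records):
    """Drop direct identifiers entirely and keep no mapping.  Nothing returned
    here can be linked back to a person by the holder of this output, which is
    the irreversibility that anonymisation requires."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def holds_direct_identifier(records):
    """True if any record still carries a direct identifier field."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed for this run; keep real keys out of the data store
    pseudo, table = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo)
    print("re-identified with mapping:", reidentify(pseudo, table))
    print("anonymised (no way back):", anonymise(RECORDS))
```

Usage note: the pseudonymised records alone do not let a recipient name anyone, but because the Controlling Service (or any party that obtains the table) can run `reidentify`, OC 11 still applies to them; only the output of `anonymise`, with the mapping never created, falls outside the definition of personal data.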
Personal data processing may cause physical, material or non-material harm to data subjects; this includes situations where:
- the processing may give rise to:
  - discrimination,
  - identity theft or fraud,
  - financial loss,
  - damage to reputation,
  - loss of confidentiality of personal data protected by professional secrecy,
  - unauthorised reversal of pseudonymisation,
  - or any other significant economic or social disadvantage;
- data subjects are deprived of their general rights or prevented from exercising control over their personal data.
The likelihood and severity of such risks may increase where:
- sensitive personal data are processed;
- aspects relating to Data Subjects are evaluated in order to create or use personal profiles;
- personal data of persons under 16 years of age are processed; or
- the processing involves a large amount of personal data and affects a large number of data subjects.
Sensitive Personal Data is any personal data relating to:
- physical or mental health;
- genetic or biometric data;
- racial or ethnic origin;
- sexual orientation;
- political, religious or philosophical opinions or beliefs;
whereby:
Genetic Data means personal data relating to the inherited or acquired genetic characteristics of a person, which gives unique information about his or her physiology or health and which results, in particular, from an analysis of a biological sample taken from him or her, and
Biometric Data means personal data that results from specific technical processing and that relates to the physical, physiological or behavioural characteristics of a person and allows or confirms his or her unique identification.
For the purposes of CERN's data protection framework, a Service denotes one or more activities involving the processing of personal data for the benefit of the Organization.
A Service does not necessarily correspond to an organic unit or a functional area.
A Service is a
- Controlling Service if it determines the purposes and means of a processing operation, or a
- Processing Service if it processes personal data solely on behalf of the Controlling Service.
A Service Owner is the person accountable for the processing of Personal Data by their Service.