-A +A
Print

Policy on the use of personal data

The French National Centre for Scientific Research (CNRS) is a public scientific and technological establishment governed by the French Research Code and its articles R. 322-1 to R. 322-33. The CNRS is entrusted with a mission of public interest to carry out all research that contributes to the advancement of science and to France's economic, social and cultural progress.

In the framework of this mission, the CNRS ensures the protection of personal data which is part of the ethical and responsible practices it promotes within the scientific community.

The CNRS thus undertakes to process personal data in compliance with the current regulations, particularly the General Regulation (EU) 2016/679 dated April 27th 2016 (General Data Protection Regulation or 'GDPR') and Law No. 78-17 dated January 6th 1978 on data processing, data files and individual liberties, as amended.

In compliance with GDPR Articles 13 to 15, the objective of this document is to inform the people concerned about the processing of their personal data in the context of CNRS activities that support research like mailing lists, events management, partnerships or information systems. 

This data processing is part of the CNRS's public interest mission as defined by the Research Code. Data may be processed for a legitimate interest or a legal obligation depending on the end purpose.

It should be noted that separate specific information on the processing of personal data related to the scientific projects of CNRS research units is made available by the data controller on the laboratory's website or by means of an individual notice. This is therefore not described in this document.

I.  The people concerned

The data subjects of processing operations may be:

  • Staff members who are or have been employed by the CNRS;

  • Employees of joint research units other than those employed by the CNRS;

  • People employed by the CNRS's partners or service providers to the CNRS;

  • Users of CNRS websites;

  • The CNRS's external and occasional staff members, including interns and those with emeritus status;

  • People from outside the CNRS.

II.  The data collected and the associated end purposes

Several categories of data are collected directly or indirectly.

The management of contact databases and mailing lists

  • Purpose: contact databases are created to disseminate information about an institution's activities, solicit experts to form think tanks, and ask people to take part in actions initiated by the CNRS.
  • Data: the categories of data concerned are: identification data, professional contact details, areas of expertise, positions held and a person's home establishment.
  • Conservation periods: data are conserved for the duration of the relationship with the CNRS.

The management of institutional and scientific events

  • Purposes: the organisation of meetings, scientific events, discussion workshops, competitions and awards intended to promote research contribute to the valorisation and dissemination of research results, the management of the institution's activities and also to civil society's scientific and technical culture.
  • Data: the categories of data concerned are identification data, personal or professional contact details used to register events registrations such as positions held and a person's home establishment.
  • Retention periods: data is retained after the event for a maximum of one month, with the exception of events organised in Zones à Régime Restrictif (protected zones with restricted access) for which data is retained for two years.

The management of partnerships and public procurement

  • Purposes: the CNRS's partnership work involves agreements, conventions, calls for tender and contracts being concluded. Personal data are involved from the preparation of the agreement to its signature and also for monitoring the contractual relationship.
  • Data: the categories of data concerned are identification data, professional contact details, job title and a person's home establishment.
  • Retention period: data is retained after the end of the contract for a maximum of 10 years.

The management of websites administered by the CNRS

  • Purposes: data processing is required to manage the operation and security of the websites and technical administration thereof carried out with service providers where necessary (third-party application maintenance, hosting in particular).
  • Data: the categories of data involved are identification data, professional contact details, position held, a person's home establishment and site navigation data.
  • Retention periods: browsing data is kept for one year. Data relating to exchanges with service providers is kept for 5 years after the end of the contract.

The management of user accounts attached to the CNRS's information system

  • Purpose: temporary access to the information system may be granted under the responsibility of the Information Systems Department (DSI) according to the purpose of the external services entrusted to partners by the CNRS.
  • Data: user accounts require identification data, professional data (job functions, employers, contact details), connection data and browsing data.
  • Retention periods: data is deleted at the end of a subject's relationship with the CNRS.

III.  Data recipients

The recipients of the data are CNRS staff members and staff members of units in charge of all activities that require data processing. Data may also be transmitted to service providers asked by the CNRS to carry out a service defined by a public procurement contract.

The CNRS may transmit personal data to external recipients, particularly to organise the organisation's defence in the event of a dispute, an inspection or proceedings initiated by a supervisory authority, and also to authorised third parties.

IV.  Automated decision-making

Automated decision-making is not used for data processing.

V.  Safety measures

Security measures are implemented in compliance with the French State's information systems security policy (PSSI) as applied to the CNRS. The data is hosted in the European Union.

VI. Exercising your rights

You are entitled to access and obtain a copy of data concerning you, oppose the processing of these data or have them rectified or deleted. You also have the right to limit the processing of your data.

The CNRS informs you that, for certain processing operations, exercising your right to object to or delete your data can lead to functions and activities offered by the CNRS being inaccessible.

You may exercise these rights by contacting the CNRS Data Protection Officer (DPO) at the following address:

CNRS - Service Protection des Données, 2 rue Jean Zay, 54519 Vandoeuvre-lès-Nancy - dpd.demandes@cnrs.fr.

If you consider that your rights have not been respected, you can make an online complaint to the Commission on Information Technology and Liberties (CNIL) at https://www.cnil.fr/ or by post to CNIL, 3 Place de Fontenoy, TSA 80715 - 75334 Paris Cedex 07.

See more: