Following the Director-General’s approval on 17 December 2025, the revised Operational Circular No. 11, “The processing of personal data at CERN” (OC 11), entered into force on 1 February 2026. This revised Circular cancels and replaces Operational Circular No. 11 dated January 2019 and its two annexes which came into force on 1 July 2021. This revision marks an important step in the modernisation of CERN’s internal data privacy framework, building on more than five years of experience in the application and interpretation of OC 11.
The changes introduced are not an extensive reform of the existing framework, but a targeted revision that preserves the fundamental principles of OC 11 while clarifying, simplifying and strengthening its application across the Organization.
Objectives of the revision
The revised OC 11:
- aligns CERN’s rules more closely with recognised international best practices in data protection, including the EU General Data Protection Regulation (GDPR),
- improves legal certainty and reduces legal and reputational risks,
- simplifies implementation for CERN services while maintaining a high level of personal data protection, and
- ensures technological neutrality and supports the long-term viability of CERN’s various activities.
Key areas of modernisation
Among the various updates introduced, the revision highlights ten key areas where clarification or simplification was most needed.
The scope and applicability of OC 11 have been clarified by excluding purely private processing activities, removing the need to maintain Records of Processing Operations (RoPOs) for such processing. Abolishing the concept of “regular processing” reduces uncertainty for services.
Archiving, scientific or historical research and statistical processing are no longer treated as legal bases but as compatible purposes, which facilitates further processing.
The decision as to whether a Data Privacy Impact Assessment (DPIA) is required now follows a risk-based approach that considers multiple factors and is supported by advisory input from the Office of Data Privacy (ODP). This improves the prioritisation of high-risk processing and reduces unnecessary DPIAs, leading to more efficient use of resources.
The data protection by design principle now clarifies what must be considered when integrating privacy into systems and processes, supporting the selection of appropriate solutions and ensuring that personal data is protected by default.
Personal data breach notifications are now limited to cases involving a high and unavoidable risk and no disproportionate effort, making the process more efficient and proportionate to the actual risk.
The rights in respect of automated decision-making now apply only where a decision produces a legal or similarly significant effect, which simplifies the drafting of RoPOs and responses to data subject requests.
Internal data transfers no longer require ODP approval, with consultation sufficing, simplifying processes while fully respecting the ODP’s mandate and its role as an independent advisory body.
For external transfers, responsibilities have been clarified and unnecessary obligations removed, improving understanding for potential suppliers and facilitating cooperation.
At the same time, a more proportionate framework for transferring sensitive personal data enables services to use solutions such as cloud services where appropriate, while preserving accountability.
The framework governing processing by external entities now explicitly distinguishes between CERN acting as a controller and CERN acting as a processor, with clear roles and responsibilities in each case. This aligns the framework more closely with the GDPR, improving understanding for potential suppliers and facilitating contractual relationships and partnerships.
Finally, specific terminology has been introduced for non-compliant processing that directly affects individuals (“grievances”), thereby improving legal and operational clarity, enhancing understanding for the persons concerned and contributing to a reduction in complaints.
Looking ahead
With this revision, CERN confirms its commitment to protecting personal data through a modern framework designed to keep pace with evolving technologies and collaborative research environments, while maintaining a high level of protection and ensuring continuity, clarity and proportionality in practice.
Next steps
The ODP will continue its gradual efforts to update related policies, guidance and operational documentation to reflect the changes introduced by the revision.
To support understanding and implementation, the ODP will also organise information sessions in both English and French, aimed at explaining the key changes in a practical and accessible way. The English session will take place on Thursday, 19 February at 11:00, and the French session will be announced shortly. A factsheet and the slides used during these events will be made available for those who wish to consult them.
In the meantime, and at any stage, individuals and services are encouraged to contact the Office of Data Privacy with any questions or requests for guidance by writing to: privacy.protection@cern.ch.
________
To mark Data Protection Day, CERN, ESA, EMBL, EPO and ESO jointly organised, on 26 January 2026, an informative session on cloud sovereignty. You can watch the recording here (CERN login required).