Data Protection for Clubs at CERN
CERN’s clubs are autonomous entities with their own legal personality (see the descriptions under 2.1 and chapter C of the document Clubs sous l'égide de l'Association du Personnel du CERN). In consequence, they process personal data under their own responsibility while applying the applicable legislation of their country of establishment:
the General Data Protection Regulation (GDPR) if the club has been set up under the French law of 1901 (see the French government's publication on clubs' obligations with regard to the GDPR), or is providing goods or services to people present in the EU;
the Swiss Federal Act on Data Protection if the club has been set up based on art. 60 of the Code Civil Suisse (see relevant publication of the Swiss data protection authority).
However, the club shall also comply with the rules set out in Operational Circular No. 11 (OC11) whenever CERN is used for the processing of personal data (for example, use of e-groups, Indico, or databases hosted at CERN).
Note that personal data transfers between CERN and the EU or Switzerland are subject to additional requirements, both in the host countries and at CERN (OC11).
CERN’s club XYZ is established in France and uses an off-the-shelf tool to manage its members. The tool comprises a cloud solution which stores the data somewhere in France.
→ For this processing, the GDPR is applicable.
To facilitate communication within the club, the same club sets up an e-group at CERN and imports the e-mail addresses of its members.
→ OC11 applies to the transfer of personal data to CERN and to all further processing using the e-group.