Can I use cloud solutions that store personal data in the USA?

In principle, no.

CERN’s standard contractual conditions require that personal data processed on its behalf remain within CERN’s Member States. This ensures that the data benefits from CERN’s legal framework, including its privileges and immunities, which provide an additional level of protection.

As a result, using cloud services that store or process personal data outside CERN’s Member States (including in the United States) is generally not permitted, whether by CERN personnel or suppliers.

Important clarification

Some countries, including the United States, are recognised (under certain frameworks) as providing adequate levels of data protection comparable to European standards.

However, for CERN, which does not apply the GDPR, this alone is not sufficient. CERN’s contractual and institutional requirements go beyond general data protection adequacy rules.

What this means in practice

  • You should only use cloud solutions that keep personal data within CERN’s Member States
  • Transfers outside these countries require prior assessment and explicit authorisation by CERN
  • You must not assume that a service is acceptable just because it complies with EU data protection rules