The application of OC 11 is not dependent on the time when the data was collected.
It applies to all processing operations carried out since the introduction of the OC 11 on 1.1.2019, including data subject rights which are enforceable also for “old” data.
What does this mean in practice?
It means that everything that you do today with the data (even if it was collected years ago) must be compliant. This “everything” includes all kind of processing, also storage.
Examples:
-
Personal data was collected in 2010 when a new staff member was hired.
The collection was not subject to OC 11, however, if the data is still present today and it turns out that there is no legal basis and purpose for keeping it, you have to delete it (OC 11 obliges!). -
A transfer of this data to an external entity carried out in March 2018 was not subject to OC 11.
However, when the data subject concerned submits today a data subject request to correct the data, CERN has to comply with OC 11 and inform this external entity and ask them to update the data, too.