The European Organization for Nuclear Research (CERN) is an intergovernmental organisation based in Geneva, Switzerland. Due to its specific legal status, CERN benefits from privileges and immunities under international law. As a result, CERN is not subject to national or supranational data protection laws, including the EU General Data Protection Regulation (GDPR).

The European Data Protection Board (EDPB), in its Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), also clarifies that the GDPR does not affect the application of international law, including provisions governing the privileges and immunities of international organisations.

Furthermore, with regard to data transfers from the European Union to CERN, the Organization — by virtue of its intergovernmental status and associated privileges and immunities — is not subject to the Standard Contractual Clauses (SCCs). This interpretation is confirmed by the European Commission in its Q&A on the SCCs (Question 25).

Instead, CERN processes personal data exclusively in accordance with its own internal legislation. Its data protection framework is based on principles established in its Member States and, more broadly, within the European Union, and is implemented through appropriate technical and organisational measures. CERN will handle any requests in accordance with its internal procedures.

CERN has appointed a Data Privacy Adviser (DPA), who acts as the central point of expertise for all data protection matters within the Organisation. Because CERN is not subject to national jurisdictions, any disputes related to the processing of personal data are handled under its internal rules or, where necessary, through arbitration.

Further information on CERN’s approach to data protection is available in its Data Privacy Protection Policy.