What has changed in the new version of OC 11?

The revised OC 11:

  • aligns CERN’s rules more closely with recognised international data protection best practices, including the EU General Data Protection Regulation (GDPR),
  • improves legal certainty and reduces legal and reputational risks,
  • simplifies implementation for Services while maintaining a high level of personal data protection, and
  • ensures technological neutrality and supports the long-term viability of CERN’s various activities.

Key areas of modernisation

Among the various updates introduced, the revision highlights ten key areas where clarification or simplification was most needed:

Clarified Scope & Applicability

  • Purely private processing is excluded, and the concept of “regular processing” is removed.

Automated Decision-Making

  • Rights apply only where decisions produce legal or similarly significant effects, simplifying compliance.

Archiving, Research and Statistics

  • Now treated as compatible purposes rather than legal bases, facilitating further processing.

Internal Transfers

  • Consultation with the ODP replaces formal approval, safeguarding the ODP’s mandate and role while maintaining oversight.

Data Privacy Impact Assessments (DPIAs)

  • Introduction of a risk-based approach that supports better prioritisation of genuinely high-risk processing and reduces unnecessary assessments.

External Transfers

  • Clearer responsibilities and streamlined obligations improve understanding for suppliers and facilitate cooperation.
  • A more proportionate, risk-based framework now enables the use of cloud solutions for sensitive personal data, while preserving accountability.

Privacy by Design

  • Clearer implementation criteria help integrate privacy into systems and processes from the outset and throughout.

Processing by External Entities

  • Clear distinctions between CERN’s roles as controller and processor establish defined responsibilities, align the framework more closely with GDPR, and improve understanding for suppliers, facilitating contractual relationships and partnerships.

Data Breach Notifications

  • Required only in cases of high and unavoidable risk, ensuring a more proportionate process.

Grievances

  • Specific terminology now identifies non-compliant processing that directly affects individuals (“grievances”), strengthening legal and operational clarity, enhancing understanding, and helping reduce complaints.

Looking ahead

With this revision, CERN confirms its commitment to protecting personal data through a modern framework designed to keep pace with evolving technologies and collaborative research environments, while maintaining a high level of protection and ensuring continuity, clarity and proportionality in practice.