You are doing business with CERN
If you are a supplier of CERN, or if you are interested in becoming one, information about CERN’s specific requirements for the processing of personal data may be of interest to you.
A short overview of CERN’s legal framework for data protection is available in the For Everybody section of this web site.
You should read these pages first to familiarise yourself with the rules CERN and its suppliers are subject to.
In the context of the commercial relationship with CERN, you will certainly process personal data:
- For the purpose of managing the contractual relationship with us.
  You will probably register in your databases the names of your contacts at CERN, you will send e-mails to your procurement officer at CERN, invoices to CERN’s financial services, etc.
  When doing this, you process personal data and you will follow the national rules of the country of your business (e.g. the GDPR when your company is in a country belonging to the EU). CERN’s data protection framework does not apply to these activities.
- When the service or good you supply to CERN involves the processing of personal data on behalf of CERN (e.g. you provide a cloud solution to CERN).
  In this situation, you will act as CERN's data processor and must follow specific rules, which are very similar to the obligations set out in Article 28 of the GDPR.
  These rules will be set out in a written agreement between you and CERN that will describe what data you process, why, for how long, and what both you and CERN must do.
  In practice, this means:
  - Follow CERN’s instructions only
    You can only use the personal data exactly as CERN tells you, and not for your own purposes or anything else.
  - Do not subcontract without permission
    You must not pass the work to another company (sub-processor) unless CERN has given you written approval. If CERN gives general approval, you must still inform them before adding or changing any subcontractor, so they can object if needed.
  - Stay responsible for your subcontractors
    If you hire another company to help process the data, they must follow the same rules as you and you remain fully responsible if they fail to comply.
  - Ensure confidentiality
    Anyone in your organisation who handles personal data must keep it confidential, and be bound by a confidentiality obligation (contract or law).
  - Protect the data and report incidents
    You must:
      - Put in place appropriate security measures to protect the data
      - Quickly inform CERN if a data breach happens
      - Help CERN meet its legal obligations in such cases
  - Help CERN respond to individuals
    If people (data subjects) exercise their rights (for example, asking to access or correct their data), you must assist CERN in handling these requests.
  - Respect CERN’s special legal status
    You must respect CERN’s privileges and immunities, especially the protection and inviolability of its documents and archives.
  - Be able to prove compliance
    If CERN asks, you must show that you comply with your contractual obligations and allow audits or inspections by CERN or its representatives.
  - Return or delete the data when finished
    When your contract ends or the work is completed, you must either return all personal data to CERN or permanently delete it, depending on CERN’s instructions.

  In short: You must handle personal data only as instructed, securely, and transparently, remain responsible for any partners you use, and give control back to CERN at all times.
The ODP has prepared a Data Protection Questionnaire for the attention of potential suppliers, to evaluate the conditions under which they are processing personal data (see link at the bottom of the page).
You might be asked to complete it prior to the establishment of a contract. Your answers will help to decide if CERN’s requirements are met.
Please note that the list above is not exhaustive, and depending on the specific case, additional obligations might be applicable. Duties and rights of you and CERN in the context of data protection will be part of the contract.
Useful Links
| Link Type | URL |
|---|---|
| Legal document | CERN Data Privacy – Conditions governing relationships with contractors and par… |
| Form | Questionnaire for Data Protection |