You are doing business with CERN


If you are a supplier of CERN, or if you are interested in becoming one, information about CERN’s specific requirements for the processing of personal data may be interesting for you.

A short overview of CERN’s legal framework for data protection is available in the For Everybody section of this web site.

You should read these pages first to familiarise yourself with the rules CERN and its suppliers are subject to.

In the context of the commercial relationship with CERN, you will certainly process personal data:

  1. For the purpose of managing the contractual relationship with us.

    You will probably register in your databases names of your contacts at CERN, you will send e-mails to your procurement officer at CERN, invoices to CERN’s financial services etc.

    When doing this, you process personal data and you will follow the national rules of the country of your business (eg. the GDPR when your company is in a country belonging to the EU). CERN’s data protection framework does not apply to these activities.

  2. When the service or good you supply to CERN involves the processing of personal data on behalf of CERN (e.g. you provide a cloud solution to CERN).

    In this situation, the processing must be compliant with CERN’s data protection framework. Please find in the link below a specific information for CERN’s suppliers about this subject.

    Being a supplier, complying with CERN’s data protection framework means in practise:

    • When processing personal data on behalf of CERN, you will act solely as “external processor” and must process the data only following the instructions of CERN.

    • Data collection and processing must be necessary, reasonable and adequate for the purpose.

    • The sole controller of the personal data is CERN.

    • Personal data processed on CERN's behalf must not be sold or otherwise shared.

    • Personal data processed on CERN's behalf must not be used for other purposes, such as marketing.

    • Data processing incl. storage must take place only in CERN’s member states, ideally subject to GDPR or Swiss FDPA. This applies also to any sub-processor you may engage.

    • You are responsible for having adequate safeguards in place to ensure the security of the data.

The ODP has prepared a Data Protection Questionnaire at the attention of potential suppliers to evaluate the conditions under they are processing personal data (see link at the bottom of the page).

You might be asked to complete it prior to the establishment of a contract. Your answers will help to decide if CERN’s requirements are met.

Please note that the list above is not exhaustive, and depending on the specific case, additional obligations might be applicable. Duties and rights of you and CERN in the context of data protection will be part of the contract.


Office of Data Privacy
Data Privacy Adviser