Revision of OC 11: a modernised data privacy framework for CERN
CERN Ushers in New Era of Data Privacy with Revised OC 11
CERN, the European Organization for Nuclear Research, has officially implemented a revised data privacy framework, Operational Circular No. 11 (OC 11), as of February 1, 2026. This update, approved on December 17, 2025, builds upon the original OC 11 adopted in 2018 and subsequent annexes added in 2021, marking a significant step in modernizing how the organization handles personal data.
A Targeted Revision, Not a Revolution
The changes aren’t a complete overhaul, but a focused revision designed to clarify, simplify, and strengthen the application of existing principles. This approach acknowledges over five years of practical experience with the initial framework. The aim is to enhance legal certainty and reduce risks while maintaining a high level of data protection.
Aligning with Global Standards: GDPR and Beyond
A key objective of the revision is to align CERN’s data protection rules more closely with international best practices, notably the EU General Data Protection Regulation (GDPR). This alignment isn’t merely about compliance; it’s about adopting a globally recognized standard for responsible data handling. The revised OC 11 also aims to improve technological neutrality, ensuring the framework remains viable as CERN’s research and collaborative environments evolve.
Key Modernizations: What’s Changed?
Several specific areas have been modernized to improve efficiency and clarity:
- Scope and Applicability: The definition of what falls under OC 11 has been refined, excluding purely private processing activities and streamlining the maintenance of Records of Processing Operations (RoPOs). The removal of the “regular processing” concept reduces ambiguity.
- Research Processing: Archiving, scientific research, and statistical processing are now considered compatible purposes rather than legal bases, facilitating further data use.
- Data Privacy Impact Assessments (DPIAs): A risk-based approach now governs DPIA requirements, prioritizing high-risk processing and optimizing resource allocation.
- Data Protection by Design: Clarification on integrating privacy into systems and processes supports the selection of appropriate solutions and ensures data protection by default.
- Data Breach Notifications: Notifications are now limited to cases with high and unavoidable risk, streamlining the process.
- Automated Decision Making: Rights related to automated decision-making apply only when decisions have legal or significant effects, simplifying RoPO drafting.
- Internal Data Transfers: These no longer require approval from the Office of Data Privacy (ODP), with consultation sufficing.
- External Data Transfers: Responsibilities are clarified, and unnecessary obligations removed, improving collaboration with suppliers and enabling proportionate use of solutions like cloud services.
- External Entities Processing: Clear distinctions are made between CERN as a controller and as a processor, aligning with GDPR principles.
- Grievances: Specific terminology is introduced for non-compliant processing directly affecting individuals, improving clarity and reducing complaints.
The Future of Data Privacy in Scientific Research
CERN’s revision of OC 11 isn’t an isolated event. It reflects a broader trend within the scientific community towards greater data privacy and security. As research becomes increasingly data-intensive and collaborative, organizations are recognizing the need for robust frameworks to protect sensitive information. The emphasis on GDPR alignment suggests a growing understanding that data privacy is not just a legal requirement, but a fundamental ethical obligation.
The move towards risk-based DPIAs and proportionate breach notification processes also indicates a shift towards more pragmatic and efficient data protection practices. This is particularly important in large, complex organizations like CERN, where overly burdensome regulations can stifle innovation.
Upcoming Information Sessions and Resources
To support understanding and implementation, the ODP will host information sessions in English (February 19, 2026) and French. Factsheets and slides from these sessions will be made available. Individuals and services can contact the ODP directly by email with questions.
Frequently Asked Questions
Q: What is OC 11?
A: Operational Circular No. 11 is CERN’s internal data protection framework, governing the processing of personal data.
Q: When did the revised OC 11 come into effect?
A: February 1, 2026.
Q: What is the role of the ODP?
A: The Office of Data Privacy provides guidance and support on data protection matters at CERN.
Q: Does this revision affect external partners working with CERN?
A: Yes, the clarified responsibilities for external data transfers and processing by external entities will impact how CERN collaborates with partners.
Q: Where can I find more information about the revision?
A: Visit the CERN news page for details.
Did you know? CERN jointly organized an informative session on cloud sovereignty with ESA, EMBL, EPO, and ESO on January 26, 2026, to mark Data Protection Day.