Zenodo is hosted at CERN and subject to CERN's special legal status as an Intergovernmental Organization (IGO) and thus enjoys certain privileges and immunities under international law. Processing of personal data at CERN is governed by CERN's Operational Circular 11 (OC11) that offers data protection at the same high standards and is comparable to GDPR and FADP. Hence, CERN processes personal data solely in accordance with its internal legislation. CERN’s data privacy framework builds on principles established in its Member States and more generally the European Union, which are implemented through technical and organizational measures.
Further information is available on:
- Zenodo privacy policy: https://about.zenodo.org/privacy-policy/
- CERN's legal status: https://about.zenodo.org/infrastructure/
- Privacy at CERN : https://privacy.web.cern.ch
- Operational Circular 11: https://cds.cern.ch/record/2651311
Above links details how to exercise your rights as a data subject.
CERN is in this respect similar to EU institutions like the European Commission. GDPR only applies to EU member states, and not EU institutions themselves who have their own legal framework (Regulation 2018/1725) because they don't operate under EU member state laws. Regulation 2018/1725 is naturally aligned with GDPR, similar to that CERN's Operational Circular 11 is aligned with GDPR and FADP.