It is not necessary for non-specialists to know every article of the law. What is important when processing personal data is to keep in mind the fundamental principles of the law.
Here is an overview of those principles.
As a federal institution, EPFL must have a legal basis for processing personal data. These legal requirements can sometimes be quite restrictive, and they can come as a surprise to people joining EPFL from the private sector.
Before embarking on a project involving personal data, you should make sure the requisite legal basis exists.
At EPFL, our main legal basis is established in the Swiss Federal Act on the Federal Institutes of Technology (ETH Act). This Act allows for the processing of the personal data of students, employees and research-project participants. Specific EPFL directives have also been drafted (the Lex on Polylex) for personal-data situations that are not covered by the Act. However, if the data to be processed are sensitive, you must ensure the processing is permitted through a formal law or obtain the explicit consent of the identified or identifiable natural person (i.e., the “data subject”).
EPFL’s data protection officer can help you if you have a question.
When collecting personal data, you must inform data subjects of:
- the name of the data controller
- the concerned categories of data
- the purpose of the processing (and “secondary purpose” or further use of data, if applicable)
- the duration of data retention
- the procedure for exercising the rights associated with the data subject
- the name of the Data Protection Officer
- the name of the State or international organization to which the data are transferred (if applicable)
Switzerland’s personal data protection laws are set out in the Federal Act on Data Protection (FADP); those for the EU are given in the General Data Protection Regulation (GDPR). Both regulations include a “research privilege” whereby scientists can use personal data collected in an earlier research project or supplied by a public body, provided that the data are anonymized or pseudonymized. In this case, no further legal justification is needed (such as obtaining consent), since all identifiable information in the data has been removed.
The duty to inform applies not only when data are first collected, but also throughout the life of the data: for example, if there is a change in the purpose of your research project, the type of data collected, the legal basis for collecting data, or the data recipients.
Do you really need all the data you plan to collect and process?
You should collect and process only the necessary data that are directly relevant to the purpose of your processing. This is one of the most important principles in personal data protection.
The data controller is responsible for making sure the data are accurate and complete in light of the original collection and use purpose. EPFL, when serving as a data controller, must correct or destroy any inaccurate or incomplete personal data.
The FADP gives data subjects the right to have any inaccurate personal data corrected.
Data retention is a fundamental element of personal data protection, but one that many organizations find hard to implement and comply with. Here are some questions you should keep in mind when you plan to process personal data:
- How long will you retain the data?
- Do you plan to archive the data?
- Have you established your archiving process?
- Do you plan to delete the data?
- Have you established your deletion process?
You should consider these questions in the design phase of your project.
The FADP requires that data controllers follow the principles of “privacy by design” (data protection through technology design) and “privacy by default” (only data absolutely necessary for a specific purpose are processed, and this is established before data processing starts). Public-sector organizations and businesses should implement these principles right from the planning stage by setting up the appropriate organizational and technical measures.
Privacy by design requires that personal-data processing applications are designed in such a way that data are anonymized or deleted by default.
Privacy by default protects the users of online services who have not looked into the terms of use (or the associated right of objection) of the service in question, since only the personal data that are absolutely necessary for the intended purpose are processed (unless users actively allow further processing of their personal data).
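The principles above (keeping only the data needed for the purpose, pseudonymizing identifiers as the research privilege requires, and deleting data once the retention period ends) can be built into an application from the start. The following is an added illustration, not EPFL code or part of this guidance; the record, the allowed fields and the one-year retention period are constructed assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample input: one raw record as a study application might receive it.
RAW_RECORD = {
    "email": "alice@example.org",
    "name": "Alice Example",
    "birthdate": "1999-04-01",
    "score": 87,
    "cohort": "2024-spring",
}

# Privacy by default: the fields the stated purpose actually needs, nothing more.
ALLOWED_FIELDS = frozenset({"score", "cohort"})
# Hypothetical retention period, decided in the design phase of the project.
RETENTION = timedelta(days=365)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256).

    This is pseudonymization, not anonymization: whoever holds `key` can
    re-identify the subject, so the key must be stored separately from the data.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize(record: dict, allowed: frozenset) -> dict:
    """Keep only the fields that are necessary for the processing purpose."""
    return {k: v for k, v in record.items() if k in allowed}


def ingest(record: dict, key: bytes, now: datetime) -> dict:
    """Build the stored record: pseudonymous id, minimal fields, deletion date."""
    stored = minimize(record, ALLOWED_FIELDS)
    stored["subject_id"] = pseudonymize(record["email"], key)
    stored["delete_after"] = now + RETENTION
    return stored


def purge_expired(store: list, now: datetime) -> list:
    """Deletion process: drop every record whose retention period has ended."""
    return [r for r in store if r["delete_after"] > now]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(ingest(RAW_RECORD, b"demo-key-kept-elsewhere", now))
```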
By “security” here we mean the security of data in both physical (e.g., paper) and digital format.
Security involves setting up the necessary organizational and technical measures to protect the confidentiality, integrity, availability and traceability of data so that an organization can meet its objectives and obligations. Security is not an end in itself, but an indispensable means. It should be planned out with resources that are commensurate with the value of the assets to be protected and with the organization’s legal, regulatory and contractual obligations.
Security measures should be planned out prior to data collection and processing, and should take into account the environment in which the data will be processed. Any partner organizations or subcontractors involved in a project should also be required to implement the measures, where applicable. Your data-security contacts at EPFL are the heads of IT and the IT administrators. Data security is crucial for complying with data protection laws.
On this website you can find information about technical and organizational measures (TOM) to be put in place when processing personal data.