Basic principles
Data protection is intended to protect the personality and fundamental rights of persons who are the subject of data processing. It applies to any processing of information (collection, communication, storage, etc.) that relates to an identified or identifiable person, regardless of the form (written, image, sound or a combination of these elements). Examples of personal data are an IP address, an email address, a SCIPER number, personal work-related notes, the content of a written work, a voice recording or even a person's handwriting. There is a special category of personal data called sensitive data that requires additional protection measures. This includes data on religious, ideological, political or trade-union-related views or activities, data on health, privacy or racial or ethnic origin, genetic data, biometric data that uniquely identify an individual, data on criminal and administrative proceedings or sanctions and data on social security measures.
The right to data protection is a fundamental right enshrined in the Federal Constitution and implemented by the Federal Act on Data Protection. In addition, the European Union's General Data Protection Regulation (GDPR) may, in certain cases, be applicable in Switzerland.
Legally, EPFL is the controller of the personal data it processes. A personal data protection policy has been established at EPFL and is available here.
General principles of data protection
Since EPFL is a public institution, the collection or other processing of data must in principle have a legal basis to be lawful. In certain cases, particularly in the field of research, another legal basis (such as the consent of the data subject) may constitute an adequate basis. At the time of the data collection, the data subject must be informed of the collection, its purposes, his or her rights, the categories of recipients and whether the data will be transferred to third parties and/or outside of Switzerland.
Personal data must be processed for the purpose stated at the time of collection. Only data that are suitable and necessary for the purposes of the processing operation may be processed. Furthermore, there must be a reasonable relationship between the purposes and the means used, and the rights of the data subject must be safeguarded to the greatest extent possible.
Personal data that are found to be inaccurate must be erased or rectified as soon as possible.
The duration of data storage must be limited to that which is strictly necessary to achieve the purpose of the processing, in compliance with the various legal provisions on storage that may apply depending on the nature of the data. As soon as personal data are no longer necessary for the purposes of the processing, they must be destroyed or anonymized.
Data controllers and processors must adequately secure personal data in relation to the risk involved, by using appropriate organizational and technical measures.
The measures must be such as to avoid any breach of data security. These measures include pseudonymization, encryption, the use of passwords or strong authentication, and access authorization limited to persons who have an objective need to access the data in order to perform their duties at EPFL. Physical documents must also be protected. They must be kept under lock and key.
A breach of security of personal data is any breach of security that results in the accidental or unlawful loss, alteration, erasure, destruction or disclosure of, or unauthorized access to, personal data.
Any suspected or actual data breach must be reported immediately to the independent data protection officer (DPO), using the ServiceNow form (authentication required). EPFL is required to notify the Federal Data Protection and Information Commissioner (FDPIC) and, where applicable, the relevant European authorities of any data breach that is likely to pose a high risk to the personality or fundamental rights of the data subject. The Data Protection Officer (DPO) coordinates the notification of the breach in accordance with legal deadlines. The DPO is also responsible for coordinating the communication of the breach to the individuals concerned.
Subject to the lawfulness of such a transfer and in the absence of a valid alternative, personal data may be transferred outside of Switzerland (and outside of the EU if the GDPR applies), provided that certain protective measures are put in place beforehand: standard contractual clauses of the Federal Data Protection Commissioner (or the European Commission if the GDPR applies), or an adequacy decision of the Federal Data Protection Commissioner (or the European Commission if the GDPR applies) regarding the recipient state. Transfers to the United States require special attention due to the risk of surveillance by the US government (additional security measures should be taken).
Data protection features must be embedded in IT systems when they are designed. The controller must implement appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each specific purpose of processing are processed.
This obligation applies to the amount of personal data collected, the extent of processing, the period of data storage and the accessibility of the data. The application of the principle of privacy by design and by default is an important instrument to prevent security breaches of personal data.
When considering a cloud-based solution, particular attention must be paid to the risks and challenges associated with transferring personal data to the servers of a third-party service provider. It is essential to ensure that the duty of professional secrecy (Art. 320 of the Swiss Criminal Code) is not violated. Appropriate technical safeguards, such as encryption, anonymization, or hashing, must also be in place. In 2023, the EPFL Direction decided to require the use of a Cloud Service Evaluation Framework (authentication required), which includes a risk assessment based on compliance with standard legal and technical requirements.
Before launching a new technology or project involving the processing of personal data, a data protection impact assessment (DPIA) must be carried out for any situation where the processing of data creates a high risk to the rights and freedoms of natural persons. DPIA templates are available from the DPO.
The fact that personal data are freely available to the public does not necessarily mean that these data can be used freely. The use of such "public" personal data, in particular for research purposes, requires a data protection analysis. As regards the legal basis for processing, certain exceptions may be raised, for example in the context of research, or if data subjects have already received information about the processing. In general, the controller must carry out a balancing of interests between the effort to inform the data subjects and the possible effects on them. This balancing of interests must be documented and should lead to the implementation of appropriate measures. This may involve making the information publicly available on the controller's website or in a newspaper, or carrying out a DPIA.
Anonymization means processing that irreversibly prevents the re-identification of a person. It involves the removal of any direct or indirect identifiers linked to that person, making re-identification extremely difficult or impossible. It also implies that there are no legal means for the data holder to obtain additional identifying information from a third party. Possible technical means include homomorphic encryption, randomization techniques (noise addition, permutation of values, differential privacy) and generalization techniques (aggregation and k-anonymity, l-diversity). Anonymized data are not subject to data protection law. If anonymization ultimately fails, the data protection law will apply.
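The following is an added illustration of the generalization techniques named above (k-anonymity and l-diversity); it is example code written for this page, not an EPFL tool, and it runs on a small constructed dataset in which age, postcode and sex are the quasi-identifiers and diagnosis is the sensitive attribute. It shows that the raw records are fully identifying (k = 1), that generalization with too narrow an age band still fails the target, and that the checked output is only released once the target is met, since data whose anonymization fails remain personal data.

```python
from collections import defaultdict

# Constructed sample records (not real data): three quasi-identifiers and one sensitive attribute.
RAW = [
    {"age": 31, "zip": "1015", "sex": "F", "diagnosis": "flu"},
    {"age": 34, "zip": "1018", "sex": "F", "diagnosis": "asthma"},
    {"age": 37, "zip": "1012", "sex": "M", "diagnosis": "flu"},
    {"age": 38, "zip": "1007", "sex": "M", "diagnosis": "diabetes"},
    {"age": 42, "zip": "1004", "sex": "F", "diagnosis": "asthma"},
    {"age": 45, "zip": "1003", "sex": "F", "diagnosis": "flu"},
]
QUASI_IDS = ("age", "zip", "sex")
SENSITIVE = "diagnosis"


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Largest k such that every quasi-identifier combination occurs at least k times."""
    return min(len(c) for c in equivalence_classes(records, quasi_ids).values())


def l_diversity(records, quasi_ids=QUASI_IDS, sensitive=SENSITIVE):
    """Distinct l-diversity (simplified form): fewest distinct sensitive values in any class."""
    classes = equivalence_classes(records, quasi_ids).values()
    return min(len({r[sensitive] for r in c}) for c in classes)


def generalize(record, age_band=10, zip_digits=2):
    """Generalization: replace the exact age with a band and truncate the postcode."""
    low = (record["age"] // age_band) * age_band
    out = dict(record)
    out["age"] = f"{low}-{low + age_band - 1}"
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    return out


def anonymize(records, k_required=2, l_required=2, **params):
    """Generalize, then verify; return None when the target is missed (data stay personal data)."""
    out = [generalize(r, **params) for r in records]
    if k_anonymity(out) < k_required or l_diversity(out) < l_required:
        return None
    return out
```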
Any person may ask EPFL whether any data concerns him or her and, if so, to be informed of this personal data, as well as the purpose, the legal basis of the processing, the categories of data processed, the participants in the file and the recipients of the data. The request for access should be sent to [email protected].
Legal basis
- Federal Act on Data Protection (RS 235.1)
- Ordinance to the Federal Act on Data Protection (SR 235.11)
- LEX 1.0.1 "Federal Act on the Federal Institutes of Technology"
- LEX 4.1.0.4 "Ordinance of the ETH Board on the Personnel of the ETH Domain"
- Federal Act on the Promotion of Research and Innovation (LERI) (RS 420.1, Art. 1)
- Act on Research on Human Beings
- General Data Protection Regulation (GDPR) of the European Union
Further information
- Privacy policy
- Federal Data Protection and Information Commissioner (Bern)
- Standard contractual clauses of the Federal Data Protection Commissioner
- EPFL page "document storage"
Contact
Data Protection Officer
Dr. Chiara Tanteri
Phone 021 693 45 31
[email protected]
[email protected]