Data Protection Officer

In this page you will understand the role of the Data Protection Officer (DPO) at EPFL.

In this page you will find explanations regarding the Data Protection Officer's role (DPO), in particular how she can help you and what her missions are.

The role of the data protection officer (DPO)

Why a DPO is needed?

  • As federal body, EPFL must designate a data protection officer (DPO) to oversee:
    • compliance with data protection laws and regulations
    • risk-mitigation efforts with regard to non-compliance.
  • When EPFL serves as a data controller1, it must also:
    • take the appropriate measures to protect the personal data
    • demonstrate compliance with legal requirements including when the processing of personal data is subcontracted to third parties as “data processors.”

What does the DPO do?

  • Assists the EPFL community with issues related to personal data protection.
  • Informs and advises the EPFL community of their obligations under the law.
  • Monitors compliance with data protection laws, such as through audits, awareness-raising activities, staff training and more.
  • Coordinates EPFL’s record of processing activities.
  • Advises on data protection impact assessments (DPIAs) and monitors performance.
  • Acts as a contact point for requests from individuals on:
    • how their personal data are processed
    • how to exercise their rights.
  • Cooperates with data protection authorities (DPAs) and acts as a contact point for them (e.g., in the event of a data breach).
  • Presents EPFL’s upper management a yearly report.

What does the DPO not do?

  • The DPO is not personally liable for data protection compliance. This liability falls to EPFL as a data controller. Non-compliance may result in:
    • negative consequences or damage to data subjects
    • damage to EPFL’s image (reputational risk)
    • material legal and/or financial consequences (e.g., fines or the loss of EU research grants).
  • The DPO is not responsible for the protection of all kinds of data (e.g., animal data).
  • The DPO does not implement measures to protect personal data.
    • The DPO advises on the measures to be taken, but implementation is the responsibility of the data controller.

When should the DPO be called on?

  • The DPO should be contacted:
    • Immediately in the event of a data breach (see: How to notify a data breach)
    • Early on in your research or administrative project to help you with the legal requirements. Some projects require researchers or administrarive project managers to conduct a data protection impact assessment (DPIA) before starting, and the DPO can help you with that. The DPO can also advise you on privacy by design – a fundamental principle in data protection that can help you prevent data breaches and manage personal data efficiently.

DPO independence

  • Data controllers cannot give the DPO any instructions for performing the DPO’s tasks.
  • The DPO cannot have any conflicts of interest.

  1.  Data controller : Who sets the purposes for which and the means by which personal data are processed datacontroller-back

Contact us


Chiara Tanteri

dpo (at)

BS 248
Station 4

1015 Lausanne

Access map