Definitions

Examples of directly identifying personal data

○ first name and last name;
○ address;
○ photo;
○ voice.

Examples of indirectly identifying personal data

○ telephone number;
○ SCIPER number;
○ AVS number;
○ location data;
○ Internet Protocol (IP) address.

Sensitive personal data

This is a sub-category of personal data that requires adequate protection measures. It includes data on:

1. religious, ideological, political or trade union-related views or activities;
2. health, the intimate sphere or the racial origin;
3. genetic data;
4. biometric data which unequivocally identifies a natural person;
5. data on administrative or criminal proceedings and sanctions;
6. social security measures.

Examples of sensitive personal data

○ fingerprints;
○ medical images;
○ hospital records;
○ biological traits and genetic;
○ membership of a political party information or religious group;
○ sexual orientation;
○ criminal records.

Examples of data subjects

○ EPFL students or employees;
○ The human participants that take part in the research project.

The ‘purpose’ relates to the goal of the processing:

• why is the data collection needed?

The ‘means’ refers to the essential characteristics of the processing design:

• what kind of personal data needs to be collected?
• For how long will the data be stored?
• To whom will the data be communicated?

An institution/organization can also be a joint controller when together with one or more organizations it jointly determines why and how the personal data should be processed.

Example

As a legal entity, EPFL is responsible for the processing of the personal data that it handles. If it were necessary to choose the one person who best embodies this role, this would clearly be the EPFL President.
The EPFL President may delegate this responsibility to other people within a given circle. For example, for the processing of data belonging to staff, it would be the Director of Human Resources who represents the EPFL President in the role of data controller.

In a research project, the delegated Data controller is the PI (principal investigator).

Example

A research lab is tasked to perform an analysis on data that is provided by another institution (the data controller). It will then return the data (and the results) to that institution.
The duties of the processor towards the controller must be specified in a written contract or agreement.

Another example is an IT service provider.

Example of processing

○ the automatic collection of personal data on the web,
○ the management of a database,
○ sharing data with a third party,
○ video recording of human participants in a research project,
○ storing IP addresses or MAC addresses,
○ the creation of a mailing list of participants,
○ the anonymization of data, etc

More specific explanations about data processing in research are available on the page Privacy in research in the In Practice section.