Personal data is all information relating to an identified or identifiable natural person.
It is not so important what form personal data takes – it may be a sign, a writing, an image, a sound or a combination of these elements.
- Examples of directly identifying personal data
- ○ first name and last name;
- Examples of indirectly identifying personal data
- ○ telephone number;
○ SCIPER number;
○ AVS number;
○ location data;
○ Internet Protocol (IP) address.
Sensitive personal data
This is a sub-category of personal data that requires adequate protection measures. It includes data on:
- religious, ideological, political or trade union-related views or activities;
- health, the intimate sphere or the racial origin;
- genetic data;
- biometric data which unequivocally identifies a natural person;
- data on administrative or criminal proceedings and sanctions;
- social security measures.
- Examples of sensitive personal data
- ○ fingerprints;
○ medical images;
○ hospital records;
○ biological traits and genetic;
○ membership of a political party information or religious group;
○ sexual orientation;
○ criminal records.
These are the natural persons (individuals) whose data is processed.
- Examples of data subjects
- ○ EPFL students or employees;
○ The human participants that take part in the research project.
Data Controller vs Data Processor
Data controller: the private person or federal body that alone or jointly with others decides on the purpose and the means of the processing.
The ‘purpose’ relates to the goal of the processing:
- why is the data collection needed?
The ‘means’ refers to the essential characteristics of the processing design:
- what kind of personal data needs to be collected?
- For how long will the data be stored?
- To whom will the data be communicated?
An institution/organization can also be a joint controller when together with one or more organizations it jointly determines why and how the personal data should be processed.
- As a legal entity, EPFL is responsible for the processing of the personal data that it handles. If it were necessary to choose the one person who best embodies this role, this would clearly be the EPFL President.
The EPFL President may delegate this responsibility to other people within a given circle. For example, for the processing of data belonging to staff, it would be the Director of Human Resources who represents the EPFL President in the role of data controller.
In a research project, the delegated Data controller is the PI (principal investigator).
A data processor processes the data on behalf of the controller. The data processor is an external entity, mostly a service provider. The data processor is not able to change the purpose and the means of the use of the data, it is bound by the instructions it received from the data controller. It cannot use the data for its own purposes.
- A research lab is tasked to perform an analysis on data that is provided by another institution (the data controller). It will then return the data (and the results) to that institution.
The duties of the processor towards the controller must be specified in a written contract or agreement.
Another example is an IT service provider.
Processing the data
Processing covers a wide range of operations performed on personal data. In legal terms it means “any operation with personal data, irrespective of the means applied and the procedure, such as the collection, storage, use, revision, disclosure, archiving or destruction of data”.
- Example of processing
- ○ the automatic collection of personal data on the web,
○ the management of a database,
○ sharing data with a third party,
○ video recording of human participants in a research project,
○ storing IP addresses or MAC addresses,
○ the creation of a mailing list of participants,
○ the anonymization of data, etc
What is important when processing personal data is to keep in mind the fundamental principles of the law.
One fundamental right of the Data Protection Laws (FADP and GDPR) is the access right.
In this section we summarize the main legal obligations in processing personal data