Personal Data

Personal data is all information relating to an identified or identifiable natural person.

It is not so important what form personal data takes – it may be a sign, a writing, an image, a sound or a combination of these elements.

Personal data is all information relating to an identified or identifiable person.

Personal data is all information relating to an identified or identifiable person.

Examples of directly identifying personal data
first name and last name;
Examples of indirectly identifying personal data
telephone number;
SCIPER number;
AVS number;
location data;
Internet Protocol (IP) address.

Sensitive personal data

This is a sub-category of personal data that requires adequate protection measures. It includes data on:

  1. religious, ideological, political or trade union-related views or activities;
  2. health, the intimate sphere or the racial origin;
  3. genetic data;
  4. biometric data which unequivocally identifies a natural person;
  5. data on administrative or criminal proceedings and sanctions;
  6. social security measures.
Examples of sensitive personal data
medical images;
hospital records;
biological traits and genetic;
membership of a political party information or religious group;
sexual orientation;
criminal records.

Data Subjects

These are the natural persons (individuals) whose data is processed.

Examples of data subjects
EPFL students or employees;
The human participants that take part in the research project.

Data Controller vs Data Processor

Data controller: the private person or federal body that alone or jointly with others decides on the purpose and the means of the processing.

The ‘purpose’ relates to the goal of the processing:

  • why is the data collection needed?

The ‘means’ refers to the essential characteristics of the processing design:

  • what kind of personal data needs to be collected?
  • For how long will the data be stored?
  • To whom will the data be communicated?

An institution/organization can also be a joint controller when together with one or more organizations it jointly determines why and how the personal data should be processed.

As a legal entity, EPFL is responsible for the processing of the personal data that it handles. If it were necessary to choose the one person who best embodies this role, this would clearly be the EPFL President.
The EPFL President may delegate this responsibility to other people within a given circle. For example, for the processing of data belonging to staff, it would be the Director of Human Resources who represents the EPFL President in the role of data controller.

In a research project, the delegated Data controller is the PI (principal investigator).

A data processor processes the data on behalf of the controller. The data processor is an external entity, mostly a service provider. The data processor is not able to change the purpose and the means of the use of the data, it is bound by the instructions it received from the data controller. It cannot use the data for its own purposes.

A research lab is tasked to perform an analysis on data that is provided by another institution (the data controller). It will then return the data (and the results) to that institution.
The duties of the processor towards the controller must be specified in a written contract or agreement.

Another example is an IT service provider.

Processing the data

Processing covers a wide range of operations performed on personal data. In legal terms it means “any operation with personal data, irrespective of the means applied and the procedure, such as the collection, storage, use, revision, disclosure, archiving or destruction of data”.

Example of processing
○ the automatic collection of personal data on the web,
the management of a database,
○ sharing data with a third party,
○ video recording of human participants in a research project,
○ storing IP addresses or MAC addresses,
○ the creation of a mailing list of participants,
○ the anonymization of data, etc

More specific explanations about data processing in research are available on the page Privacy in research in the In Practice section.


What is important when processing personal data is to keep in mind the fundamental principles of the law.

One fundamental right of the Data Protection Laws (FADP and GDPR) is the access right.

In this section we summarize the main legal obligations in processing personal data

Training staff on data protection is one of the key activities of the DPO.