EPFL’s obligation

In this section we summarize the main legal obligations in processing personal data.

Keeping a Record of Data processing activities

EPFL must keep a register of its personal data processing activities, that shall contain at least the following information : 

  1. the identity of the controller
  2. the purpose of the processing
  3. a description of the categories of data subjects and the categories of personal data processed
  4. the categories of recipients;
  5. as far as possible, the time limit for storing personal data or the criteria for determining the storage period;
  6. as far as possible, a general description of the measures to ensure data security ;
  7. in the case of disclosure of personal data abroad, the name of the State concerned and the applicable guarantees.

The DPO coordinates the EPFL Record of data processing activities.

Please contact her for declaring the personal data processing you are responsible for.

Note that this is an obligation (Art. 12 FADP), applicable to administrative and research data processing activities.

Notifying data protection authorities of a data breach

In the event of a Data Breach1 EPFL’s data protection officer will form a crisis unit, and communication will be handled by a Mediacom spokesperson. 

The unit will review the relevant legal requirements (e.g., whether the data protection authorities and/or people involved need to be notified of the breach and, if so, how), determine what technical measures should be taken, and outline an optimal communication strategy for stakeholders within EPFL and outside our School. 

The GDPR requires EPFL to notify the relevant EU body within 72 hours of a data breach. Any delay can lead to serious consequences for our School. 

Under the updated FADP (unlike with the old version), we will be required to notify the Swiss Federal Data Protection and Information Commissioner within a similar timeframe.

Data breach crisis unit composition [PDF]

Informing data subjects

EPFL has published a Privacy Policy informing how it may process your personal data and the rights to which you are entitled. This Privacy Policy provide general information applicable in most situations and may be supplemented with more specific notices or regulations whenever applicable.

Taking technical and organizational measures (TOM)

One of EPFL’s obligations as a data controller is to take adequate technical and organizational measures to protect the personal data it processes, primarily to prevent data breaches.

When EPFL delegates processing to a data processor, it must ensure that the latter takes adequate measures to protect the data it processes on behalf of EPFL, by giving the subcontractor precise instructions and by carrying out audits.

But first of all: what is a technical or an organizational measure? When should these measures be implemented? How far should we go in implementing these measures?

Examples of technical measures
  • Authentication (user ID/password or double factor authentication)
  • Access rights management
  • Pseudonymization and anonymization
  • Encryption
  • Logging
  • Workspace, servers and Website security
  • Backup of data
Examples of organizational measures
  • Employee awareness and training
  • Documentation (of procedures, instructions, guidelines,…)
  • Contractual clauses (e.g. controlling outsourcing)
  • Performing controls and audits
Available guidelines
  • The FDPIC has published a guide on the technical and organizational measures to be put in place when processing personal data
  • The EPFL IT Security has developed best practices to be adopted when processing personal data (authentication required)
  • The DPO has elaborated templates of Data Processing Agreements to be attached to your contracts. In addition, the DPO has taken over the EU Standard Contractual Clauses recognized by the FDPIC as well as the Questionnaire to be attached in case of outsourcing to the USA. In view of the variety of situations that may arise and the complexity of transfers abroad, when you need to draw up specific data protection clauses, you can contact the DPO and/or the research legal affairs department (in the case of a research project).
When should these measures be implemented?

As early as the design stage of the processing, the question of what technical and organizational measures to put in place must be considered (principle of privacy by design and by default).

In case of a data breach, technical and/or organizational measures shall also be taken to limit the impact of the breach, respectively to prevent a similar problem from occurring in the future.

The implementation of protection measures can vary over time because often it is the needs that change with time. It is essential to adapt these measures throughout the data life cycle.

How far should we go in implementing these

EPFL, as data controller, takes the necessary technical and organizational measures to guarantee the security of the personal data processed, taking into account the state of the art, the costs generated by these measures, the purposes and risks of the processing.

An analysis of all these factors must be undertaken in each situation. 

  1.   Data breach : A data breach is any breach of security that results in the accidental or unlawful loss, alteration, deletion, destruction, disclosure or unauthorized access of personal data.


Some general definitions about personnal data, data controller, etc.

What is important when processing personal data is to keep in mind the fundamental principles of the law.

One fundamental right of the Data Protection Laws (FADP and GDPR) is the access right.

Training staff on data protection is one of the key activities of the DPO.