The main purpose of the data protection laws is to protect the rights and freedom of individuals. The FADP and GDPR provide many rights. You have the right to receive a copy of your Personal Data and you may request the correction of any Personal Data which is inaccurate or incomplete. You also have the right to object to the processing of your Personal Data for legitimate reasons as well as a right to object to the use of those data for prospecting in accordance with applicable laws. When the processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. EPFL reserves the right to refuse any abusive request or one which is contrary to applicable laws. Finally, you have the right to lodge a complaint with the relevant supervisory authority.
On this page we analyze the right to information in detail.
What is the Right to information?
Mary, a 1st year Bachelor student in Communication Systems, would like to know what personal data EPFL processes about her and receive a copy of it.
Paul, former administrative employee of the EPFL financial service, who resigned 4 years ago, requests a copy of his personal data that EPFL processed during his employment at the School.
In the above examples, EPFL has an obligation to provide a copy of the personal data to Mary and Paul. Their right to information is perfectly legitimate.
The right to information is a key institution of data protection.
“The right to information is a prerogative of the right to self-determination in data processing, because only the person who is aware of the data that are processed on his account can have them rectified, destroyed or contest their accuracy and thus effectively protect his personality”, M. Mayor.
The legal requirements in Switzerland for the right to information are set out in Art. 25 new FADP. The updated version will strengthen this right relative to the existing version. They have the advantage of being similar to Article 15 of the GDPR.
1 Any person may request information from the controller on whether personal data relating to them is being processed.
2 The data subject shall receive the following information:
a the identity and contact details of the controller;
b the processed personal data as such;
c the purpose of the processing;
d the duration of the personal data storage or, if this is not possible, the criteria for determining this period;
e the available information about the source of the personal data, if it has not been collected from the data subject;
f if applicable, whether an automated individual decision has been taken and the logic behind the decision;
g if applicable, the recipients or categories of recipients to whom personal data are communicated.
3 The data subject may consent to having personal data relating to their health communicated by a health professional of their choice.
4 If the controller arranges for personal data to be processed by a processor, it remains under a duty to provide information.
5 No one may waive their right to information in advance.
6 The controller must provide information free of charge. The Federal Council may provide for exceptions, in particular if the effort required is disproportionate.
7 The information shall in general be provided within 30 days.
Individual requests form
If you are an EPFL community member, click here to send us your request (under authentication).
As an external person, send an email to dpo (at) epfl.ch.
The exercise of the right to information is personal. You cannot exercise your access right on behalf of someone else.
In general, no, but in very special cases (large volume of data or manual work) the data controller may ask for a fee.
The right to information must serve the protection of personality. The request can be refused if it is abusive.
“An abuse of right exists when the exercise of the right by the holder does not respond to any interest worthy of protection, when it is purely quibbling or, when, in the circumstances in which it is exercised, the right is put in the service of interests which do not correspond to those which the rule is intended to protect”, M. Mayor.
No, once a request has been received by the Data Controller, the latter is no longer entitled to modify (or delete) the data concerning the applicant. Once a response has been provided, data that is no longer needed for processing can be deleted. As evidence, it may be justified to wait for a possible response from the applicant.
This example should encourage us to delete data as soon as it is no longer required for processing and therefore to regularly analyze the data we manage to ensure that the retention periods are respected. One way to achieve this is to apply the principle of privacy by design.
No, personal notes do not fall under the application of the law, but it is important to understand the notion of personal notes. These are notes that I keep in my personal notebook and that I do not share with other people.
Some general definitions about personal data, data controller, etc.
What is important when processing personal data is to keep in mind the fundamental principles of the law.
In this section we summarize the main legal obligations in processing personal data.