This Privacy Notice aims at informing you about the personal data that EPFL collects and the rights you can assert on the use of your personal data.
We want to be as transparent as possible on the personal data we collect. Our goal is to present to you the EPFL confidentiality rules in a clear and simple way, in order for you to understand which data EPFL processes and for what purpose .
Identity of the Data Controller
EPFL is mainly a Data Controller. Processing is carried out under the Swiss Federal Data Protection Act dated 19 June 1992 (FDA/R.S 235.1) as well as the Regulation (EU) 2016 / 679 of the European parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data (hereinafter “General Data Protection Regulation”, “GDPR”).
EPFL is bound to respect the principles related to data protection. In application of these principles, personal data must :
- be processed lawfully, fairly and in a transparent manner ;
- be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- be accurate ;
- be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures;
- be processed in a manner that ensures appropriate security of the personal data;
- be transfered outside of Switzerland or the European Union only if the recipient State has an adequate level of personal data protection or provide with appropriate safeguards.
In compliance with the data protection Regulation, you have the right to access, question, modify, and rectify all your personal data on file. You also have the right to object to processing of personal data for legitimate reasons as well as a right to object to the use of those data for commercial prospecting in accordance with applicable regulations. On request, you may receive a copy of your personal data and you may amend any personal data which are inaccurate or incomplete. EPFL reserves the right to refuse any abusive request or one which is contrary to the Law.
EPFL’s mandate is to promote the cultural, social and economic development of Switzerland by the training of the new generation of top-tier scientists and professionals and to develop research excellence for the Society and its Economy. EPFL processes personal data in particular in line with its three academic core tasks which are the Education, Research and Innovation, and its supporting services. Processing for archiving purposes, scientific or statistical purposes are exempt from some legal obligations.
For details about the type of data we collect in the scope of the Campus Analytics project, see our project descriptions.
Purpose of the processing
EPFL uses personal data in order to undertake its activities, as described above. We can also use these personal data to communicate with you.
For details about the purpose of the processing in the scope of the Campus Analytics project, see our project descriptions.
Information to users
In compliance with the data protection regulation, EPFL informs you here about how it processes personal data
EPFL advises you in particular of :
- the name of the data controller (in this case, EPFL itself);
- the purpose of the processing (see projects);
- the data recipients (see partners);
- your rights (see Right of Access section below);
- the retention period (see bellow).
Recipients of your personal data are mainly central services or EPFL faculties, as well as some vendors or subcontractors for operational or analytical purposes.
For the purpose of Campus Analytics, the data recipients are either EPFL central services or EPFL research labs that we identify as strategic partners. We do not share your private data with external entities.
EPFL keeps your personal data for no longer than is necessary for the purposes for which the personal data are processed, in accordance with the applicable legislation. Research Data can be retained for 20 years, if they are not anonymised . This period can be extended, if some protective measures have been taken in order to avoid the identification of the data subject (anonymisation, hash…).
EPFL ensures the safety and the security of personal data by implementing enhanced data security through the use of data and logical security resources. We deploy appropriate measures at both the technological and organizational level to protect the stored personal data of our users from unauthorised access, improper use, alteration, unlawful or accidental destruction and accidental loss. These are consistent with the Good Practise and the latest regulations, considering the risks involved, to protect your personal data.
EPFL shares your personal data in compliance with the applicable legislation.
Jurisdiction and applicable law
Swiss Law is applicable. The place of execution and of jurisdiction is at the registered office of EPFL.
For specific information concerning the Campus Analytics project, please contact Dr. Francisco Pinto from the Center for Digital Education (CEDE) at [email protected].