Data protection
Data protection means protecting your privacy. Data protection is always a relevant issue when it comes to your personal data. Under the Data Protection Act, personal data refers to information that relates to a specific or identifiable person. Data is considered to be “anonymised” if it cannot be used to identify a person, even when combined with other individual pieces of information. Anonymised data does not fall within the scope of the Data Protection Act.
Purely factual data can also be “sensitive” or confidential and need to be protected. By contrast, the Data Protection Acts (Swiss DPA or EU GDPR) do not apply to factual data.
Personal data and therefore the issue of data protection is relevant at ETH Zurich in a number of areas, for example in research projects and teaching, but also in administrative functions that deal with personal data. There are numerous regulations that govern this topic. The "Compliance Guide" provides an overview in the “Data protection” and “Research involving humans and personal data” sections.
The following principles apply to the processing of personal data:
- Legality: There must be a legal basis for the processing of the personal data or the person concerned must have given their consent;
- Purpose: Personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law;
- Proportionality: Only the amount of data required to fulfil the applicable purpose may be processed – not as much data as is possible;
- Transparency: The relevant persons must be aware that their personal data is being collected and, in particular, must be aware of the purpose for this;
- Accuracy: Anybody processing personal data must ensure that it is accurate;
- Security: Personal data must be protected against loss and unauthorised processing by putting in place appropriate technical and organisational measures.
In this Moodle-Link you can access the "e-learning module on data protection” of the ETH Domain. You want to learn about the correct handling of personal data and thus protecting the constitutional rights of persons and raise your awareness in the matter. Welcome and enjoy!
Explanation on why this module is labelled EPFL and only refers to EPFL offices and EPFL persons: EPFL was the first institution of the ETH Domain to develop such an e-learning for its members in view of the renewal of Swiss privacy laws. ETH Domain has decided that the module explains the cornerstones of handling privacy matters in an attractive manner and that it should therefore be offered to other members in the ETH Domain. To this end, the EPFL module was translated into English to offer it here on ETH Zurich servers without having to design a whole new module. A customised module in German may follow at a later stage. Therefore, when you go through the e-learning, just focus on its material contents. It is generic, no matter in which institution of the ETH Domain you are. Where the module mentions EPFL offices or persons, you must, of course, refer to the respective office or person in your institution.
Please note:
As tracking on this module is not activated, your progress in the module is not saved. Means you have to restart the whole module if you quit before its end.
Terms of use
According to our licence agreement with EPFL as copyright holder, only employees of the institutions of the ETH Domain and the ETH Board are allowed to use the module and only for internal training purposes. You may not make the module available to third parties. Commercial or other use of the EPFL licence is forbidden.
If, as an employee of ETH Zurich, you process personal data as part of your job, you are responsible for complying with the applicable data protection provisions. The most important regulations can be found in the Compliance Guide under “IT security and data protection”.
In particular, you should follow the rules below in your day-to-day work:
- Only process as much personal data as is required to carry out your duties;
- Protect electronic data using a password chosen in line with the IT Services criteria; always keep your password secret and do not pass it on to anyone;
- Keep data, documents and data carriers (e.g. USB sticks, CDs, external hard drives) in a locked location (e.g. locked in an office drawer);
- When leaving your workplace, lock the screen or shut down your computer; lock your office door behind you;
- Do not leave your documents on the printer;
- Keep personal data confidential and be sure that it is only disclosed to authorised persons (in case of doubt, consult your line manager);
- In principle, no personal data should be sent abroad unless the person affected has given their consent.
In research projects, no matter whether they are based solely in Switzerland or are international (e.g. EU projects), the project manager (PM) is responsible for complying with data protection provisions. They must instruct their team members accordingly. This is set out in the “Guidelines for Research Integrity and Good Scientific Practice at ETH Zurich”.
There are various units that can provide you with advice on compliance with data protection provisions → Further assistance can be found here
Whenever possible, anonymised data should be used in (research) projects. If you nevertheless need to process personal data in a (research) project, you should always ask the following questions and be able to answer them with regard to your data management plan. Who is processing what data and for what purpose; for how long; where will it be stored and how will it be protected and when will it be anonymised and destroyed? More information on this can be found in the protected page “Data protection in Research Projects” factsheet.
The Swiss Federal Act on Data Protection (FADP) stipulates that a data protection impact assessment (DPIA) must be carried out if the processing of personal data may entail a high risk to the personality or fundamental rights of the data subject. This DPIA must be carried out before the personal data is actually processed and - if high risks remain despite the measures taken - submitted to the Federal Data Protection Commissioner for review. We have created a protected page factsheet with a checklist for carrying out a DPIA. This explains the procedure and the checklist attempts to ask all relevant questions about personal data processing so that you do not forget any aspect during your project review. The checklist therefore also serves as a general checklist for data protection aspects.
We also provide you with a second form, protected page the actual DPIA form, in which you can record the results of your DPIA.
The European General Data Protection Regulation (GDPR), which also applies to ETH Zurich in individual cases, also stipulates the obligation to carry out a prior data protection impact assessment. This obligation also applies here if the intended processing of personal data poses a high risk to the interests of the data subjects, i.e. a high risk to the personality or fundamental rights of the data subject.
"Data breaches" are breaches of data security of personal data that result in personal data (including pseudonymised data) being inadvertently or unlawfully lost, deleted, destroyed or altered, or disclosed or accessed by unauthorised persons.
Such privacy violations must be reported to the ETH Zurich data protection advisor/DPO if they are likely to result in a high risk to the personality or fundamental rights of the data subjects.
protected page Please use this form for your notification. It is exclusively for ETH Zurich employees.
Data Protection Advisor/DPO of ETH Zurich is Tomislav Mitar (tomislav.mitar@sl.ethz.ch). The Deputy Data Protection Advisor/DPO of ETH Zurich is Ayse Sezer Cansev (ayse.sezer@sl.ethz.ch).
Please submit the completed form to us within 72 hours of the discovery of the data breach. Send the form to the following three addresses: ds@ethz.ch and directly to us: tomislav.mitar@sl.ethz.ch and ayse.sezer@sl.ethz.ch.
Please do not contact the FDPIC yourself. The FDPIC is a supervisory authority. Contact must be made via the legal service or data protection advisor.
Your report does not have to be complete and final in every detail. It is more important to report the big picture quickly to get an initial overview of the incident.
If you, as the person responsible in connection with an incident, are not sure how high the risk to the persons concerned actually is, or if you have not yet been able to make a final risk assessment at the time of reporting, report your preliminary findings to us as they stand. As soon as you have more information, you can submit a supplementary notification to.
Where ETH Zurich processes personal data, it does so primarily in accordance with Swiss data protection legislation. Where applicable, it complies with the EU General Data Protection Regulation (GDPR; Regulation [EU] 2016/679 of April 27, 2016).
As a university not based in the EU, ETH Zurich may fall within the scope of the EU GDPR if it processes personal data of persons resident in the EU, e.g. by offering its educational services to such persons or if its researchers "observe the behavior of data subjects in the EU" as part of scientific projects (surveys, data collection, etc.). For example, its Master's programs and continuing education courses (School for Continuing Education) are also aimed at EU residents. In projects of all kinds, there may be a reference to EU data protection legislation if, for example, contract data processors are used in the EU who must themselves comply with EU legislation.
The obligation to appoint a representative in the EU does not apply to public authorities or bodies. ETH Zurich is an autonomous federal institution under public law with its own legal personality (Article 5 ETH Law; SR 414.110). As a decentralized administrative unit, it is part of the Federal Administration, is under the supervision of the Federal Government and is subject to Swiss law (Art. 2 para. 3 Government and Administration Organization Act, RVOG; SR 172.010).
As such, ETH Zurich is not obliged to appoint a representative in the EU for data protection issues. The point of contact for data protection issues at ETH Zurich is therefore the acting body of ETH Zurich, or - secondarily - the data protection advisor of ETH Zurich in Switzerland (Tomislav Mitar, DPO; ds@ethz.ch).
These units can also assist you with the issue of data protection:
- Legal Office: If you have any general questions relating to data protection, you can contact the Legal Office, in particular Tomislav Mitar.
- IT Services: If you have any questions relating in particular to saving data, data security or archiving, please contact the IT Services department (in particular, the System Services or the Services for Departments).
- Library: Should you have any questions relating to data management, in particular any questions about creating data management plans as well as archiving, the ETH Library can assist you, specifically the Digital Curation Office.
- Ethics Commission of ETH Zurich: Person related research projects which do not fall under the responsibility of the Cantonal Ethics Commission are assessed by the Ethics Commission of ETH Zurich. Should you have any questions in this regard, please contact the office of the Ethics Commission.
- Chief Information Security Officer (CISO): If you have any questions about IT security, please contact Johannes Hadodo. In addition, each academic/service/administrative department has its own Information Security Officer (ISO), who is the point of contact for questions relating to IT security.