Data protection

Data protection means protecting your privacy, and it is relevant whenever your personal data is involved. Under the Data Protection Act, personal data is any information that relates to an identified or identifiable person. Data counts as “anonymised” only if it can no longer be used to identify a person, even when combined with other pieces of information (removing names alone is not enough if the remaining attributes still single a person out). Anonymised data does not fall within the scope of the Data Protection Act.

Purely factual data (data without any reference to a person) can also be “sensitive” or confidential and needs to be protected, even though the data protection acts (the Swiss DPA and the EU GDPR) do not apply to it.

Personal data, and therefore data protection, is relevant at ETH Zurich in a number of areas, for example in research projects and teaching, but also in administrative functions that deal with personal data. Numerous regulations govern this topic. The "Compliance Guide" provides an overview in its “Data protection” and “Research involving humans and personal data” sections.


The following principles apply to the processing of personal data:

  • Legality: There must be a legal basis for the processing of the personal data or the person concerned must have given their consent;
  • Purpose: Personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law;
  • Proportionality: Only the amount of data required to fulfil the applicable purpose may be processed – not as much data as is possible;
  • Transparency: The relevant persons must be aware that their personal data is being collected and, in particular, must be aware of the purpose for this;
  • Accuracy: Anybody processing personal data must ensure that it is accurate;
  • Security: Personal data must be protected against loss and unauthorised processing by putting in place appropriate technical and organisational measures.

If, as an employee of ETH Zurich, you process personal data as part of your job, you are responsible for complying with the applicable data protection provisions. The most important regulations can be found in the Compliance Guide under “IT security and data protection”.

In particular, you should follow the rules below in your day-to-day work:

  • Only process as much personal data as is required to carry out your duties;
  • Protect electronic data using a password chosen in line with the IT Services criteria; always keep your password secret and do not pass it on to anyone;
  • Keep data, documents and data carriers (e.g. USB sticks, CDs, external hard drives) in a locked location (e.g. locked in an office drawer);
  • When leaving your workplace, lock the screen or shut down your computer; lock your office door behind you;
  • Do not leave your documents on the printer;
  • Keep personal data confidential and be sure that it is only disclosed to authorised persons (in case of doubt, consult your line manager);
  • In principle, no personal data should be sent abroad unless the person affected has given their consent.

In research projects, no matter whether they are based solely in Switzerland or are international (e.g. EU projects), the project manager (PM) is responsible for complying with data protection provisions and must instruct their team members accordingly. This is set out in the “Guidelines for Research Integrity and Good Scientific Practice at ETH Zurich”.

Various units can advise you on compliance with data protection provisions; they are listed under the contacts at the end of this page.

Whenever possible, anonymised data should be used in (research) projects. If you nevertheless need to process personal data in a (research) project, you should be able to answer the following questions in your data management plan: Who is processing which data, and for what purpose? For how long? Where will the data be stored, and how will it be protected? When will it be anonymised and destroyed? More information can be found in the “Data protection in Research Projects” factsheet (a protected page).
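The definition above sets a high bar: a data set is anonymised only if nobody can identify a person from it, even by combining it with other data. The following added example (illustration only, not ETH Zurich material; all records, names and the 6-digit identifier format are constructed) shows why stripping names is not anonymisation. A research extract that keeps postcode, date of birth and sex is joined to a public list with names, re-identifying every row whose attribute combination is unique; generalising the attributes until each combination is shared by several people stops the join. The last part shows that replacing an identifier by a plain hash is pseudonymisation, not anonymisation, because the original can be recovered by enumerating the identifier space.

```python
"""Added illustration (not ETH Zurich material): a record set is only
anonymised if it cannot be re-identified even in combination with other
data, and a hashed identifier is still personal (pseudonymised) data.
All records below are constructed for the example."""
import hashlib
from collections import Counter

# Constructed research extract: names removed, quasi-identifiers kept.
RESEARCH_EXTRACT = [
    {"zip": "8092", "dob": "1990-03-14", "sex": "F", "diagnosis": "asthma"},
    {"zip": "8092", "dob": "1990-03-14", "sex": "M", "diagnosis": "none"},
    {"zip": "8001", "dob": "1985-07-02", "sex": "F", "diagnosis": "migraine"},
    {"zip": "8001", "dob": "1985-07-02", "sex": "F", "diagnosis": "none"},
]

# Constructed public list (e.g. a club membership register) with names.
PUBLIC_REGISTER = [
    {"name": "A. Example", "zip": "8092", "dob": "1990-03-14", "sex": "F"},
    {"name": "B. Example", "zip": "8092", "dob": "1990-03-14", "sex": "M"},
    {"name": "C. Example", "zip": "8001", "dob": "1985-07-02", "sex": "F"},
    {"name": "D. Example", "zip": "8001", "dob": "1985-07-02", "sex": "F"},
]

QUASI_IDS = ("zip", "dob", "sex")


def quasi_key(rec):
    """The combination of quasi-identifiers an attacker would join on."""
    return tuple(rec[k] for k in QUASI_IDS)


def k_anonymity(records):
    """Size of the smallest group sharing one quasi-identifier combination.
    k == 1 means at least one row is unique, i.e. a person is identifiable."""
    return min(Counter(quasi_key(r) for r in records).values())


def link_records(extract, register):
    """Linkage attack: join the extract to the public register on the
    quasi-identifiers. A row is re-identified when its combination is unique
    in both data sets. Returns {name: diagnosis} for the re-identified rows."""
    extract_counts = Counter(quasi_key(r) for r in extract)
    names_by_key = {}
    for r in register:
        names_by_key.setdefault(quasi_key(r), []).append(r["name"])
    linked = {}
    for r in extract:
        key = quasi_key(r)
        names = names_by_key.get(key, [])
        if extract_counts[key] == 1 and len(names) == 1:
            linked[names[0]] = r["diagnosis"]
    return linked


def generalise(rec):
    """Coarsen the quasi-identifiers (ZIP to two digits, date of birth to the
    year, sex suppressed) so that every row shares its combination with others."""
    return {
        "zip": rec["zip"][:2] + "**",
        "dob": rec["dob"][:4],
        "sex": "*",
        "diagnosis": rec["diagnosis"],
    }


def pseudonymise(identifier):
    """Replace an identifier by its SHA-256 hash. This is pseudonymisation:
    the mapping is fixed, so anyone who can enumerate the identifier space
    (here a constructed 6-digit number) recovers the original."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reverse_pseudonym(pseudonym, id_space):
    """Recover the identifier behind a bare hash by trying every candidate."""
    for candidate in id_space:
        if pseudonymise(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    print("k of raw extract:", k_anonymity(RESEARCH_EXTRACT))
    print("re-identified:", link_records(RESEARCH_EXTRACT, PUBLIC_REGISTER))
    coarse = [generalise(r) for r in RESEARCH_EXTRACT]
    print("k after generalisation:", k_anonymity(coarse))
    print("re-identified after generalisation:", link_records(coarse, PUBLIC_REGISTER))
    hashed = pseudonymise("123456")
    print("recovered from hash:", reverse_pseudonym(hashed, (f"{i:06d}" for i in range(1_000_000))))
```

Keying the hash with a secret (an HMAC whose key is stored separately from the data) defeats the enumeration, but the result is still pseudonymised rather than anonymised data, because whoever holds the key can re-identify the records; such a data set therefore remains personal data and stays within the scope of the data protection rules described on this page.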



The European General Data Protection Regulation (GDPR), which also applies to ETH Zurich in individual cases, stipulates that in the circumstances described here a data protection impact assessment must be carried out before any personal data is processed. This obligation applies if the intended processing poses a significant risk to the interests of the affected persons, i.e. there is a significant risk that their privacy and fundamental rights may be infringed.

The Swiss Federal Act on Data Protection (DPA) has been fully revised; the revised Act, in force since 1 September 2023, likewise requires a data protection impact assessment (Art. 22 DPA) where the intended processing may entail a high risk to the personality or fundamental rights of the data subjects. With reference to the provisions of the GDPR, we have created a factsheet with a checklist (a protected page). It contains answers to as many questions as possible relating to the processing of personal data (so that you do not overlook any aspect when reviewing your project) as well as the process for performing a data protection impact assessment.

"Data breaches" are breaches of data security that result in personal data (including pseudonymised data) being inadvertently or unlawfully lost, deleted, destroyed or altered, or disclosed to or accessed by unauthorised persons.

Such privacy violations must be reported to the ETH Zurich data protection advisor/DPO if they are likely to result in a high risk to the personality or fundamental rights of the data subjects.

Please use the notification form (a protected page, available exclusively to ETH Zurich employees) for your report.

The Data Protection Advisor/DPO of ETH Zurich is Tomislav Mitar. The Deputy Data Protection Advisor/DPO of ETH Zurich is Ayse Sezer Cansev.

Please submit the completed form to us within 72 hours of discovering the data breach. Send the form to the three notification addresses and directly to the Data Protection Advisor and the Deputy.

Please do not contact the FDPIC (Federal Data Protection and Information Commissioner) yourself. The FDPIC is a supervisory authority; contact must be made via the Legal Office or the data protection advisor.

Your report does not have to be complete and final in every detail. It is more important to report the big picture quickly to get an initial overview of the incident.

If you, as the person responsible in connection with an incident, are not sure how high the risk to the persons concerned actually is, or if you have not yet been able to make a final risk assessment at the time of reporting, report your preliminary findings to us as they stand. As soon as you have more information, you can submit a supplementary notification.

Where ETH Zurich processes personal data, it does so primarily in accordance with Swiss data protection legislation. Where applicable, it complies with the EU General Data Protection Regulation (GDPR; Regulation [EU] 2016/679 of April 27, 2016).

As a university not based in the EU, ETH Zurich may fall within the scope of the EU GDPR if it processes personal data of persons resident in the EU, e.g. by offering its educational services to such persons or if its researchers "observe the behavior of data subjects in the EU" as part of scientific projects (surveys, data collection, etc.). For example, its Master's programs and continuing education courses (School for Continuing Education) are also aimed at EU residents. In projects of all kinds, there may be a reference to EU data protection legislation if, for example, contract data processors are used in the EU who must themselves comply with EU legislation.

The obligation to appoint a representative in the EU does not apply to public authorities or bodies. ETH Zurich is an autonomous federal institution under public law with its own legal personality (Article 5 ETH Law; SR 414.110). As a decentralized administrative unit, it is part of the Federal Administration, is under the supervision of the Federal Government and is subject to Swiss law (Art. 2 para. 3 Government and Administration Organization Act, RVOG; SR 172.010).

As such, ETH Zurich is not obliged to appoint a representative in the EU for data protection issues. The point of contact for data protection issues at ETH Zurich is therefore the acting body of ETH Zurich or, secondarily, the data protection advisor of ETH Zurich in Switzerland (Tomislav Mitar, DPO).

These units can also assist you with the issue of data protection:

  • Legal Office: If you have any general questions relating to data protection, you can contact the Legal Office, in particular Tomislav Mitar.
  • IT Services: If you have any questions relating in particular to saving data, data security or archiving, please contact the IT Services department (in particular, the System Services or the Services for Departments). 
  • Library: Should you have any questions relating to data management, in particular any questions about creating data management plans as well as archiving, the ETH Library can assist you, specifically the Digital Curation Office.
  • Ethics Commission of ETH Zurich: Person related research projects which do not fall under the responsibility of the Cantonal Ethics Commission are assessed by the Ethics Commission of ETH Zurich. Should you have any questions in this regard, please contact the office of the Ethics Commission.
  • Chief Information Security Officer (CISO): If you have any questions about IT security, please contact Domenico Salvati. In addition, each academic/service/administrative department has its own Information Security Officer (ISO), who is the point of contact for questions relating to IT security.