Protection of data privacy in Switzerland
Legal and ethical principles and standards must be complied with when collecting, using, processing, storing and publishing data. These principles and standards often require special handling of the research data.
The following information is not legally binding. It serves only as an overview of the current legal situation in Switzerland with regard to research data management. Information on European law (in particular the GDPR) can be found in the "rights and obligations" section (German only).
Introduction
Article 13 of the Swiss Federal Constitution states that the privacy of every person must be protected. If personal data is processed, this processing must therefore be in accordance with the applicable provisions of data protection law.
Personal data include, for example, name, address and date of birth, but also technical data that can be clearly assigned to a person and thus make them identifiable (e.g. the IP address).
In addition, some personal data requires special protection, e.g. religious and political worldview, sexual orientation, ethnicity or health data. Special protection is also necessary if the data collected is a compilation of data that allows an assessment of essential aspects of a person's personality (so-called personality profiles).
Which law is applicable?
The Federal Act on Data Protection (FADP; SR 235.1) is applicable to private individuals and federal bodies. Privately conducted research projects that involve personal data are therefore subject to the provisions of the FADP. The same applies to research projects carried out at federal institutions (e.g. ETH, EPFL). A corresponding ordinance (DPO; SR 235.11) regulates the details.
The Federal Act on Data Protection was revised and entered into force on September 1st, 2023 and aimed at alignment with the European General Data Protection Regulation (GDPR).The main changes introduced by the revision of this law can be found here.
Since the FADP applies to federal institutions (e.g. ETH, EPFL), these changes primarily impact activities at these institutions. For cantonal institutions, the respective cantonal data protection laws are mainly applicable. For example, although the revised FADP mainly focuses on protecting natural persons, cantonal institutions are further required to protect both natural and legal person, if the respective cantonal law mandates it.
Please note that in cases of collaboration, the changes introduced by the revision of the FDAP may also impact cantonal institutions (for further details, see 'Practical examples: Applicability of data protection laws to research projects')
The scope of the cantonal data protection laws are the canton, the municipalities and the communities. Research projects conducted at cantonal institutions (e.g. universities) are therefore subject to cantonal law. The terminology regarding data and data protection may vary from canton to canton (e.g. special personal data vs. data requiring special protection). The text on this website uses the terminology of the federal law.
Practical examples: Applicability of data protection laws to research projects
The following is a brief overview of the applicability of data protection laws to research projects in Switzerland.
- If the research takes place exclusively at a Swiss university, the regulations in cantonal law are applicable. The cantonal law applies to data processing by public bodies of the cantons and municipalities.
- If the research is carried out at a federal institution (e.g. ETH, EPFL), the regulations in the Federal Data Protection Act (FADP) and the respective Ordinance apply.
- If the research is conducted by private individuals, the regulations in the Federal Data Protection Act (FADP) and the FADP Ordinance apply.
- If the research takes place at several universities or if the data are processed (i.e. collected) in several cantons, the cantonal data protection laws of the respective cantons apply.
- In the case of international projects, the cantonal law is applicable if the data processing takes place in the respective canton, or the federal data protection law is applicable if the research is conducted privately or at a federal institution. In addition, the data protection law at the foreign research location is also applicable. If you process personal data of EU persons or monitor the online behavior of users located in the EU, the GDPR is applicable.
Requirements for processing personal data
In Switzerland, research with personal data is possible if certain conditions are met and the necessary precautions are being taken. The Federal Act on Data Protection lists the principles for processing personal data in Article 6.
The corresponding regulations of the GDPR can be found in Articles 5 and 6.
For research projects at cantonal universities, the respective cantonal law is applicable. However, cantonal law is generally based on the same principles as federal law.
The processing of personal data for public research is subject to the general rules listed above. Public research with personal questions is permitted without a special legal basis if ...
- the research data is not personal,
- the data are anonymised or pseudonymised as soon as the research purpose permits, and
- publications based on the data do not allow any conclusions to be drawn about the persons concerned.
Data anonymisation & pseudonymisation
Anonymised data are not subject to data protection laws. Pseudonymised data on the other hand, are data that can still be linked to a specific person by using a key. Hence, pseudonymised data in combination with the key are subject to data privacy laws. Consequently only anonymised but not pseudonymised data can be published in an openly accessible way. Pseudonymised data ought to be protected accordingly by only granting access to the key and the raw data to authorized parties. Furthermore, if possible and in accordance with the guidelines of the research institution, it should be considered to delete the key and the raw data once the research project has come to an end.
Practical implications of data privacy regulations
Implementing legal requirements in research projects
To help research staff implementing the legal provisions in their individual research projects, many cantons require them to formally assess if the IT systems they use are secure and how the protection of personal data is ensured. This applies to all projects using digital instruments and tools to collect, transmit, and process personal data and other sensitive information. This includes for example electronic lab notebooks, applications such as Qualtrics, LimeSurvey, Redcap, and computing environments where software such as Matlab, Nvivo, SPSS, etc. are deployed. The aim is to ensure that every project that processes personal data using electronic devices complies with the respective data protection and information security laws and regulations (in German, ISDS = Informationsschutz und Datensicherheit). In particularly sensitive cases, dedicated security concepts must be established and submitted to the supervisory authorities for inspection. (Cf. for example for the Canton of Bern KDSG, Art. 17a.)
Researchers working with personal data should therefore reach out to institutional legal and IT support, as well as to the respective data protection authorities at an early stage to find out about the respective data protection and information security (ISDS) regulations and how to comply with them.
Data protection in everyday research - Protection of personal data in technical terms
Due to data protection regulations, personal data require greater protection than other data. In this context, more stringent requirements are placed on the technical tools used to store and process personal data. From a technical point of view, the data must be adequately protected, e.g. against access by third parties. This means, in particular, that a storage medium must be selected that takes the required security aspects into account:
It is recommended to store the data in the network of the education institution where the data are collected and processed. Depending on the design of the research project, the data are stored in a project folder to which several people have access or in a personal folder and technically secured by the institutional IT services. In the case of particularly sensitive data or large amounts of data, any special requirements for the technical infrastructure should be clarified with the IT services of the respective institution before the research project begins.
Researchers working collaboratively on a project at different institutions sometimes require a cloud solution in order to be able to make the data available to each other as quickly as possible during the project. The use of a cloud solution is unproblematic for non-personal data. With personal data, greater caution is required to ensure data protection: The more sensitive the data, the higher the requirements for the cloud solution to be used.
For particularly sensitive personal data, the use of a cloud solution should ideally be avoided altogether. In case a cloud solution is necessary to store and share personal data during collaborative research projects, a cloud solution hosted in Switzerland (e.g. SWITCHdrive) is recommended. In any case, the selected cloud solution should store data in a country that provides at least the same level of data protection as Switzerland, e.g. a cloud solution in a member state of the EU. The Federal Data Protection and Information Commissioner provides a list of countries whose level of data protection is deemed equivalent to Switzerland. The use of U.S.-based cloud providers like Google, Microsoft or Dropbox should be avoided. Furthermore it is recommended to encrypt any personal data before it is being stored and shared on a cloud.
Mobile devices (e.g. notebook, tablet or smartphone) are particularly suitable for rapid data processing during the research project. If personal data is processed, the mobile devices must be adequately protected against unauthorized access by third parties (e.g., by password protection). Data collection with smartphones should be avoided because the data is usually uploaded to a U.S. cloud immediately after collection (e.g., in the case of audio or video recordings of interviews). If personal data is nevertheless stored on the smartphone, it must be deleted from the respective device as soon as possible after data collection.
Datenschutzrecht in der Schweiz
Bei Erhebung, Verwendung, Bearbeitung, Aufbewahrung und Publikation von Daten sind ethische und rechtliche Grundsätze und Normen zu beachten, die in vielen Fällen einen besonderen Umgang mit den Forschungsdaten verlangen.
In Art. 13 der Schweizerischen Bundesverfassung ist festgelegt, dass die Privatsphäre jeder Person zu schützen ist. Werden Personendaten verarbeitet, muss diese Verarbeitung daher in Einklang mit den geltenden datenschutzrechtlichen Bestimmungen stehen. Je nach Forschungsprojekt bzw. der beteiligten Institution, ist das eidgenössische oder das kantonale Datenschutzrecht massgeblich. Hinzu kommen institutionell Richtlinien, die den Umgang mit personenbezogenen Forschungsdaten genauer definieren.