Introduction: federal law and cantonal law
Article 13 of the Swiss Federal Constitution states that the privacy of every person must be protected. If personal data is processed, this processing must therefore be in accordance with the applicable provisions of data protection law.
Personal data include, for example, name, address and date of birth, but also technical data that can be clearly assigned to a person and thus make them identifiable (e.g. the IP address).
In addition, some personal data requires special protection, e.g. religious and political worldview, sexual orientation, ethnicity or health data. Special protection is also necessary if the data collected is a compilation of data that allows an assessment of essential aspects of a person's personality (so-called personality profiles).
Depending on the individual research project, different rules and regulations may apply:
- Federal law: the Federal Act on Data Protection (FADP; SR 235.1), which has been in force since July 1, 1993, is applicable to private individuals and federal bodies. Privately conducted research projects that involve personal data are therefore subject to the provisions of the FADP. The same applies to research projects carried out at federal institutions (e.g. ETH, EPFL). A corresponding ordinance (DPO; SR 235.11) regulates the details.
- Cantonal law: The cantonal data protection laws apply to the canton, the municipalities and the communities. Research projects conducted at cantonal institutions (e.g. universities) are therefore subject to cantonal law. The terminology regarding data and data protection may vary from canton to canton (e.g. special personal data vs. data requiring special protection). The text on this website uses the terminology of the federal law.
Practical examples: Applicability of data protection laws to research projects
The following is a brief overview of the applicability of data protection laws to research projects in Switzerland.
- If the research takes place exclusively at a Swiss university, the regulations in cantonal law are applicable. The cantonal law applies to data processing by public bodies of the cantons and municipalities.
- If the research is carried out at a federal institution (e.g. ETH, EPFL), the regulations in the Federal Data Protection Act (FADP) and the respective Ordinance apply.
- If the research is conducted by private individuals, the regulations in the Federal Data Protection Act (FADP) and the FADP Ordinance apply.
- If the research takes place at several universities or if the data are processed (i.e. collected) in several cantons, the cantonal data protection laws of the respective cantons apply.
- In the case of international projects, the cantonal law is applicable if the data processing takes place in the respective canton, or the federal data protection law is applicable if the research is conducted privately or at a federal institution. In addition, the data protection law at the foreign research location is also applicable. If you process personal data of EU persons or monitor the online behavior of users located in the EU, the GDPR is applicable.
Swiss FADP under revision
The Federal Act on Data Protection is currently under revision and was adopted by the Swiss Parliament on September 25, 2020. The revision of the law became necessary due to the introduction of the General Data Protection Regulation (GDPR) in the surrounding EU/EEA countries. The new FADP will enter into force on September 1st, 2023 and is largely based on the European General Data Protection Regulation (GDPR).
New to the FADP are an increased transparency in information about data processing, the strengthening of the rights of data subjects and of the data protection authority, as well as the expansion of penalty provisions.
In contrast to the GDPR, the Swiss FADP assumes that the processing of personal data is permissible in principle. Additional justification, e.g. consent of the data subject, is required only in special cases, e.g. when sensitive personal data are involved. With the new FADP, the provision on sensitive data also includes genetic and biometric data.
Explicit consent is also required in the case of so-called profiling with a high risk to the personality or fundamental rights of the data subject or in the case of profiling by a federal body. Profiling is a novelty of the new FADP and is understood as automated processing of personal data.
Another novelty to the new data protection regime is the personal criminal liability (fine of up to CHF 250,000) in the event of a data protection violation. Here, Swiss law goes further than its European counterpart, as the GDPR only recognizes corporate criminal liability.
To what extent the new FADP will have an impact on the cantonal data protection laws, which apply to the vast majority of research projects in Switzerland, remains to be seen.
Requirements for processing personal data
In Switzerland, research with personal data is possible if certain conditions are met and the necessary precautions are taken. Below is a summary of the requirements for processing personal data as defined in Articles 4 and 5 of the Swiss FADP and Articles 5 and 6 of the GDPR. For research projects at universities, the respective cantonal law is applicable. However, cantonal law generally refers to the same principles.
- Lawfulness: The processing of personal data takes place either based on a legal regulation and/or with the consent of the data subject, or based on an overriding legitimate interest of the processor.
- Purpose: Data processing must always be carried out for a specific purpose.
- Adequacy: Data processing must be necessary to fulfill the intended purpose and proportionate with regard to the invasion of privacy. Data processing must only be carried out for the intended purpose and must not go beyond it.
- Integrity: Anyone processing personal data must ensure that the data is accurate.
- Recognizability of data processing: It must be recognizable to the data subject that personal data concerning him or her are being collected and processed.
- Transparency: Data subjects must be adequately informed about their data being processed so that they can understand what is being done with their data and for what purpose. Data subjects also have the right to request information about their data at any time and without providing reasons.
- Data security: Data processing must meet technical and organizational security requirements.
The processing of personal data for public research is subject to these general rules. Public research with personal questions is permitted without a special legal basis if ...
- the research data is not personal,
- the data are anonymized or pseudonymized as soon as the research purpose permits, and
- publications based on the data do not allow any conclusions to be drawn about the persons concerned.
Please note: Anonymized data are not subject to data protection laws. Pseudonymized data, on the other hand, are data that can still be linked to a specific person by using a key. Hence, pseudonymized data in combination with the key are subject to data privacy laws. Consequently, only anonymized but not pseudonymized data can be published in an openly accessible way. Pseudonymized data ought to be protected accordingly by granting access to the key and the raw data only to authorized parties. Furthermore, if possible and in accordance with the guidelines of the research institution, deleting the key and the raw data once the research project has come to an end should be considered.
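The separation of pseudonymized data and key described above can be sketched as follows. This is an added example, not part of the original guidance; the field names, the `P-` pseudonym format and the sample records are constructed assumptions.

```python
import secrets

# Constructed sample records (not real persons); field names are assumptions.
RAW = [
    {"name": "Anna Muster", "birth_date": "1990-04-12", "ip": "192.0.2.10", "score": 17},
    {"name": "Beat Beispiel", "birth_date": "1985-11-03", "ip": "192.0.2.22", "score": 23},
    {"name": "Anna Muster", "birth_date": "1990-04-12", "ip": "192.0.2.10", "score": 19},
]
DIRECT_IDENTIFIERS = ("name", "birth_date", "ip")


def pseudonymize(records, identifiers=DIRECT_IDENTIFIERS):
    """Split records into (research_rows, key_table).

    research_rows carry a random pseudonym instead of the identifiers.
    key_table maps pseudonym -> identifiers; it is the "key" and must be
    stored separately, readable only by authorized parties.
    """
    key_table = {}    # pseudonym -> identifying fields
    by_identity = {}  # identity -> pseudonym, so one person keeps one pseudonym
    research_rows = []
    for rec in records:
        identity = tuple(rec[f] for f in identifiers)
        pid = by_identity.get(identity)
        if pid is None:
            # Random rather than derived from the identity: it cannot be
            # recomputed from a list of candidate names.
            pid = "P-" + secrets.token_hex(8)
            by_identity[identity] = pid
            key_table[pid] = dict(zip(identifiers, identity))
        row = {k: v for k, v in rec.items() if k not in identifiers}
        row["pid"] = pid
        research_rows.append(row)
    return research_rows, key_table


def reidentify(row, key_table):
    """Link a research row back to a person; raises KeyError without the key."""
    return key_table[row["pid"]]


def leaks_identifier(rows, identifiers=DIRECT_IDENTIFIERS):
    """True if any row still contains a direct-identifier field."""
    return any(f in row for row in rows for f in identifiers)


if __name__ == "__main__":
    rows, key = pseudonymize(RAW)
    print(rows)                      # working data set for analysis
    print(reidentify(rows[0], key))  # only possible with the key table
```

Removing the direct identifiers is only the pseudonymization step; whether the remaining fields could still single out a person has to be assessed separately before anything is published.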
Practical implications of data privacy regulations
Implementing legal requirements in research projects
To help research staff implement the legal provisions in their individual research projects, many cantons require them to formally assess whether the IT systems they use are secure and how the protection of personal data is ensured. This applies to all projects using digital instruments and tools to collect, transmit, and process personal data and other sensitive information. This includes, for example, electronic lab notebooks, applications such as Qualtrics, LimeSurvey, Redcap, and computing environments where software such as Matlab, Nvivo, SPSS, etc. is deployed. The aim is to ensure that every project that processes personal data using electronic devices complies with the respective data protection and information security laws and regulations (in German, ISDS = Informationsschutz und Datensicherheit). In particularly sensitive cases, dedicated security concepts must be established and submitted to the supervisory authorities for inspection. (Cf. for example for the Canton of Bern KDSG, Art. 17a.)
Researchers working with personal data should therefore reach out to institutional legal and IT support, as well as to the respective data protection authorities at an early stage to find out about the respective data protection and information security (ISDS) regulations and how to comply with them.
Data protection in everyday research - Protection of personal data in technical terms
Due to data protection regulations, personal data require greater protection than other data. In this context, more stringent requirements are placed on the technical tools used to store and process personal data. From a technical point of view, the data must be adequately protected, e.g. against access by third parties. This means, in particular, that a storage medium must be selected that takes the required security aspects into account.
- Network of the participating institution: It is recommended to store the data in the network of the education institution where the data are collected and processed. Depending on the design of the research project, the data are stored in a project folder to which several people have access or in a personal folder and technically secured by the institutional IT services. In the case of particularly sensitive data or large amounts of data, any special requirements for the technical infrastructure should be clarified with the IT services of the respective institution before the research project begins.
- Cloud: Researchers working collaboratively on a project at different institutions sometimes require a cloud solution in order to be able to make the data available to each other as quickly as possible during the project. The use of a cloud solution is unproblematic for non-personal data. With personal data, greater caution is required to ensure data protection: The more sensitive the data, the higher the requirements for the cloud solution to be used.
For particularly sensitive personal data, the use of a cloud solution should ideally be avoided altogether. In case a cloud solution is necessary to store and share personal data during collaborative research projects, a cloud solution hosted in Switzerland (e.g. SWITCHdrive) is recommended. In any case, the selected cloud solution should store data in a country that provides at least the same level of data protection as Switzerland, e.g. a cloud solution in a member state of the EU. The Federal Data Protection and Information Commissioner provides a list of countries whose level of data protection is deemed equivalent to Switzerland. The use of U.S.-based cloud providers like Google, Microsoft or Dropbox should be avoided. Furthermore, it is recommended to encrypt any personal data before it is stored and shared on a cloud.
- Mobile devices: Mobile devices (e.g. notebook, tablet or smartphone) are particularly suitable for rapid data processing during the research project. If personal data is processed, the mobile devices must be adequately protected against unauthorized access by third parties (e.g., by password protection). Data collection with smartphones should be avoided because the data is usually uploaded to a U.S. cloud immediately after collection (e.g., in the case of audio or video recordings of interviews). If personal data is nevertheless stored on the smartphone, it must be deleted from the respective device as soon as possible after data collection.
Data protection law in Switzerland
When collecting, using, processing, storing and publishing data, ethical and legal principles and standards must be observed, which in many cases require special handling of the research data.
Article 13 of the Swiss Federal Constitution stipulates that the privacy of every person must be protected. If personal data are processed, this processing must therefore comply with the applicable data protection provisions. Depending on the research project and the institution involved, federal or cantonal data protection law applies. In addition, there are institutional guidelines that define the handling of personal research data in more detail.