Personal data is important for research. It is important to recall the rules which apply to ensure a fair balance between the interests of the research and the rights of those whose data is processed (the data subjects). The following explanations are intended to provide both researchers and federal bodies that may need to process personal data for a research project with the information required to comply with data protection requirements.
This section is intended for private researchers or researchers working on behalf of a federal body, as well as for federal bodies that carry out research themselves, commission third parties to do so or that pass on personal data to researchers. In principle, data processing by cantonal or communal public bodies, such as universities (with the exception of the Federal Institutes of Technology) and cantonal, university, regional and communal hospitals, falls within the competence of the cantonal or communal data protection authorities and is not covered by the following explanations.
Furthermore, the Federal Act on Data Protection (FADP) does not apply to processing anonymised data if re-identification by a third party is impossible (the data has been completely and permanently anonymised) or would require so much effort that no interested party will attempt it. However, it should be borne in mind that technological progress nowadays makes it possible to process large quantities of data and to allow for numerous cross-checks between them, so that ultimately the processed data are not or are inadequately anonymised. In addition, in the light of technological developments, a data subject who is today considered anonymous may tomorrow be identified without great difficulty.
The FADP contains two specific provisions concerning the processing of personal data for research purposes; one for the private sector (Art. 31 para. 2 let. e FADP) and the other for federal bodies (Art. 39 FADP).
The reason for processing the personal data must not be related to the person whose data is processed. This means that the identity of the person whose data is processed is irrelevant for the data processing and that anonymised or at least pseudonymised data could just as well be used to achieve the same goal. Both private individuals and federal bodies benefit from the data protection conditions set out in these two provisions. It should be noted that these provisions do not cover research that focuses on individuals (e.g. research by historians and genealogists).
The data must therefore be anonymised as soon as the purpose of the processing allows and the results of the research are published in a form that does not allow the identification of the data subjects. Sharing personal data with third parties is carried out in a form that does not allow the data subject to be identified. Recipients of data from a federal body may only disclose that data to third parties with the consent of the federal body concerned.
If the federal bodies themselves intend to process personal data in the context of their own research projects in a way that goes beyond what is permitted by Article 39 FADP, in accordance with Article 34 FADP, they must do on the basis of legal provisions that allow them to process personal data for research purposes (e.g. Research and Innovation Promotion Act, ETH Act, etc.).
Requirements to be observed
Each case must be considered in its own research context and according to its own specifics. The researcher, as the person responsible for data protection, must comply with the following points in particular when processing personal data as part of their research project:
Researchers must give priority to the use of anonymised data if the project allows this, i.e. it must be impossible to attribute data to an identified or identifiable person or the effort to do so must be disproportionate.If the type or purpose of the research does not allow working with anonymised data - because, for example, it is necessary to contact the persons concerned at regular intervals - then researchers must code or encrypt the data (pseudonymised data). The data must be anonymised as soon as possible and the results of the research must be published in a form that does not allow for the identification of the persons concerned.
Duty to inform and seek consent
In cases where participation in a research project is optional, the data subject must consent to the processing of their data and has at least the right to object (for medical research, consult the chap. Human research).In order to give valid consent, the data subject must be fully and objectively informed about the proposed data processing in advance. The information given must be transparent, understandable and easily accessible. There are certain exceptions to these requirements.
Impact assessment on the protection of personal data
If the processing operation is likely to result in a high risk to the data subject's personality rights or fundamental rights, e.g. if the processing operation involves a large volume of sensitive data or cross-referencing of data, as may occur in the context of medical research projects, the data controller (university, research centre, private company, etc.) must first carry out a personal data protection impact assessment in accordance with Article 22 FADP. Exceptions are possible.
Reporting data security breaches
The data controller must notify the FDPIC as soon as possible of any data security breach that is likely to pose a high risk to the data subject's personality rights or fundamental rights, and must also inform the data subject if this is necessary for his or her protection.
Register of processing activities
The obligation to keep a register of processing activities and to declare it to the FDPIC applies to both private researchers and federal bodies (Art. 12 FADP) (link to the declaration form).
It goes without saying that the principles and other provisions of the FADP (e.g. on security, disclosure of personal data abroad, rights of data subjects, outsourcing, etc.) are also applicable to research activities.
Last modification 26.07.2023