The legal framework


The law in Switzerland

A federal law and cantonal laws

In Switzerland, data protection laws are administered in accordance with the principle of subsidiarity: the federal law (nLPD) covers the private sector and the federal public administration. Cantonal public administrations and the entities that depend on them are governed by cantonal data protection law.

For the administration of the Canton of Vaud and the University of Lausanne, it is the Canton of Vaud's data protection law (LPrD) that applies.

A large part of university research in Switzerland is therefore governed by cantonal data protection laws. 

The data protection law of the canton of Vaud (LPrD)

The Personal Data Protection Act (LPrD) of the Canton of Vaud was adopted by the Vaud Grand Council on 11 September 2007 and was last updated on 1 October 2018.

As a legal person to which the canton has entrusted public tasks, and in the performance of those tasks, the University of Lausanne is subject to the LPrD.

The LPrD does not apply to civil, criminal or administrative proceedings, nor to personal data processed under the federal law on intelligence or under article 2, paragraph 1 of the law on judicial police files.

The Federal Data Protection Act (nLPD)

The Federal Data Protection Act (nLPD) was passed by the Swiss Parliament in autumn 2020 and entered into force on 1 September 2023. The purpose of this law is to better protect the personal data of Swiss citizens and to improve the way this data is processed.

The nLPD introduces the following eight major changes for businesses.

  1. Only the data of natural persons are now covered, and no longer that of legal entities.
  2. Genetic and biomedical data are included in the definition of sensitive data.
  3. The principles of "Privacy by Design" and "Privacy by Default" are introduced. As its name suggests, "Privacy by Design" requires developers to build the protection of users' privacy into the very structure of the product or service that collects personal data. "Privacy by Default" (data protection by default) ensures the highest level of protection from the moment the product or service is put into circulation: without any intervention from users, all the necessary measures are taken to protect data and restrict its use. In other words, all software, hardware and services must be configured by default to protect data and respect users' privacy.
  4. Data protection impact assessments (AIPD) must be carried out where the processing presents a risk to the personality or fundamental rights of the individuals concerned.
  5. The duty to inform is extended: the collection of all personal data, and not just so-called sensitive data, must give rise to prior information of the data subject.
  6. Keeping a register of processing activities becomes mandatory. However, the implementing ordinance provides for an exemption for SMEs whose data processing presents a limited risk of harm to the personality of the individuals concerned.
  7. Breaches of data security must be reported promptly to the Federal Data Protection and Information Commissioner (FDPIC).
  8. The concept of profiling (i.e. the automated processing of personal data) makes its entry into the law.

The University of Lausanne is subject to the Canton of Vaud's Data Protection Act (LPrD).

The law in the European Union (GDPR)

The General Data Protection Regulation (GDPR) is a regulation that harmonises national data protection laws within the European Union (EU) and strengthens the protection of all EU residents with regard to the confidentiality of their personal data. It entered into force on 25 May 2018.

The GDPR applies to all companies that process the personal data of EU citizens, whether or not they are located in the EU.

It also introduces new rights for the individuals concerned. Companies must comply with this regulation and respect the new obligations associated with it.

The GDPR covers only the data of natural persons and no longer that of legal persons. Genetic and biometric data are considered to be sensitive data. The GDPR also introduces the principles of "Privacy by Design" and "Privacy by Default" to ensure that data is protected by design and by default.

The GDPR at the University of Lausanne

The GDPR applies to the processing of personal data carried out by an organisation that has no establishment in the European Union in only two cases:

  1. the offering of goods or services to persons in the EU, whether or not payment is required; or
  2. the monitoring of the behaviour of such persons, insofar as that behaviour takes place within the European Union.

For all other personal data processing activities, the GDPR does not apply to the University of Lausanne.

The DPO can advise you on the application of the GDPR to your data processing operations.

International developments

There are several international laws on data protection. The General Data Protection Regulation (GDPR) is a European law that harmonises national data protection laws within the European Union (EU) and strengthens the protection of all EU residents with regard to the confidentiality of their personal data. The GDPR applies to all companies that process the personal data of EU citizens, whether or not they are located in the EU.

In the United States, there is no single federal data protection law. However, several federal and state laws regulate the protection of personal data, such as the Children's Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).

Other countries around the world, such as China, Brazil, Argentina and Japan, have passed data protection laws, and their number is constantly increasing.

There are also international instruments on data protection, such as the Council of Europe's Convention 108+, which sets out standards for the protection of personal data.

The supervisory authorities

The APDI, the Vaud cantonal authority

In the Canton of Vaud, the cantonal authorities and the entities reporting to them are monitored and advised by the Data Protection and Right to Information Authority (APDI).

The CPD is UNIL's point of contact for relations between the institution and the APDI. 

The FDPIC, the federal supervisory authority

The Federal Data Protection and Information Commissioner - FDPIC - monitors and advises the private sector and federal authorities only. 

The CNIL, the French supervisory authority

The National Commission for Information Technology and Civil Liberties (CNIL) is the supervisory and advisory authority for France. Its website contains a wealth of information and analysis that is a valuable source of inspiration for the application of data protection law in Switzerland.

The EDPB, the EU's coordinating authority

The European Data Protection Board (EDPB) is the coordinating and supervisory authority for the European supervisory authorities.

Its opinions, guidelines, recommendations and best practices are a major source of interpretation of European law. For specialists, reading them is a must.