Controlling your processing


 

Mastering your processing from start to finish

The Data Protection Act protects the individual concerned when personal data relating to them is processed. The law therefore protects the individual, their privacy and their personality. The segregation of this data is only one aspect of the protection required by law.

The organisation that processes personal data bears responsibility for it, from collection to destruction or anonymisation of the data.

The processing must be controlled from end to end. The information below describes all the aspects that need to be mastered to ensure that the processing of personal data complies with the law.

The Register of Processing Activities, a form of 'accounting' record of the processing carried out in an organisation, brings together all the information needed to keep the processing under control.

Required by law, the Register is the cornerstone of maintaining the compliance of personal data processing over time.

The Data Processing Activity Register Form (FRAT)

Limiting a processing activity

A processing activity for personal data must be appraised from start to finish, from the collection of personal data to its destruction or anonymisation.

When the deactivation of a processing activity is problematic, questions about the legal bases, accountability and purpose of the processing can help to deactivate it.

For the sake of readability, a principal processing activity may have sub-processing activities, even if this term is not explicitly mentioned in the law. 

The concept of processing in the law

Processing of personal data is defined as any operation or set of operations, whether or not carried out using automated procedures, applied to personal data, in particular (Article 4 LPrD):

  • collection,
  • registration,
  • organisation,
  • conservation,
  • adaptation or modification,
  • extraction,
  • consultation,
  • dissemination or any other form of making available,
  • approximation or interconnection, as well as
  • locking,
  • erasure or destruction.

Processing activity is not defined in the law.

Two distinct responsibilities

The law recognizes two types of responsibility for data processing: the data controller and the data processor.

A person is the data controller when he/she defines the purposes and means of the processing. At UNIL, the management is the data controller for data processing carried out by the institution.

A person is a processor when he/she processes data according to the instructions of the data controller. The processor is responsible for the proper performance of the processing in accordance with these instructions.

When two entities jointly define the purposes and means of the processing, they are jointly responsible for the processing.

The concept of controller and processor in the law

Controller: natural or legal person, public authority, service or any other body which, alone or jointly with others, determines the content, as well as the purposes of the file (Art. 4 al. 1 ch. 8 LPrD).

Processor: natural or legal person, public authority or any other body that processes personal data on behalf of the controller (Art. 4 al. 1 ch. 9 LPrD).

Further information

  • The European Union's EDPB (European Data Protection Board) guideline 7/2020 is an essential reference and a good starting point for understanding the more detailed definition.
  • When the distinction between "controller", "processor" and "joint controller" is difficult to make, try the checklist from the English data protection authority ICO (Information Commissioner's Office).

A clear and precise purpose

Having a clear and precise purpose for data processing is not only a founding principle of data protection, it also serves to weigh up proportionality. Describing the purpose of personal data processing plays a central role in ensuring compliance with the law.

For research, please see the section on research privilege.

Authorised processing

Any processing of personal data must comply with the principle of legality, and must therefore be authorised by law.

In the public sector, personal data may be processed in two cases (art. 5 LPrD):

  • Processing is authorised by law;
  • It is used to carry out a public task (see the University's missions).

In certain cases, where the data subject is able to exercise his or her choice freely and acts in an informed manner, consent may be given.

This rule differs significantly from that which applies in the private sector.

It is generally advisable to consult a data protection officer or the DPO to ensure that you choose the right legal basis.

The data subject

The ‘data subject’ is the person who is identified or identifiable by the data being processed.

Since the entry into force of the new Federal Data Protection Act (nLPD), legal entities (e.g. companies, organisations) are no longer data subjects.

The law

Data subject: any natural or legal person whose data is processed (Art. 4 al. 1 ch. 4 LPrD)

Personal data

A broad definition

Any information that relates to an identified or identifiable individual is personal data.

The law

Personal data means any information relating to an identified or identifiable person (Art. 4 al. 1 ch. 1 LPrD)

Further information

A natural person may be identified:

  • directly (example: name and first name);
  • indirectly (example: by a telephone or licence plate number, an identifier such as a social security number, a postal or e-mail address, but also voice or image).

The identification of a natural person can be performed:

  • from a single datum (example: name);
  • by cross-referencing a set of data (e.g. a woman living at such and such an address, born on such and such a day and a member of such and such an association).

By contrast, company details (for example, the company Compagnie A with its postal address, switchboard telephone number and a general contact email, compagnie1[@]email.fr) are not, in principle, personal data.

The document from the European Union's Article 29 Working Party discusses in detail issues relating to the definition of personal data.

Sensitive data

A particular category of personal data

Sensitive data is a particular category of personal data that requires special protection. The list of sensitive data is laid down by law. Not all so-called "sensitive" data is therefore sensitive within the meaning of the law.

The law

Sensitive data means any personal data relating to (Art. 4 al. 1 ch. 2 LPrD):

  • religious, philosophical, political or trade union opinions or activities, as well as an ethnic origin;
  • the intimate sphere of the person, in particular his or her psychological, mental or physical state;
  • individual measures and assistance arising from social legislation.

The revision of the LPrD should introduce two additional categories:

  • Genetic data;
  • Biological data uniquely identifying a natural person.

An order of magnitude

Knowing the number of people affected by the data processing makes it easier to manage the risk of processing personal data.

An order of magnitude is sufficient (tens, hundreds, thousands, etc.). It may also be necessary to mention how much this order of magnitude varies each year (e.g. 5,300 students, 150 more per year).

The number of personal data to be processed will vary according to the number of students.

Keeping it for a limited time

Personal data may be kept for a limited period only if there is a justified reason for doing so. The principle of proportionality would be violated if data were kept for longer than is necessary to pursue the purpose for which it was collected.

The retention period may be expressed:

  • by a specific period - 100 days, for example, or
  • by a criterion - when the person has not been active on the platform for two years.

Deleting them properly

There are two legally recognised ways of deleting personal data:

  • permanent deletion using appropriate IT methods, or
  • anonymisation.

Definitive anonymisation is increasingly difficult to achieve, particularly given the proliferation of data available online.

Further information

Opinion of the EU Article 29 Working Party on anonymisation techniques

Communicating and transferring personal data

Consult the page on transferring data.