Data Protection-Glossary and FAQ
Digital Dictionary and FAQ on Data Protection
Types of (Personal) Data
What is “personal data”?
Personal data is all information relating to an identified person or a person identifiable by means of the information (see Section 3(3) of the Information and Data Protection Act of the Canton of Basel-Stadt [IDG]).
This includes, for example, name, date of birth, email address, telephone and mobile number, OASI number, matriculation number, bank details, IP address (with exceptions), gender, photograph and also identifying characteristics (e.g. only woman in the XY team).
A distinction must be made between “normal” personal data and “sensitive” personal data (see Section 3(4) IDG). These have an increased risk of being used in the violation of fundamental rights of the data subjects due to their significance, the way they are processed and/or because they can be used to create a profile of the person concerned. It includes, for example, data on children and other vulnerable persons (e.g. ethnic minorities) or information on a person’s health.Show answer Show question
What is “non-personal data”?
Non-personal data is all information that does not contain any references to a person (e.g. amounts of money, temperatures). Due to this fact, it is not subject to the provisions of data protection law.
However, it should be noted that the distinction between personal and non-personal data is fluid: Through additional information or technical processing, non-personal data (and also anonymized data) can in fact become personal data once more – in which case the provisions of data protection law would again apply.Show answer Show question
What is the difference between “anonymously collected,” “anonymized” and “pseudonymized” data?
We speak of “anonymously collected” data when data is collected in such a way that there is no connection between the data subject – i.e. the person about whom any information is collected – and the data at any time. Completely anonymous data collection can, however, only be assumed with caution since contact data or at least the IP number is usually provided, especially in digital surveys. Anonymous data is strictly non-personal data and is not subject to data protection law. The term anonymization, on the other hand, is understood as the process of irreversibly removing any references to a person from personal data.
“Anonymized” data is no longer subject to the provisions of data protection law from the time of the irreversible removal of any references to a person.
In contrast to anonymization, pseudonymization does not irreversibly remove references to a person, but merely replaces them with a specific key or code. Re-personalization of the information is still possible through the key or code. Due to this fact, the provisions of data protection law apply unchanged. Furthermore, it is also necessary to regulate the conditions under which a person may be identified again and how the key or code is stored (key management).
The distinction between the terminology pairs “personal data” and “non-personal data” and “anonymized data” and “pseudonymized data” is fluid: Through additional information or technical processing, non-personal data or anonymized data can become personal data (again).Show answer Show question
Processing Personal Data
What does “processing” (of personal data) mean?
The term “data processing” is very broad and covers everything that can be done with personal data, regardless of the person, technique, duration or medium (e.g. collecting, processing, storing, disclosing or passing on, archiving and/or destroying).Show answer Show question
When can “personal data” be processed?
Students, researchers and/or employees of the University of Basel may only process personal data if there is a legal basis for doing so (i.e. a law or an ordinance).
For the processing of “sensitive” personal data (e.g. data on a person’s health), an ordinance is not sufficient as a legal basis; in such cases, a direct authorization or obligation in a sectoral or special law is always necessary (e.g. in the Human Research Act [HFG] or Health Insurance Act [KVG]).
The principles of data protection law are of particular importance when processing personal data, namely: lawfulness, transparency, purpose limitation, proportionality and accuracy of the data. For more information, see the data protection glossary on the Data Protection Officers’ website.Show answer Show question
Am I allowed to have personal data processed by others?
The University of Basel is responsible for the processing of personal data in teaching, research and administration (the “controller”). Third parties external to the university may, in principle, be called in for this purpose (“processors”); however, the university remains responsible for the data processing. The handling of data should therefore be secured by agreement (“data processing agreement” [DPA]). The core basis of this agreement is that the processor is subject to the direction of the controller; furthermore, the data may only be processed in a way that is also permitted for the controller.
Commissioned data processing is assumed, for example, if an external IT service provider hosts a website, data is stored in a cloud, a survey or transcription tool is used or external third parties are granted access rights to a data set.
Processors can therefore be natural persons as well as companies or public authorities that process personal data on behalf of the controller (e.g. student, researcher or employee of the University of Basel).
In some cases, these processors in turn involve “subcontracted data processors” – whether and to what extent this is permitted depends on the agreement between the controller and the processor.Show answer Show question
Who bears the (data protection) responsibility?
If personal data is processed in the context of the university (e.g. by employees, researchers or students), the responsibility under data protection law always lies with the university as a public institution of the canton. It must therefore ensure that the processing is both organizationally and technically compliant with data protection legislation. Employees, researchers and students bear joint responsibility in this regard and must comply in particular with the university’s guidelines (e.g. when using the IT infrastructure).Show answer Show question
Data Protection Principles (when Processing Personal Data)
What does the principle of lawfulness mean?
The principle of lawfulness states that all administrative action must be bound by the rule of law. Accordingly, any processing of personal data by the University of Basel must be based on a legal basis that authorizes or obliges it (see Section 9 IDG).Show answer Show question
What does the principle of purpose limitation mean?
A specific purpose must be defined at the beginning of each processing of personal data. This purpose must be communicated transparently to the data subjects (see principle of transparency). The processed data may then be processed for this defined purpose only (see Section 12 IDG).
In the event of any other use not communicated at the outset (e.g. subsequent use for a new project), the consent of the persons concerned must be obtained again.Show answer Show question
What does the principle of transparency mean?
According to the principle of transparency, any data processing must be known to the data subjects – i.e. the person must be informed transparently about the key questions (Who? How? What for? For how long? etc.). In addition, the public body must organize the handling of data in such a way that it can provide information quickly, comprehensively and factually (see Section 4(1) IDG).Show answer Show question
What does the principle of proportionality mean?
The principle of proportionality stipulates that only appropriate personal data and only as much personal data as is necessary to achieve the predefined purpose may be processed (see Section 9(3) IDG). The objective pursued and the means used must be in reasonable proportion to each other and the rights of the data subjects must be safeguarded.Show answer Show question
What does the principle of accuracy mean?
Personal data must be correct and, insofar as the purpose of use requires, complete (see Section 11 IDG); the person responsible must actively ensure that this is the case. Incorrect data must be corrected or otherwise deleted.Show answer Show question
When and why do I need a Data Protection Statement?
Anyone who operates a website collects and processes personal data of website visitors. Therefore, a website always needs a Data Protection Statement that provides information about what personal data is processed, for what purpose, for how long and by whom (e.g. hosting providers, web analysis tools); what measures the organization takes to protect the privacy of the users; what rights the data subjects have.
The more complex the data collection, the more detailed the Data Protection Statement should be. In any case, it must be created individually for the respective website.
Which data protection law is relevant for me?
The University of Basel is a public institution of the canton. The provisions of the Information and Data Protection Act of the Canton of Basel-Stadt, IDG for short, therefore apply to students, researchers and/or employees of the University. This also applies to other cantonal or municipal authorities and institutions as well as to private individuals who process data on behalf of the canton.
Depending on the case, however, other regulations from other data protection laws must also be taken into account – e.g. from the Swiss Data Protection Act (DSG) or, in cases with international aspects, those of the European General Data Protection Regulation (EU-GDPR).
Furthermore, internal university directives and regulations, as well as further decrees must be observed (e.g. on the use of IT resources or the handling of (research) data).
In the case of private research, the Swiss Data Protection Act (DSG) applies and the responsibility lies with the private person processing the data.Show answer Show question
Rights of Data Subjects
What are the “rights of data subjects”?
With regard to data protection, the law grants data subjects a wide range of rights: from the right of access to (their own) information and (personal) data (see Section 25 et seq. IDG), to the protection of their own personal data (see Section 27 IDG) and the blocking of disclosure (Section 28 IDG).
It is now possible to report potential data breaches to the Data Protection Officer as a supervisory authority (Section 28a IDG).Show answer Show question