Data Protection in Administration
Personal data is processed in nearly all offices of the University of Basel's administration. The cooperation and sensitivity of all employees are requested so that the university can guarantee the legally required data protection.
Legal Grounds for Data Processing
The processing (i.e. collection, storage, disclosure, deletion, etc.) of personal data by the university as a public institution requires either a direct legal basis (e.g. Sec. 7 Student Regulations, Sec. 42 Staff Regulations) or the legal assignment of a task to the university which can only be performed by processing personal data (called an indirect legal basis, such as a research contract, Sec. 1 University Statutes).
Consent is not sufficient for the university to process personal data. However, consent is required when the legal basis permits processing in general, but not the processing of specific data referring to an individual person (see informed consent).
In addition, data may only be processed for a specific purpose, the processing must be proportionate (e.g. appropriate, necessary for the specific purpose, and reasonable for the data subject) and the principles of data minimization and transparency must be followed (for more information, see informed consent). Projects involving vulnerable persons (e.g. children) or in special settings (e.g. anonymous data collection) are subject to additional rules.
Commissioned Data Processing
The University of Basel is responsible for personal data processing in teaching, research, and administration; in this role it is called the “data controller” or “controller”.
As a rule, third parties external to the university may be commissioned for this purpose (called “data processors” or “processors”). However, the university remains responsible for the data processing and must safeguard the data by means of a commissioned data processing contract (CDPC).
The University may conversely be the data processor for another controller; in this case, it will be bound by a CDPC.
Commissioned data processing may consist of, for example, use of a cloud, IT support from an external provider, use of transcription software, or data collection by an external market research institute.
In research, the exchange of (health-related) data and (biological) material between the university and other institutions is also regulated by contractual agreements (see in this respect e.g. Unitectra, SPHN or the GrantsOffice).
Due to the complexity of some collaborations and the diversity of the situations in question, specific advice and an individual contract should be obtained for each case.
Please contact the Data Protection Officer's team by email: firstname.lastname@example.org
Data Protection for Photographs of People
Few web pages, social media accounts, or brochures could do without images of people. Photographs of people are subject to both copyright protection, which protects the rights of the photographer to their own work, and to image rights, which are an aspect of the protection of personal rights. In addition, pictures of people are also protected by data protection law as personal data.
The use of images, especially their distribution and publication on websites, social media, etc., is only permitted if consent has been obtained.
Data Protection Review
The purpose of a data protection review is to identify potential risks before the collection and processing of personal data and to minimize them where possible.
In university life, data protection reviews particularly come into play before research projects and before the introduction of new digital services for teaching, research, or administration. The primary goal of these reviews is to determine whether the nature of the data or the processing of the data entails a high risk to the rights and freedoms of the data subject.
If the risk remains high despite the implementation of protection measures, if the data is being processed using new technologies, or if a very large number of people are affected (> 10,000), the project must be submitted to the canton's data protection officer for a prior consultation.
You can learn more on the data protection reviews web page.
Data Protection Statement for Websites & Forms
Anyone who operates a website collects and processes personal data belonging to the site's visitors. For this reason, a website always requires a data protection statement which transparently discloses which personal data is processed, for what purpose, for how long, and by whom (e.g., hosting provider, web analytics services, etc.). The data protection statement must advise the website's visitors of their rights, such as the right to information about the collected data and the right to revoke any consent given.
The data protection officer will assist in drafting the data protection statement; contact the team by e-mail.
In addition to the automatic data (log files) collected by every website, additional personal data may be collected by web forms such as contact or registration forms for newsletters or events. If you use such web forms, even only temporarily, you need an additional data protection notice. Please refer to the information sheet available for download.
If you have questions, you can contact the Data Protection Officer's team by email at any time.