In general, the processing of personal data, in order to comply with the law, must comply with a number of principles, namely :
The law defines personal data as "all information relating to an identified or identifiable person".
Personal data may contain direct identifiers (name, date of birth, address, etc.) or indirect identifiers (which may reveal a person's identity when aggregated).
Sensitive data is personal data relating to :
A personality profile is a collection of data that makes it possible to assess the essential characteristics of a natural person's personality (art. 3, lit. d, LPD).
The collection of personal and sensitive data is only possible with the prior and informed consent of the person concerned or when such collection is explicitly provided for in a law.
These data may only be processed for the purpose indicated at the time of collection.
It should be noted that anonymous data are not considered as personal data since they do not correspond to an identified or identifiable person. However, be careful that anonymization is complete and irreversible in order to take advantage of this processing option.
Pseudonymized (coded) data is not anonymous and must therefore be treated as personal data and be accompanied by security measures.
The General Data Protection Regulations (GDPR) regulate data protection and privacy for any individual residing within the EU, as well as the communication of personal data outside the EU. In the field of research, this Regulation applies to all institutions and companies operating internationally that collect and process personal data from EU residents or send data from Swiss nationals abroad (EU).
Like the Swiss and cantonal laws on personal data, the GDPR does not apply to the processing of personal data of deceased persons or legal entities.
Article 9 of the GDPR lists a set of so-called "special categories" of data whose processing is prohibited in principle :
Nevertheless, the article then lists a series of 10 exceptions under which these types of data may be processed, one of which concerns scientific research :
The GDPR also provides that personal data may only be collected for "specified, explicit and legitimate purposes" which should in principle be defined prior to processing and brought to the attention of the data subjects (Articles 13 and 14). However, recital 33 acknowledges that it is not always possible to determine in advance the exact purpose of a processing operation carried out for scientific research purposes. In terms of research, there is therefore some scope for formulating the purposes of processing data collected in a less precise way than required by the GDPR. It may be accepted, for example, that this purpose may be broadened or clarified over the course of the research project and according to its needs.
The European legal framework for the management of personal data must be taken into account when conducting research in collaboration with European researchers or on the personal data of EU residents.
It should also be noted that the GDPR (Art. 35) provides that before any processing activity "likely to generate a high risk for the rights and freedoms of individuals", the controller must carry out a data protection impact assessment (DPIA). For more information, please refer to the CNIL website.
The current European standard embodied by the GDPR is more "protective" and demanding than that expressed in the Personal Data Protection Act of the canton of Vaud (LPrD). Article 12 of the LPrD provides that: "Where the processing of personal data requires the consent of the data subject, the latter shall not validly consent unless he freely expresses his will and after having been duly informed. In the case of sensitive data and personality profiles, his or her consent must also be explicit".
Article 4 of the DGPS defines the data subject's consent as "any free, specific, informed and unequivocal expression of will by which the data subject accepts, by a clear declaration or positive act, that personal data relating to him/her may be processed".
Consent will only constitute an appropriate legal basis if the person concerned has a real control and choice as to whether or not to accept the proposed conditions or to refuse them without prejudice. Valid consent can only be obtained before the controller starts processing the data.
Valid consent under European law therefore implies an expression of will :
In addition, the controller must keep proof of consent in the event of an inspection.
It should be noted that the processing of sensitive data must also be subject to the collection of explicit consent. Oral consent is therefore not sufficient to process sensitive personal data.