This data protection notice provides an overview of how data are collected and processed on the ZHAW website www.zhaw.ch. Other ZHAW websites may have other or additional data protection notices.
The following information is intended to provide you with an overview of how your personal data are processed by us on our website and what your rights are under data protection law. How and which data are processed depends on the actual circumstances.
Who are we?
The ZHAW Zurich University of Applied Sciences is one of the leading universities of applied sciences in Switzerland.
Who does the data protection notice apply to?
Processing personal data means that we collect, store, use, transmit or delete those data. This data protection notice concerns personal data of the following individuals in relation to our website:
- interested parties, students and customers of the ZHAW, particularly in the fields of study, continuing education, research and business services
- all other natural persons who are in contact with our institution, e.g. authorised representatives, legal guardians, envoys, and representatives or employees of legal entities, as well as visitors to our websites and persons who register on the website
Until such time as any changes are made to the legal status of the law on Information and Data Protection (IDG) of the Canton of Zurich and the Swiss Federal Act on Data Protection (FADP), this data protection notice shall also apply to legal entities to the extent that the IDG or FADP is applicable.
- What sources and data do we use?
- Why do we process your data (processing purpose) and on what legal basis do we do so?
- Who receives my data?
- Are my data transmitted to a third country or an international organisation?
- How long will my data be stored?
- What are my data protection rights?
- Am I under any obligation to provide data?
- To what extent is decision-making automated?
- Is ‘profiling’ done?
- Cookies/web storage
- Statistics/IT system logs
- Links to social media platforms
- External content
- Changes to the data protection notice
- Information about your right to object
- Who is responsible for data processing?
What sources and data do we use?
We process data that are generated by the use of our website and/or data that are provided by you (e.g. when subscribing to a newsletter, registering for an event, completing online forms or other requests). This may be especially in connection with studies, continuing education, research or business services.
We collect your personal data in particular when you contact us, for example through our website as an interested party, applicant, customer etc. We process personal data that we receive from our customers within the scope of our business relationship. In addition, we process personal data – to the extent necessary to provide our business services – that we legitimately obtain from publicly accessible sources.
Furthermore, we process data generated through the use of our website and/or data that are provided by you (e.g. when subscribing to a newsletter, registering for an event or completing other online forms).
Relevant personal data are identifiers (name, address and other contact information; date and place of birth and citizenship) and authentication information (e.g. ID card details). They may also include order-related data, data relating to the performance of our contractual obligations, advertising and sales data, documentation data and other data similar to the above categories.
We do not collect any personal data if you only use the website for information purposes, i.e. if you do not complete any online forms, register for an event or otherwise provide us with information. Only the data transmitted by your browser will be conveyed, e.g. masked IP addresses, visitor behaviour on the website, date and time of the website visit, browser type and version, type of terminal device, referring webpage, etc. No identification is possible from this data.
Why do we process your data (processing purpose) and on what legal basis do we do so?
We process personal data in accordance with the provisions of the law on Information and Data Protection (IDG) of the Canton of Zurich, the Swiss Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR) to the extent that their corresponding regulations are applicable. As the GDPR requires that we list these individually, the legal frameworks upon which we base our data processing are listed below where the GDPR is applicable. When processing personal data in accordance with the IDG or FDPA, we rely on the comparable legal frameworks in these laws.
For the purpose of fulfilling contractual obligations (Art. 6(1)(b) GDPR)
Data are processed in order to provide ZHAW services in the scope of performing our contracts (e.g. in the area of continuing education or as concerns our business services) with our customers or to carry out pre-contractual measures as requested. The purposes for which data processing is used
depend primarily on the specific business service and may include activities such as training or consulting. The contract documents and terms and conditions may contain further details on the purposes of data processing.
As part of a balancing of interests (Art. 6 (1)(f) GDPR)
Where necessary, we process your data beyond the actual performance of the contract to protect our legitimate interests or those of third parties. Examples include:
- conducting research
- carrying out advertising or market and opinion research, so long as you have not objected to the use of your data
- establishing legal claims or defending legal disputes
- processing newsletters, event registration and orders (provided that the person involved can be expected to send them)
- ensuring IT security and IT operations
- analysing internet traffic on our website or improving the functionality of our website
- preventing and investigating criminal offences
- developing business management measures and enhancing services and products
As a result of your consent (Art. 6(1)(a) GDPR)
To the extent that you have given us your consent to process your personal data for specific purposes (e.g. sharing data, evaluating personal data for the purposes of research and marketing, newsletters insofar as there is no legal requirement for this under Art. 6(1)(b)), such processing is lawful based on your consent. Your consent may be revoked at any time. This also applies to the revocation of declarations of consent provided to us before the GDPR took effect, i.e. prior to 25 May 2018. The revocation of consent does not affect the lawfulness of data processed before the revocation.
On the basis of legal requirements (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR)
The ZHAW is subject to the provisions of the Higher Education Act as well as other statutory requirements of Swiss law, which stipulate that personal data may also be processed if required by law or if it is in the public interest. The basis for this, particularly as concerns study programmes and continuing education, is provided in the Swiss Higher Education Act.
Data that you enter into a form are transmitted in encrypted form. Furthermore, they are stored on our servers with all due care and attention and protected from being accessed by any third parties. Access to your data will only be granted to those employees who require it to fulfil their tasks. The ZHAW will only pass on your data to third parties if this has been expressly stated elsewhere or to external service providers who process this data for the ZHAW on the basis of an order processing contract. The data gathered will only be collected for the declared purpose and will not be passed on.
Our various newsletters allow us to inform you about current topics concerning the ZHAW and our products. To send you a newsletter, we require at a minimum your e-mail address. As a general rule, we also require your name and gender and, if necessary, your address (in order to determine the applicable legal basis). If you wish to subscribe to one or more newsletters, you can enter this information in the fields provided. After you have sent us this information, you will receive an e-mail from us to the address you provided, in which you will be asked to verify your e-mail address by clicking on a link.
You may cancel your subscription to our newsletters at any time and object to further processing of your data. At the end of each newsletter, there is an option to remove your name from the mailing list.
Who receives my data?
Within the ZHAW, only those parties that need access to your data to fulfil our contractual and statutory obligations receive such access. Service providers and agents used by us may also receive data for these purposes, such as companies in the categories of IT services, logistics, printing services, telecommunications, advising and consulting, as well as sales and Marketing.
The following parties may, for example, receive your personal data:
- public authorities and institutions (e.g. law enforcement agencies) if there is a statutory or regulatory obligation
- risk management bodies within the ZHAW due to legal or regulatory obligations
Additional recipients of data may be those bodies for which you have given us your consent to transfer the data or for which you have exempted us from the duty of confidentiality by agreement or consent.
Are my data transmitted to a third country or an international organisation?
Data transfer to locations in countries outside the European Union or Switzerland (known as third countries) takes place (e.g. in the scope of research cooperation with foreign universities/organisations) to the extent
- it is required by law or
- you have given us your consent or
- we have provided suitable guarantees through appropriate mechanisms (e.g. contracts).
How long will my data be stored?
We process and store your personal data for as long as is necessary to fulfil our contractual and statutory obligations or for as long as we consider it necessary for the purposes for which they are being processed or our legitimate interests exist or your consent has not been revoked.
If the data are no longer necessary to fulfil contractual or statutory obligations, they are deleted on a regular basis unless there is a need to further process the data – for a limited period of time – for the following purposes:
- to comply with retention obligations under commercial and tax law, in particular the Code of Obligations (CO) and the tax laws. These laws usually specify time limits of ten years for retention or documentation.
- to preserve evidence under the statute of limitations. In accordance with Art. 127 FF of the Swiss Code of Obligations (OR), these statutes of limitation may be up to 10 years. The statute of limitation for diploma documents is 50 years.
What are my data protection rights?
You are entitled to different rights depending on the applicable legal basis. If the IDG or FADP is applicable, your rights are governed by these regulations.
If the GDPR is applicable, the following applies: Every individual concerned has the right of access (Article 15 GDPR), the right to rectification (Article 16 GDPR), the right to erasure (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to object (Article 21 GDPR) and the right to data portability (Article 20 GDPR).
In addition, there is a right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR).
You may revoke consent to the processing of personal data at any time by informing us accordingly. This also applies to the revocation of declarations of consent provided to us before the GDPR took effect, i.e. prior to 25 May 2018. Please note that such revocation will only be valid for the future and does not affect any processing done before the date of revocation.
Am I under any obligation to provide data?
Within the framework of our business relationship, you must provide the personal data necessary to initiate and conduct the business relationship and fulfil the related contractual obligations
as well as the personal data we are required to collect by law. As a general rule, we would not be able to enter into a contract or carry one out with you without these data.
To what extent is decision-making automated?
In principle and pursuant to Article 22 GDPR, we do not use fully automated decision-making processes to establish and conduct business relationships. In the event that we should use such processes in individual cases, we will inform you accordingly to the extent prescribed by law.
Is ‘profiling’ done?
In some instances, we use automated processing of your data with the goal of evaluating certain personal aspects (i.e. profiling). For example, we use profiling as follows:
- We use evaluation tools to inform and advise you of our products in a targeted manner. These enable demand-oriented communication and advertising, including market research and opinion polling.
Cookies are text files that are placed and stored on a computer system through a web browser. You can at any time prevent cookies from being stored by our website by means of a corresponding setting on your internet browser and thus permanently prevent them from being placed. Moreover, previously stored cookies can be deleted at any time via your internet browser or other software programmes.
Web storage (also known as DOM storage or supercookies) is a technology for web applications used for storing data in a web browser. DOM storage supports persistent data storage, similar to cookies, as well as local, session-dependent storage.
In contrast to cookies, which both servers as well as clients (browsers) can access, DOM storage is controlled entirely by the client (browser). Data are not transferred to the server with every HTTP request, and a web server cannot write data directly to the DOM storage. Access is exclusively via scripts on the website. We use the session storage mechanism of the DOM storage standard, for example to save the filter selection when searching for continuing education programmes. These data are automatically deleted when the browser window is closed and are therefore no longer available in later browser sessions.
Storing data in web storage can also be prevented by not accepting cookies. However, we would like to point out that rejecting web storage could result in restrictions with respect to how ZHAW websites function.
Statistics/IT system logs
The Website www.zhaw.ch and its direct subpages use web analytics software (currently www.matomo.org and siteimprove.de). Known as tracking, this can be disabled by using the Do Not Track setting found in most internet browsers. This setting adds a Do Not Track tag to the header of the browser request, indicating that the user does not want their browsing behaviour tracked.
IT system logs
Whenever you use the internet, e.g. when accessing websites or sending e-mails, data are automatically transmitted that, in some cases, could be classified as personal data and stored by us in what are known as system logs. The system logs are stored by the ZHAW to identify errors or for security reasons. If the data are no longer required to fulfil operational or statutory obligations, they shall be deleted.
Links to social media platforms
We would also like to point out the following: links to social media platforms are suspected of transmitting data to Facebook or other social media providers, even when the individual websites are merely accessed. The ‘Share’ links on our website to Facebook and other social media platforms behave like normal links. As long as you do not click on the links and thus leave our website and switch within the browser, for example to Facebook, none of your user data are transmitted to the social media platform.
The ZHAW uses what is known as a social aggregator to display social media content on our website, such as tweets or Instagram posts. It allows us to collect individual posts from our social media sites and display them on the ZHAW website. Your user data are not transmitted to the aggregator, the aggregator operator or the relevant social media platforms, nor are they stored temporarily by the ZHAW. Posts by social media users that mention the ZHAW may also be displayed on our website. Apart from publicly accessible information such as profile/user names, links to images or videos and the like, the ZHAW does not publish any data about these users on its website. Thanks to the use of this social aggregator, the ZHAW does not need to use otherwise widespread social media plug-ins, which send the user data of website visitors directly to the social media platform operators. This does not apply to social media content that cannot be integrated into our website by means of an aggregator. See ‘External content’ below.
External content from Youtube, Vimeo, SRF, Issue, Soundcloud, Slidershare and Google Maps is displayed on our website via iframe and other tools. The IP address is transmitted and the content provider can set cookies, etc. If the website visitor is logged in to the network of the respective third party provider at the same time, a visit to the website may be assigned to the user’s account, depending on the provider. The ZHAW has no control over the manner in which the data are transmitted and has a legitimate interest in integrating this external content.
Changes to the data protection notice
We reserve the right to change this data protection notice at any time. The date of the last update can be found at the bottom of this data protection notice.
Information about your right to object in accordance with Article 21 of the General Data Protection Regulation (GDPR)
Individual right to object
You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Article 6(1)(e) of the GDPR (data processing in the public interest) and Article 6(1)(f) of the GDPR (data processing on the basis of balancing interests), including profiling based on those provisions according to Article 4(4) of the GDPR. If you exercise your right to object, your personal data shall no longer be processed unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Right to object to processing data for direct marketing purposes
In individual cases we process your personal data for direct marketing purposes. You have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you exercise your right to object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. The objection does not require a specific form and should be addressed if possible to: firstname.lastname@example.org
Who is responsible for data processing and how can I contact them?
Responsibility lies with:
ZHAW Zurich University of Applied Sciences, Gertrudstrasse 15, 8401 Winterthur, Telephone: +41 (0)58 934 71 71, E-Mail: email@example.com
If you have any questions on data protection, please contact:
ZHAW Zurich University of Applied Sciences, President's Office, Gertrudstrasse 15, 8401 Winterthur, E-Mail: firstname.lastname@example.org