Data Privacy Statement
The purpose of this Data Privacy Statement is to inform users about the personal data we process in connection with our websites and how, where and why we do so. The Data Privacy Statement also provides information on the rights of persons whose data we process.
Our websites are subject to Swiss data protection law as well as any applicable foreign data protection legislation such as, in particular, the General Data Protection Regulation (GDPR) of the European Union (EU). The European Commission recognises that Swiss data protection legislation provides an adequate level of protection.
1. Contact addresses
Responsible for the processing of personal data:
Swiss National Science Foundation (SNSF)
We will make you aware of any other persons or offices who may be responsible or, along with us, co-responsible for the processing of personal data in individual cases.
2. Processing of personal data
Personal data comprise all data related to a specific person. An affected person is a person whose personal data are processed. Processing encompasses every handling of personal data, irrespective of the methods and procedures used, notably the storage, disclosure, procurement, collection, deletion, saving, modification, destruction and use of personal data.
The European Economic Area (EEA) consists of the European Union, Liechtenstein, Iceland and Norway.
2.2 Legal framework
We process personal data in accordance with Swiss data protection law and in particular with the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (OFADP).
In instances where the GDPR applies, we process personal data in accordance with at least one of the following legal principles:
- Article 6 paragraph 1 letter e of the GDPR for the necessary processing of personal data to perform tasks that are in the public interest.
- Article 6 paragraph 1 letter b of the GDPR for the necessary processing of personal data to fulfil a contract with the affected person, and to conduct pre-contractual measures.
- Article 6 paragraph 1 letter f GDPR for the necessary processing of personal data to protect our valid interests or those of third parties in cases where the fundamental freedoms and basic rights and interests of the affected persons do not take precedence. Valid interests are, in particular, our interest in providing, and if necessary advertising, our services sustainably, securely, reliably and in a user-friendly format; information security and protection against misuse and unauthorised use; assertion of our own legal claims; and compliance with Swiss law.
- Article 6 paragraph 1 letter c GDPR for the necessary processing of personal data to fulfil any legal commitments we may have with respect to applicable laws of member states of the EEA.
- Article 6 paragraph 1 letter a GDPR for processing personal data with the affected person's consent.
- Article 6 paragraph 1 letter d GDPR for personal data processing that is necessary for safeguarding vital interests of the affected person or another natural person.
2.3 Nature, scope and purpose
We process the personal data that are required so that we can provide our services sustainably, securely, reliably and in a user-friendly format. Such personal data may, in particular, fall into the data categories of inventory data, contact data, browser and appliances data, content data, metadata or peripheral data as well as usage data, location data and contractual and payment data.
We process personal data for the duration needed to fulfil the relevant purpose(s) or to meet legal requirements. Personal data that no longer need to be processed are anonymised and deleted. Persons whose data are processed have the right in principle to have such data deleted.
In principle, we always obtain the consent of the affected persons, unless the processing is permissible for other legal reasons, for example due to legal requirements to honour a contract entered into with the affected person and for the purpose of taking corresponding pre-contractual measures; to protect our overriding legitimate interests; because the data processing is obvious in the given circumstances; or after the affected person has been informed in advance.
Within this framework, we process in particular data that affected persons send us themselves and of their own volition, for example using postal mail, email, contact forms, social media, telephone, or in response to a call for proposals. We may store such data for example in an address book or in a customer relationship management (CRM) system or using comparable tools. If you transmit personal data about third parties, you will be obliged to ensure such data are protected and correct.
In addition, we process personal data that we receive from third parties, obtain from publicly accessible sources or collect while fulfilling our tasks, to the extent that such processing is legally permissible.
Personal data from job applications are processed only to the extent necessary to evaluate someone's employability or in view of any subsequent employment contract. The personal data needed to conduct an application process are derived from the data requested or provided, for example within the scope of a job description. Applicants have the option to transmit further data linked to their application.
2.4 Processing of personal data by third parties, including abroad
We may have personal data processed by third parties or process such data together with them or with their aid or transmit them to third parties. Such third parties are, in particular, providers whose services we use. We guarantee an adequate level of protection for data made available to such third parties.
Such third parties are in principle based in Switzerland or in the EEA. However, they may also be located in other countries and territories on Earth or elsewhere in the universe, provided their data protection laws, according to the assessment of the Federal Data Protection and Information Commissioner (FDPIC) and, where the GDPR applies, according to the assessment of the European Commission, guarantee an adequate level of data protection, or if an adequate level of data protection is guaranteed for other reasons, e.g. based on a corresponding contractual agreement, notably on the basis of standard contractual clauses, or through a corresponding certification. In exceptional cases, such a third party may be located in a country that does not offer an adequate level of data protection, provided the corresponding legal data protection requirements, e.g. obtaining the express consent of the affected person, are met.
3. Rights of affected persons
Affected persons whose personal data we process have specific rights under Swiss data protection law. This includes the right of information and the right of correction, deletion or blocking of the processed data.
Affected persons whose data we process may - if and insofar as the GDPR applies - demand confirmation as to whether we process their personal data and, if we do, demand information about the processing of their personal data, limit the processing of their personal data, assert their right to data transmission and correct, delete ("right to be forgotten"), block or complete their personal data.
Affected persons whose personal data we process may - if and insofar as the GDPR applies - revoke their consent at any time with effect for the future and raise objections against the processing of their personal data at any time.
Affected persons whose personal data we process have a right of appeal before a responsible regulatory body. The regulatory body for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
4. Data Security
We take appropriate and suitable technical and organisational measures to guarantee data protection and, in particular, data security. Despite these measures, however, the processing of personal data on the internet is prone to security breaches. Therefore we cannot guarantee absolute data security.
Access to our websites is via transport encryption (SSL/TLS, specifically with the Hypertext Transfer Protocol Secure, abbreviated as HTTPS). Most browsers display a padlock icon in the address bar to indicate transport encryption.
5. Using our websites
When you visit one of our websites, cookies may be saved in your browser either temporarily as "session cookies" or for a specified period as "permanent cookies". Session cookies are automatically deleted when you close your browser. Permanent cookies enable recognition of returning visitors to our websites, thereby also measuring their reach, for example. Permanent cookies may also, for example, be used for online marketing.
For cookies used to measure success and reach, or for advertising purposes, an overall "opt out" is possible via the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
5.2 Server log files
Each time one of our websites is accessed, we may register the following data should they be transmitted to our server infrastructure by your browser or should they be identifiable via our web browsers: date and time including time zone, IP address, HTTP status code, operating system including user interface and version, browser including language and version, individual pages opened on our websites including amount of data transmitted, and website last visited in the current browser window (referrer).
We save such data, which may also constitute personal data, in server log files. These data are necessary to ensure that our websites remain user-friendly and reliable, and to guarantee data security, notably the protection of personal data - also through third parties or with the aid of third parties.
5.3 Tracking pixels
We may use tracking pixels on our websites. Tracking pixels are also referred to as web beacons. Tracking pixels - also those from third parties whose services we are using - are small, generally invisible images that are automatically opened when a user visits our website. Tracking pixels can record the same data as server log files.
6. Notifications and messages
We send notifications and messages, for example newsletters, by email and via other communication channels, such as instant messaging.
6.1 Measuring success and reach
Notifications and messages may contain weblinks or tracking pixels which record whether a specific message was opened and which weblinks were clicked. Such weblinks and tracking pixels can also collect personalised information about the use of notifications and messages. We need these usage statistics to measure our success and reach so that we can effectively, sustainably, securely and reliably offer user-friendly notifications and messages based on the needs and reading habits of the recipients.
6.2 Consent and objection
You need in principle to give your express consent to the use of your email address and other contact addresses, unless their use is permitted on other legal grounds. If permission is required for the receipt of emails, we use the "double opt-in" process, i.e. you receive an email with a weblink which you have to click as confirmation in order to prevent any misuse by unauthorised third parties. We may keep a record of any consent you have given, including the IP address and the date and time as evidence and for security reasons.
You may in principle cancel your registration for notifications and messages, for example newsletters. Notifications and messages that we require to provide our services remain reserved. By cancelling your registration, you can in particular object to your user data being used for statistical purposes linked to the measurement of success and reach.
6.3 Service provider for notifications and messages
We may also send notifications and messages via our services for third parties or with the help of service providers. This usually does not involve the use of any cookies whatsoever. We guarantee an adequate level of protection for data made available to such services.
7. Social media
We use social media platforms and other online platforms to communicate with interested parties and to inform them about our services. This may involve data processing outside Switzerland and the EEA.
We bear joint responsibility for our social media presence on Facebook, incl. so-called page insights, together with Facebook Ireland Limited in Ireland, if and insofar as the GDPR applies. The page insights show us how visitors interact with our Facebook page. We use page insights to make our social media presence on Facebook more effective and user-friendly.
Facebook, in which we agree, in particular, that Facebook shall be responsible for guaranteeing the rights of affected persons. Information relevant to the page insights can be found in the "Information about Page Insights" including the "Page insights addendum regarding the Controller" and "Information about Page Insights Data" of Facebook.
8. Third-party services
We use third-party services to make our websites available sustainably, securely, reliably and in a user-friendly format, and to accomplish our tasks. Such services also serve the purpose of embedding content in our websites. Such services - for example storage and other such services - require access to your IP address, else they will not be able to transmit the relevant content. Such services may be based outside Switzerland and the EEA, provided an adequate level of data privacy is guaranteed.
Third parties whose services we use may, for their own security-relevant, statistical and technical purposes, process data in connection with our websites as well as from other sources - cookies, log files and tracking pixels, in particular - in aggregated, anonymised or pseudo-anonymised form.
8.1 Contact options
We use the services of third parties to improve our communication with them and other persons. We guarantee that such third parties provide an adequate level of data privacy.
8.2 Social media functions and social media content
We use third-party services so that we can include selected fonts on our websites. No cookies are generally used in this context. We guarantee an adequate level of data privacy.
8.5 Success and reach measurement
We use third-party services in order to determine the success and reach of our websites. Cookies may be used in this context. We guarantee that such services provide an adequate level of privacy, notably by anonymising and pseudo-anonymising data.
8.5.1 Google Analytics
We use Google Analytics in particular to analyse how our websites are being used and specifically to determine the success and reach of our websites. Google Analytics is a service provided by Google LLC in the USA. Google Ireland Limited is responsible for the service vis-à-vis users in the EEA and in Switzerland.
We will in any case have your IP address anonymised prior to the analysis by Google. Your IP address will in principle not be transmitted to Google in the USA.
8.5.3 Google Tag Manager
9. Final Provisions
We may modify this Data Privacy Statement at any time. We will inform you about changes and additions in suitable form, in particular by publishing the latest version of the Data Privacy Statement on our website.
30 June 2021