- INTRODUCTION
The American Institute of Applied Sciences in Switzerland (AUS) needs to create, collect, process, and retain certain information about its employees, workers, students, clients, agents, and other individuals for various purposes. These purposes include managing the progress of students, managing staff, recruiting and employing staff, and complying with legal and statutory regulations. The institution is committed to protecting the rights and freedoms of individuals with respect to managing the personal information that it processes.
This policy sets out the responsibilities and actions that the institution will take to meet this commitment in accordance with our obligations and ensure compliance with the Swiss Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR).
This policy applies to all staff and students and all personal data that are created, collected, stored, and processed through the activity of the institution. It also sets out the responsibilities of the institution, its staff, and its students to comply with the provisions of the above-mentioned regulations and laws.
AGSB S.A., Chemin du Levant 5, 1814 La Tour-de-Peilz, Switzerland is the Data Controller of the personal data you provide to AUS. AUS determines the purposes for which, and the manner in which, any personal data (e.g., relating to students and their families, employees, suppliers, business contacts, and other third parties) is to be collected and processed. Personal data shall mean any information that relates to an identified or identifiable living natural person.
The AUS President, Mohamad El Khansa, acts as a representative for AUS and as its Data Protection Officer. Responsibilities include overseeing and monitoring AUS’s data protection procedures and ensuring they are compliant with the Swiss data protection regulations (such as the revised Swiss Federal Act on Data Protection, in force since 1 September 2023) and EU data protection regulations (General Data Protection Regulation 2016/679 of 27 April 2016, or GDPR), each as amended or replaced from time to time. He may be contacted at info@aus.swiss.
- THE DATA WE COLLECT
The categories of personal data that we collect and process include the categories included below.
In general:
- personal identifiers (such as name, business affiliation, contact details, and address)
- payment details
- content of AUS’s communication with you
- engagement with AUS, including events attended, donations received, and volunteer service
- security information (such as CCTV footage)
- cookies and other website usage data
Regarding students and their families:
- personal identifiers (such as name, unique student number, family relationships, contact details and address)
- characteristics (such as gender, age, language and nationality)
- attendance information (such as classes attended, number of absences, absence reasons and any previous studies attended)
- assessment information (such as data scores, tracking, and internal and external testing)
- relevant medical information (such as insurance information, health conditions, physical and mental health care, immunizations and allergies, dietary requirements, and medication)
- special educational needs information (such as care or support plans)
- safeguarding information
- photographs and videos (see below)
- behavioral information (such as exclusions and any relevant provisions put in place)
- information regarding student support
- information on residency in Switzerland (such as visa application details, Swiss student permit, and details from Swiss authorities)
- WHY WE COLLECT PERSONAL DATA
Personal data is generally used for the purposes of managing our relationship with you, communicating with you, and/or providing you with information you may request from us. More specifically, in line with applicable law, personal data may be used for the following purposes and for other purposes compatible with the purposes described below:
- to support student learning
- to monitor and report on student progress
- to provide appropriate first-aid and pastoral care
- to assess the quality of our services
- to meet the statutory requirements placed upon us by the cantonal and federal authorities
- to support our admissions process
- to inform parents about events, activities, and other things happening in the institution
- to help investigate any concerns or complaints you may have
- to establish, defend or exercise claims
- to terminate our contractual relationship
- to build and maintain the AUS community
- to make you aware of and inform you about our services, news, events, and activities
- for alumni: to respond to your requests regarding historical information about your time at AUS
Personal data may further be used for any other purpose you give your explicit consent to, or for purposes that may be of legitimate interest to AUS.
Most of the personal data mentioned is provided by you during the admission process and in the course of our contractual relationship or collected through the use of AUS online services. Insofar as permitted, we may also hold personal data about our business partners, students, and their families that we have received from publicly accessible sources (e.g., social media channels), authorities, or other third parties.
When submitting personal data please make sure that the data is correct. When providing personal data about a person other than yourself, please make sure that you are permitted to provide the data and that this other person is aware of this Privacy Notice.
Personal data is essential for AUS’s operational use. While the majority of personal data you provide to us is mandatory for the conclusion and performance of our contractual relationship, some of it may be provided on a voluntary basis. We will inform you when providing personal data is voluntary, or necessary to fulfill our contractual obligations.
- SPECIAL RULE ON CAMERA SURVEILLANCE, PHOTOGRAPHS, AND VIDEOS
For security and safety reasons, the AUS campus is under camera surveillance. AUS retains video images for a maximum of 30 days after which they are deleted, unless the images must be retained for further investigation or law enforcement processes.
Photographs and videos of students, parents, and employees may be taken to record and share daily campus life during the course of the academic year. Students, parents, and employees may be identifiable in these photographs or videos. Such photographs and videos may be used for educational and internal informational purposes (e.g. keeping records of lessons, field trips, sports, events, employee training, yearbook, and internal newsletter), for the identification of students, parents, or employees for health-related purposes (e.g. allergies), or for marketing and publication purposes, if and to the extent you gave us your consent where required under applicable data protection laws.
- DATA PROTECTION PRINCIPLES
The institution shall comply with the Data Protection Principles set out in the FADP and the GDPR. In summary, these state:
- Personal data shall be processed fairly and lawfully.
- An individual’s personal data should be made available to them upon request and they should be able to contact the entity collecting this information.
- Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose.
- The processing must be carried out in good faith and be proportionate.
- Personal data shall be adequate, relevant, and not excessive in relation to the purpose for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of the data subjects under the FADP and GDPR.
- Any person who processes personal data must satisfy themselves that the data are accurate. They must take all appropriate measures to correct, delete or destroy data that are incorrect or incomplete insofar as the purpose for which they are collected or processed is concerned. The appropriateness of the measures depends in particular on the form and the extent of the processing and on the risk that the processing poses to the data subject’s personality or fundamental rights.
- Appropriate security and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to another country unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data, or appropriate safeguards (such as recognized standard contractual clauses) are in place.
- DEFINITIONS
Data Subject — Identified or identifiable natural person.
Personal data — Any information relating to an identified or identifiable natural person (‘data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive personal data (the term used by the FADP):
- data relating to religious, philosophical, political, or trade union-related views or activities,
- data relating to health, the private sphere, or affiliation to a race or ethnicity,
- genetic data,
- biometric data that uniquely identifies a natural person,
- data relating to administrative and criminal proceedings or sanctions,
- data relating to social assistance measures.
Data Controller — An individual or legal person, public authority, agency, or other body who determines the purposes and means of processing personal data.
Data Processor — An individual or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Special Categories of Data (the term used by the GDPR) — Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Information relating to criminal convictions and offenses is regulated separately (GDPR Article 10) but should be afforded the same level of protection.
Processing — Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Disclosure — transmitting personal data or making such data accessible.
Anonymization — The process of turning data into a form that does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information.
Profiling — Automated processing of personal data to evaluate certain aspects about an individual, in particular, to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
High-risk profiling — Profiling that poses a high risk to the data subject’s personality or fundamental rights by matching data that allow an assessment to be made of essential aspects of the personality of a natural person.
Pseudonymization — Procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers or pseudonyms.
Automatic decision-making — Making a decision solely by automated means without any human involvement.
Breach of data security — A breach of security that leads to the accidental or unlawful loss, deletion, destruction, modification, or unauthorized disclosure of or access to personal data.
- ROLES AND RESPONSIBILITIES
All Data Processors are expected to read this policy and to ensure that the processing of personal data is in accordance with the Data Protection principles established earlier and the Institution’s policy and guidelines around them. The Line Managers shall be responsible for ensuring that their teams conform to this policy and the Data Protection principles and guidelines within it.
The Vice President shall be responsible for ensuring that all documents that are used to collect personal information on staff e.g. Staff Contracts, surveys, etc., include appropriate Data Protection statements that inform the data subject of information being collected, its purpose, and to whom it may be disclosed.
The Institution will maintain a record of processing activities, which records information relating to the processing of personal data. Users must ensure that the data they process is kept securely and that any personal information is not disclosed accidentally or otherwise to any unauthorized third party.
Staff and students who have any queries with respect to Data Protection should seek advice from the administration.
Students are required to follow this policy when processing any personal information as part of their studies and with the knowledge and express consent of an appropriate staff member(s).
Students are responsible for ensuring that they conform to this policy and any Guidelines based on it when requesting and using personal information in undertaking their studies in and on behalf of the institution.
Students are obliged to seek the approval of the Research Committee prior to conducting any research or academic activity that involves Personal Data or human subjects, in line with the regulations and guidelines provided by the Committee.
- RIGHTS OF THE DATA SUBJECTS
Under the data protection legislation, you have certain rights regarding the personal data we process about you, which allow you to verify the lawfulness of the processing. In particular, you have the right to:
- request information about your personal data processed by AUS
- request a copy of the personal data AUS holds on you; this includes the right to data portability, i.e., the right to receive your personal data in a structured, commonly used format
- restrict processing and/or object to the processing of personal data, in which case we may, however, no longer be in a position to provide any related services or perform our contractual obligations
- request that your personal data is erased where there is no compelling reason for its continued processing
- request that your personal data is amended if it is inaccurate or incomplete
Where the processing of your personal data is based on your consent, you have the right to withdraw this consent at any time. Such withdrawal of consent will not affect the lawfulness of the processing based on consent before the withdrawal.
Please note that your rights pursuant to this section may be limited in order to preserve any preponderant interest of AUS or any third parties.
In addition, you have the right to lodge a complaint with the competent data protection authority. The competent data protection authority of Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).
The institution will ensure that arrangements are made to provide for the rights available to Data Subjects under FADP and GDPR:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision-making and profiling.
- The right to data security and confidentiality.
The institution is committed to protecting the confidentiality of all those whose Personal Data it holds.
The above notwithstanding, the institution is obligated to disclose some personal data strictly in compliance with legislation and regulatory requirements. Such requests would require:
- A statement certifying and identifying the agency’s legal authority for requesting the documents.
- A description of the particular information and kinds of information requested as well as the purpose of use.
- Confirmation that the agency will maintain the requested confidential information in confidence and in line with the prevailing data protection laws and guidelines on the organizational and national level.
The institution will also be required to share some personal data with its academic partners. All transfers of information will be done in a manner that ensures the security of the transfer and is restricted to only information that allows the institutions involved to fulfill their mandate and responsibilities under the terms of their Agreement.
All staff are bound by the confidentiality clause in their employment contract and have an obligation to protect all personal data they may come into contact with during their line of work.
For students, the process for approval of research projects involving human participants will be implemented in line with the regulations developed in this regard by the Research Committee and will address the requirements of FADP and GDPR.
A Data Processor may not disclose any data about applicants, students, or staff members, including information about if an individual has ever been an applicant, student, or staff member unless they are clear that they have the authority of the Institution to do so. This also applies in relation to submitting Personal Data on the Institution’s websites or the internet in general.
A Data Processor may not provide references to prospective employers, agencies, or others without the consent of the Data Subject. Where the Institution is submitted as a referee, the person in question should duly notify the Institution and provide consent.
The institution will ensure that where consent is the legal basis for processing personal data, this consent meets the standards required:
- Data Subjects will take positive action to provide consent that is explicit and freely given.
- Consent will be separate from other terms and conditions and will not be a precondition of a service.
- Consent will be specific and granular.
- Data Subjects will be able to withdraw consent at any time, and the process for withdrawing consent will be as easy as it was to give consent.
- Evidence of consent will be retained.
- Consent will be kept under review and renewed as required.
- The institution will not use consent for core activities where there is an imbalance in the relationship between the institution and the Data Subjects. Where this is the case, an alternative condition for processing will be identified.
In recognition of the need to protect the rights of individuals, the institution will take steps, when processing their personal data, to address their rights and the Data Protection Principles, in particular fairness.
- STORING PERSONAL DATA
Personal data is stored in line with the Swiss data protection regulations and EU GDPR on servers located in Switzerland, EU-EFTA countries, and the USA. AUS maintains appropriate technical and organizational measures to preserve the confidentiality and integrity of your personal data (protection against unauthorized or unlawful access or processing, accidental loss, destruction or damage, cyber-security).
AUS does not store personal data indefinitely; data is only stored for as long as is necessary to serve the purposes described above. It may be processed beyond the end of our contractual relationship to establish, defend, or exercise claims (during the applicable limitation period), meet legal or post-contractual obligations, including legal documentation requirements, and to safeguard other legitimate interests of AUS.
- WHO WE SHARE PERSONAL INFORMATION WITH
AUS restricts the use of and access to personal data to those who have an absolute need to know in order to provide the services and serve the purposes described above (authorized personnel or agents). AUS will not share your personal data with any external parties other than those set out in this policy, or except with your explicit prior consent, or as required under applicable laws or regulations.
External recipients whom AUS routinely shares personal data with are the following:
- any company or provider where sharing the information is necessary to make payments or book benefits to you
- institutions that the students attend after leaving us
- our local, cantonal, and federal authorities to meet our legal obligations
- the Swiss education authorities
- the student’s family and representatives
- educators and examining bodies
- service providers to enable them to provide the service we have contracted them for (e.g., providers of IT services; academic service providers; providers of extra-curricular activities, internships, and field trips; tertiary education institutions)
- our auditors
- health authorities
- police forces, courts, tribunals
Where necessary, AUS will oblige external recipients to comply with this policy and to process personal data securely and exclusively for the purposes allowed by AUS.
Transfer of personal data is usually limited to recipients located in Switzerland. However, transfer of personal data may occur to recipients located in the EU-EFTA countries and the USA. If external recipients or external service providers are located in countries whose legislation does not guarantee an adequate level of data protection, AUS will implement suitable safeguards in the form of appropriate contractual clauses, namely standard contractual clauses and model contracts for data transfers recognized by the Swiss Federal Data Protection and Information Commissioner, in order to ensure compliance with this Privacy Notice and applicable laws.
- DATA SECURITY
All personal data must be kept secure from unauthorized access. For computer-based information, this includes the use of passwords, password-protected screensavers (screen locks), cryptographic mechanisms such as encryption, and physical forms of security such as locking away portable media (e.g., USB drives).
Personal data must not be held for longer than required and must be destroyed securely. A Data Processor must periodically review whether the Data Subjects' data are accurate, up to date, and still necessary.
Particular care must be taken when holding personal information on laptops. Personal information held on laptops should be deleted as soon as it is no longer required.
Personal data held on paper should be kept in locked cupboards and/or drawers unless it is being worked on. Personal data/information should not be downloaded to non-encrypted laptops/devices.
This is in line with the legal requirement to take appropriate security and organizational measures for the prevention of unauthorized access to, alteration of, disclosure of, accidental loss of, and destruction of the data in its control and to ensure that the measures provide a level of security appropriate to (i) the harm that might result from unauthorized access to, alteration of, disclosure of, or destruction of the data and its accidental loss; and (ii) the nature of the data concerned.
In the event that personal data, including any special category data, is unlawfully destroyed, lost, stolen, corrupted, disclosed, or released to an unauthorized person(s), the administrative staff must be informed.
Data breaches should be contained and responded to immediately upon discovering the breach. Data Processors should not try to manage the breach on their own but instead, report the incident and cooperate by providing information relating to the scope of the incident.
An assessment of the incident should be undertaken immediately to identify the measures required to contain or limit potential damage and to recover from the incident (this is an incident impact assessment, distinct from the Data Protection Impact Assessment carried out before high-risk processing begins). Any discussion of the data breach or circulation of information must be restricted to those directly involved in the investigation.
The communication of any data breach that involves personal data must be handled with care. Wider communication of a data breach, including notification to the regulatory authorities or research sponsors, will be managed by the Institution. Note that the GDPR requires notification of the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals), and the FADP requires notification of the FDPIC as quickly as possible where a breach is likely to result in a high risk to the data subject; prompt internal reporting is therefore essential.
- ACCOUNTABILITY AND GOVERNANCE
The institution shall implement appropriate technical and organizational measures, such as pseudonymization, that are designed to implement the data protection principles (such as data minimization) and to effectively protect the rights of data subjects.
The institution shall implement appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each specific purpose are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility.
In particular, these measures will ensure that, by default, personal data are not made accessible to an indefinite number of persons without the data subject’s intervention.
Requests by Data Subjects who are not members of the institution for access, rectification, erasure, portability, and/or objections to the processing of their Personal Data should be made through the institution’s website. Similar requests by staff members or students may be submitted via their work or student email accounts to the administration. The administration will be accountable for ensuring FADP and GDPR compliance by the organization, as well as evaluating and implementing data protection policies.
- WEBSITE ANALYTICS
We use website statistic packages such as Google Analytics to analyze trends in how our website is accessed and used. Information monitored includes internet protocol (IP) addresses, kind of device used, geographic location of visitors, browser type, internet service provider (ISP), referring/exit pages, platform type, date/time stamp, time spent on pages, and keywords used to find our site via search engines. This information is used in aggregate and is not used by AUS to identify individual users; note, however, that IP addresses and similar online identifiers are considered personal data under the GDPR. We may use it to identify high-use or low-use areas of the site, pinpoint problem areas of the site, analyze broad demographic trends in our visitors, and make decisions about how to make it easier for people to find and navigate our website.
If you do not want analytics to be used in your browser, you can install the Google Analytics opt-out browser add-on. More information about the ways in which Google Analytics collects and processes personal data is published by Google.
The AUS website may contain links to other sites. Please be aware that AUS is not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every website that collects personally identifiable information.
The AUS website may use "cookies" to help you personalize your online experience. A cookie is a small text file that a web server asks your browser to store on your device. Cookies cannot be used to run programs or deliver viruses to your computer. A cookie's value is assigned to your browser and can only be read back by web servers in the domain that issued it.
One of the primary purposes of cookies is to provide a convenience feature to save you time: a cookie tells the web server that you have returned to a specific page or site.
You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the AUS website.
If you wish to disable cookies, you may do so through your individual browser options. More detailed information about cookie management with specific web browsers can be found on the browsers' respective websites.