Processing by Third Parties

The conditions for “processing by third parties” as specified in § 6 IDG are met when a public body, such as UZH, tasks a third party with processing information, i.e. factual, personal and special personal data. Terms that are used synonymously include outplacement, outsourcing, commissioned work, or contract data processing.

“Third parties” include natural or legal persons and other public bodies.

Pursuant to § 3 IDG, the term “processing” refers to any instance of handling information such as obtaining, saving, using, editing, making public, granting access to, or destroying information.

Further details can be found in the guidelines on third-party processing of the Data Protection Officer of the Canton of Zurich (German).

When information belonging to UZH is processed on behalf of UZH, specific legal, technical, and organizational measures must be implemented. The corresponding requirements are specified in the Canton of Zurich’s Act on Information and Data Protection (Information und den Datenschutz, IDG) and Ordinance on Information and Data Protection (Verordnung über die Information und den Datenschutz, IDV).

In view of these circumstances, UZH has created a legally reviewed package solution (GTCs, confidentiality declaration and fact sheet) that incorporates cantonal requirements and provide UZH staff with clear instructions on how to proceed when concluding the relevant contracts (see “Package Solution”).

Further information can be found here (German).