Privacy Policy

1.  INTRODUCTION

The American Institute of Applied Sciences in Switzerland (AUS) needs to create, collect, process, and retain certain information about its employees, workers, students, clients, agents, and other individuals for various purposes. These purposes include managing the progress of students, managing staff, recruiting and employing staff, and complying with legal and statutory regulations. The institution is committed to protecting the rights and freedoms of individuals with respect to managing the personal information that it processes.

This policy sets out the responsibilities and actions that the institution will take to meet this commitment in accordance with our obligations and ensure compliance with the Swiss Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR).

This policy applies to all staff and students and all personal data that are created, collected, stored, and processed through the activity of the institution. It also sets out the responsibilities of the institution, its staff, and its students to comply with the provisions of the above-mentioned regulations and laws.

AGSB S. A, Chemin du Levant 5, 1814 La Tour-de-Peilz, Switzerland is the Data Controller of the personal data you provide to AUS. AUS determines the purposes for which, and the manner in which, any personal data (e.g., relating to students and their families, employees, suppliers, business contacts, and other third parties) is to be collected and processed. Personal data shall mean any information that relates to an identified or identifiable living natural person.

The AUS President, Mohamad El Khansa, acts as a representative for AUS and as its Data Protection Officer. Responsibilities include: overseeing and monitoring AUS’s data protection procedures and ensuring they are compliant with the Swiss data protection regulations (such as the Swiss Federal Act on Data Protection of 1 September 2023), and EU data protection regulations (General Data Protection Regulation 2016/679 of 27 April 2016 or GDPR), each as amended or replaced from time to time. He may be contacted at info@aus.swiss.


1.  THE DATA WE COLLECT

The categories of personal data that we collect and process include those listed below.

In general:

  • personal identifiers (such as name, business affiliation, contact details, and address)
  • payment details
  • content of AUS’s communication with you
  • engagement with AUS, including events attended, donations received, and volunteer service
  • security information (such as CCTV footage)
  • cookies and other website usage data


Regarding students and their families:

  • personal identifiers (such as name, unique student number, family relationships, contact details and address)
  • characteristics (such as gender, age, language and nationality)
  • attendance information (such as classes attended, number of absences, absence reasons and any previous studies attended)
  • assessment information (such as data scores, tracking, and internal and external testing)
  • relevant medical information (such as insurance information, health conditions, physical and mental health care, immunizations and allergies, dietary requirements, and medication)
  • special educational needs information (such as care or support plans)
  • safeguarding information
  • photographs and videos (see below)
  • behavioral information (such as exclusions and any relevant provisions put in place)
  • information regarding student support
  • information on residency in Switzerland (such as visa application details, Swiss student permit, details from Swiss authorities)

1.  WHY WE COLLECT PERSONAL DATA

Personal data is generally used for the purposes of managing our relationship with you, communicating with you, and/or providing you with information you may request from us. More specifically, in line with applicable law, personal data may be used for the following purposes and for other purposes compatible with the purposes described below:

  • to support student learning
  • to monitor and report on student progress
  • to provide appropriate first-aid and pastoral care
  • to assess the quality of our services
  • to meet the statutory requirements placed upon us by the cantonal and federal authorities
  • to support our admissions process
  • to inform parents about events, activities, and other things happening in the institution
  • to help investigate any concerns or complaints you may have
  • to establish, defend or exercise claims
  • to terminate our contractual relationship
  • to build and maintain the AUS community
  • to make you aware of and inform you about our services, news, events, and activities
  • alumni: to respond to your request regarding historical information about your time at AUS

Personal data may further be used for any other purpose you give your explicit consent to, or for purposes that may be of legitimate interest to AUS.

Most of the personal data mentioned is provided by you during the admission process and in the course of our contractual relationship or collected through the use of AUS online services. Insofar as permitted, we may also hold personal data about our business partners, students, and their families that we have received from publicly accessible sources (e.g., social media channels), authorities, or other third parties.

When submitting personal data please make sure that the data is correct. When providing personal data about a person other than yourself, please make sure that you are permitted to provide the data and that this other person is aware of this Privacy Notice.

Personal data is essential for AUS’s operational use. While the majority of personal data you provide to us is mandatory for the conclusion and performance of our contractual relationship, some of it may be provided on a voluntary basis. We will inform you when providing personal data is voluntary, or necessary to fulfill our contractual obligations.


1.  SPECIAL RULE ON CAMERA SURVEILLANCE, PHOTOGRAPHS, AND VIDEOS

For security and safety reasons, the AUS campus is under camera surveillance. AUS retains video images for a maximum of 30 days after which they are deleted, unless the images must be retained for further investigation or law enforcement processes.

Photographs and videos of students, parents, and employees may be taken to record and share daily campus life during the course of the academic year. Students, parents, and employees may be identifiable in these photographs or videos. Such photographs and videos may be used for educational and internal informational purposes (e.g. keeping records of lessons, field trips, sports, events, employee training, yearbook, and internal newsletter), for the identification of students, parents, or employees for health-related purposes (e.g. allergies), or for marketing and publication purposes, if and to the extent you gave us your consent where required under applicable data protection laws.


1.  DATA PROTECTION PRINCIPLES

The institution shall comply with the Data Protection Principles set out in the aforementioned regulations and laws. In summary, these state:

  • Personal data shall be processed fairly and lawfully.
  • An individual’s personal data should be made available to them upon request and they should be able to contact the entity collecting this information.
  • Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose.
  • The processing must be carried out in good faith and be proportionate.
  • Personal data shall be adequate, relevant, and not excessive in relation to the purpose for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of the data subjects under the FADP and GDPR.
  • Any person who processes personal data must satisfy themselves that the data are accurate. They must take all appropriate measures to correct, delete or destroy data that are incorrect or incomplete insofar as the purpose for which they are collected or processed is concerned. The appropriateness of the measures depends in particular on the form and the extent of the processing and on the risk that the processing poses to the data subject’s personality or fundamental rights.
  • Appropriate security and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to another country unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data.

1.  DEFINITIONS

Data Subject — Identified or identifiable natural person.

Personal data — Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive personal data

  • data relating to religious, philosophical, political, or trade union-related views or activities,
  • data relating to health, the private sphere, or affiliation to a race or ethnicity,
  • genetic data,
  • biometric data that uniquely identifies a natural person,
  • data relating to administrative and criminal proceedings or sanctions,
  • data relating to social assistance measures.


Data Controller — An individual or legal person, public authority, agency, or other body who determines the purposes and means of processing personal data.

Data Processor — An individual or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Special Categories of Data — Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Information relating to criminal convictions and offenses is not included but should be offered the same level of protection.

Processing — Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Disclosure — Transmitting personal data or making such data accessible.

Anonymization — The process of turning data into a form that does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information.

Profiling — Automated processing of personal data to evaluate certain aspects about an individual, in particular, to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

High-risk profiling — Profiling that poses a high risk to the data subject’s personality or fundamental rights by matching data that allow an assessment to be made of essential aspects of the personality of a natural person.

Pseudonymization — Procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers or pseudonyms.

Automatic decision-making — Making a decision solely by automated means without any human involvement.

Breach of data security — A breach of security that leads to the accidental or unlawful loss, deletion, destruction, modification, or unauthorized disclosure or access to personal data.



1.  ROLES AND RESPONSIBILITIES

All Data Processors are expected to read this policy and to ensure that the processing of personal data is in accordance with the Data Protection principles established earlier and the Institution’s policy and guidelines around them. The Line Managers shall be responsible for ensuring that their teams conform to this policy and the Data Protection principles and guidelines within it.

The Vice President shall be responsible for ensuring that all documents that are used to collect personal information on staff, e.g. Staff Contracts, surveys, etc., include appropriate Data Protection statements that inform the data subject of information being collected, its purpose, and to whom it may be disclosed.

The Institution will maintain a record of processing activities, which records information relating to the processing of personal data. Users must ensure that the data they process is kept securely and that any personal information is not disclosed accidentally or otherwise to any unauthorized third party.

Staff and students who have any queries with respect to Data Protection should seek advice from the administration.

Students are required to follow this policy when processing any personal information as part of their studies and with the knowledge and express consent of an appropriate staff member(s).

Students are responsible for ensuring that they conform to this policy and any Guidelines based on it when requesting and using personal information in undertaking their studies in and on behalf of the institution.

Students are obliged to seek the approval of the Research Committee prior to conducting any research or academic activity that involves Personal Data and human subjects, in line with the regulations and guidelines provided by the Committee.



1.  RIGHTS OF THE DATA SUBJECTS

Under the data protection legislation, you have some rights regarding your personal data processed by us in order to verify the lawfulness of processing. In particular, you have the right to:

  • request information about your personal data processed by AUS
  • request a copy of the personal data AUS holds on you; this includes the right to data portability, i.e., the right to receive your personal data in a structured, commonly used format
  • restrict processing and/or object to the processing of personal data, in which case we may, however, no longer be in a position to provide any related services or perform our contractual obligations
  • request that your personal data is erased where there is no compelling reason for its continued processing
  • request that your personal data is amended if it is inaccurate or incomplete


Where the processing of your personal data is based on your consent, you have the right to withdraw this consent at any time. Such withdrawal of consent will not affect the lawfulness of the processing based on consent before the withdrawal.

Please note that your rights pursuant to this section may be limited in order to preserve any preponderant interest of AUS or any third parties.

In addition, you have the right to lodge a complaint with the competent data protection authority. The competent data protection authority of Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

The institution will ensure that arrangements are made to provide for the rights available to Data Subjects under FADP and GDPR:

1.  The right to be informed.

2.  The right of access.

3.  The right to rectification.

4.  The right to erasure.

5.  The right to restrict processing.

6.  The right to data portability.

7.  The right to object.

8.  Rights in relation to automated decision-making and profiling.

9.  The right to data security and confidentiality.


The institution is committed to protecting the confidentiality of all those whose Personal Data it holds.

The above notwithstanding, the institution is obligated to disclose some personal data strictly in compliance with legislation and regulatory requirements. Such requests would require:

1.  A statement certifying and identifying the agency’s legal authority for requesting the documents.

2.  A description of the particular information and kinds of information requested as well as the purpose of use.

3.  Confirmation that the agency will maintain the requested confidential information in confidence and in line with the prevailing data protection laws and guidelines on the organizational and national level.


The institution will also be required to share some personal data with its academic partners. All transfers of information will be done in a manner that ensures the security of the transfer and is restricted to only information that allows the institutions involved to fulfill their mandate and responsibilities under the terms of their Agreement.

All staff are bound by the confidentiality clause in their employment contract and have an obligation to protect all personal data they may come into contact with during their line of work.

For students, the process for approval of research projects involving human participants will be implemented in line with the regulations developed in this regard by the Research Committee and will address the requirements of FADP and GDPR.

A Data Processor may not disclose any data about applicants, students, or staff members, including information about whether an individual has ever been an applicant, student, or staff member, unless they are clear that they have the authority of the Institution to do so. This also applies in relation to submitting Personal Data on the Institution’s websites or the internet in general.

A Data Processor may not provide references to prospective employers, agencies, or others without the consent of the Data Subject. Where the Institution is submitted as a referee, the person in question should duly notify the Institution and provide consent.

The institution will ensure that where consent is the legal basis for processing personal data, this consent meets the standards required. Data Subjects will take positive action to provide consent that is explicit and freely given. Consent will be separate from other terms and conditions. Consent will not be a precondition of a service.

Consent will be specific and granular.

1.  Data Subjects will be able to withdraw consent at any time and the process for withdrawing consent will be as easy as it was to give consent.

2.  Evidence of consent will be retained.

3.  Consent will be kept under review and renewed as required.

4.  The institution will not use consent for core activities where there is an imbalance in the relationship between the institution and the Data Subjects. Where this is the case an alternative condition for processing will be identified.

5.  In recognition of the need to protect the rights of individuals, the institution will take steps, when processing their personal data, to address their rights and the Data Protection Principles, in particular fairness.

1.  STORING PERSONAL DATA

Personal data is stored in line with the Swiss data protection regulations and EU GDPR on servers located in Switzerland, EU-EFTA countries, and the USA. AUS maintains appropriate technical and organizational measures to preserve the confidentiality and integrity of your personal data (protection against unauthorized or unlawful access or processing, accidental loss, destruction or damage, cyber-security).

AUS does not store personal data indefinitely; data is only stored for as long as is necessary to serve the purposes described above. It may be processed beyond the end of our contractual relationship to establish, defend, or exercise claims (during the applicable limitation period), meet legal or post-contractual obligations, including legal documentation requirements, and to safeguard other legitimate interests of AUS.


1.  WHO WE SHARE PERSONAL INFORMATION WITH

AUS restricts the use of and access to personal data to those who have an absolute need to know in order to provide the services and serve the purposes described above (authorized personnel or agents). AUS will not share your personal data with any external parties other than those set out in this policy, or except with your explicit prior consent, or as required under applicable laws or regulations.

External recipients whom AUS routinely shares personal data with are the following:

  • any company or provider where sharing the information is necessary to make payments or book benefits to you
  • institutions that the students attend after leaving us
  • our local, cantonal, and federal authorities to meet our legal obligations
  • the Swiss education authorities
  • the student’s family and representatives
  • educators and examining bodies
  • service providers to enable them to provide the service we have contracted them for (e.g., providers of IT services; academic service providers; providers of extra-curricular activities, internships, and field trips; tertiary education institutions)
  • our auditors
  • health authorities
  • police forces, courts, tribunals


Where necessary, AUS will oblige external recipients to comply with this policy and to process personal data securely and exclusively for the purposes allowed by AUS.

Transfer of personal data is usually limited to recipients located in Switzerland. However, transfer of personal data may occur to recipients located in the EU-EFTA countries and the USA. If external recipients or external service providers are located in countries whose legislation does not guarantee an adequate level of data protection, AUS will implement suitable safeguards in the form of appropriate contractual clauses, namely standard contractual clauses and model contracts for data transfers recognized by the Swiss Federal Data Protection and Information Commissioner, in order to ensure compliance with this Privacy Notice and applicable laws.


1.  DATA SECURITY

All personal data must be kept secure from unauthorized access. For computer-based information, this would include the use of passwords, password-protected screensavers, cryptographic mechanisms, and physical forms of security including portable media such as USB pens being locked away, etc.

Personal Data must not be held for longer than required and it must be destroyed securely. A Data Processor must periodically review whether the Data Subjects' data is accurate, up to date, and still necessary.

Particular care must be taken when holding personal information on laptops. Personal information held on laptops should be deleted as soon as it is no longer required.

Personal data held on paper should be kept in locked cupboards and/or drawers unless it is being worked on. Personal data/information should not be downloaded to non-encrypted laptops/devices.

This is in line with the legal requirement to take appropriate security and organizational measures for the prevention of unauthorized access to, alteration of, disclosure of, accidental loss, and destruction of the data in its control and to ensure that the measures provide a level of security appropriate to — (i) the harm that might result from unauthorized access to, alteration of, disclosure of, destruction of the data and its accidental loss; and (ii) the nature of the data concerned.

In the event that personal data, including any special category data, is unlawfully destroyed, lost, stolen, corrupted, disclosed, or released to an unauthorized person(s), the administrative staff must be informed.

Data breaches should be contained and responded to immediately upon discovering the breach. Data Processors should not try to manage the breach on their own but instead, report the incident and cooperate by providing information relating to the scope of the incident.

A Data Protection Impact Assessment should be undertaken immediately to identify the measures required to contain or limit potential damage and recovery from the incident. Any discussion of the data breach or circulation of information must be restricted to those directly involved in the investigation.

The communication of any data breach that involves personal data must be handled with care. Wider communication of a data breach, including notification to the regulatory authorities or research sponsors, will be managed by the Institution.



1.  ACCOUNTABILITY AND GOVERNANCE

The institution shall implement appropriate technical and organizational measures such as pseudonymization, data-protection principles, and data minimization in order to effectively protect the rights of data subjects.

The institution shall implement proper technical measures to ensure that personal data that are essential for a specific purpose are processed. Obligation shall be based on the amount of collected personal data, extent of processing, period of storage, and accessibility.

These measures will serve to ensure that by default, personal data are not accessed without the data subject’s intervention.

Requests by Data Subjects who are not members of the institution for access, rectification, erasure, portability, and/or objections to the processing of their Personal Data should be made through the institution’s website. Similar requests by staff members or students may be submitted via their work or student email accounts to the administration. The administration will be accountable for ensuring FADP and GDPR compliance by the organization, as well as evaluating and implementing data protection policies.


1.  WEBSITE ANALYTICS

We use website statistic packages such as Google Analytics to analyze trends in how our website is accessed and utilized. Information monitored includes internet protocol (IP) addresses, kind of device used, geographic location of visitors, browser type, internet service provider (ISP), referring/exit pages, platform type, date/time stamp, time spent on pages, and keywords used to find our site via search engines. This information is anonymous and cannot be directly linked to individual users. We may use it to identify high-use or low-use areas of the site, pinpoint problem areas of the site, analyze broad demographic trends in our visitors and make decisions about how to make it easier for people to find and navigate our website.

If you do not want analytics to be used in your browser, you can install the Google Analytics browser add-on. More information about the ways in which Google Analytics collects and processes personal data may be found here.

The AUS website may contain links to other sites. Please be aware that AUS is not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every website that collects personally identifiable information.

The AUS website may use "cookies" to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.

One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page.

You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the AUS website.

If you wish to disable cookies, you may do so through your individual browser options. More detailed information about cookie management with specific web browsers can be found on the browsers' respective websites.