Public Beta Trust Infrastructure Privacy Statement
1. General information
Your data is safe in our hands. The Federal Administration only collects the personal data that it absolutely requires to fulfil its tasks (data minimisation). Stored data is carefully managed and protected against any form of abuse.
Under Article 13 of the Swiss Constitution and the federal data protection provisions, all persons are entitled to have their individual privacy preserved and to be protected against the misuse of their personal data. The Federal Administration complies with these provisions on its websites and in providing its web services.
2. Introduction
In this privacy statement, the Federal Office of Information Technology, Systems and Telecommunication (FOITT) explains to what extent, for what purpose and under what conditions it processes personal data with regard to the use of the base registry and trust registry. The FOITT processes the data it receives in accordance with this privacy statement, either itself or by forwarding it to third parties.
The processing of personal data by the Federal Administration is governed by the Swiss Data Protection Act. It applies to data processing in connection with the operation of information systems for issuing and verifying digital credentials from the federal trust infrastructure. Data processing by the FOITT is based on the Federal Act on Electronic Identity Credentials (e-ID Act).
3. Scope
This privacy statement applies to data processing in connection with the base registry and the trust registry for the public beta trust infrastructure, the specific implementations of which are hereinafter referred to as beta base registry and beta trust registry.
4. Responsibility
The data processing described here is under the responsibility of the
Federal Office of Information Technology, Systems and Telecommunication FOITT
3003 Bern
Switzerland
T +41 58 463 25 11
info@bit.admin.ch
5. Data processing and purpose of the beta base registry and beta trust registry
The Federal Office of Information Technology, Systems and Telecommunication (FOITT) provides a publicly accessible base registry. It contains data that is required to:
- verify whether electronic credentials such as cryptographic keys and identifiers have been subsequently changed;
- verify whether electronic credentials originate from the issuers entered in the base registry and the associated identifiers;
- enter persons in the trust registry who issue (issuers) or verify (verifiers) electronic credentials;
- verify whether an electronic credential has been revoked.
The base registry does not contain any data on the individual electronic credentials, with the exception of data on their revocation. The data on the revocation of electronic credentials does not allow any conclusions to be drawn on the holder's identity or on the content of the credential.
The FOITT provides a publicly accessible trust registry; this contains data that is useful for:
- the verification of the identity provided by the issuers and verifiers;
- the secure use of electronic credentials.
When you use the service, we process the following personal data:
- Surname
- First name
- Email address
- IP address
6. The registration includes the following types of onboarding:
6.1 Onboarding to the beta base registry (technical trust)
Persons register their organisation on the swiyu trust infrastructure application linked in ePortal using their organisation name and email address. They then receive access to the API self-service portal application, where they can subscribe to the beta base registry and beta status registry API. The request to publish the public key material associated with the decentralised identifier (DID) is authorised in the controller and then stored in the beta base registry.
6.2 Onboarding to the beta trust registry via trust statement (human trust)
Persons can submit a request for inclusion in the beta trust registry on the swiyu trust infrastructure application linked in ePortal. Onboarding to the beta base registry in line with section 6.1 is a prerequisite for this. Persons then submit the information required for a trust statement (DID of the organisation in the beta base registry, organisation name, logo, email) to the FOITT using the contact method specified in the swiyu trust infrastructure.
7. What happens to your data?
The processing of personal data on the websites of the Confederation is limited to the data that is required to provide a properly functioning website and user-friendly content and services, or to the data that you actively made available to us. The personal data that we collect is only retained for as long as required in order to fulfil the purpose concerned. Some data may be retained for longer in order to meet statutory requirements or other obligations.
8. Data transfer
In order to achieve the purposes described in this privacy statement, it may be necessary for us to pass on your personal data to other authorities or service providers. The categories of recipients are as follows:
- external service providers
- suppliers
- authorities
- courts, if applicable
The provision of reports from information systems or their retrieval by ePortal takes place via Federal Administration servers.
9. Place of data processing
We store and process your personal data exclusively in Switzerland.
10. Data security
In order to protect the data against unauthorised access, loss and misuse, the FOITT takes appropriate security measures of both a technical nature (encryption, logging, access controls and restrictions, backups, IT and network security solutions, etc.) and an organisational nature (instructions for employees, confidentiality agreements, reviews, etc.).
Website: When you visit our website, the Federal Administration uses encrypted data communication based on TLS in conjunction with the highest encryption level supported by your browser. You can see whether an individual website page is transmitted in encrypted form by checking whether the lock symbol displayed in the address bar of your browser is closed.
General data processing: In addition, the Federal Administration takes appropriate technical and organisational security measures during data processing in order to protect your data against accidental or wilful manipulation, partial or complete loss, destruction or unauthorised access by third parties. The Federal Administration's security measures correspond to the current state of the art.
11. Your rights in relation to your personal data
You have the following rights in relation to personal data concerning you:
- the right to obtain information on what personal data about you we store and how we process it;
- the right to have a copy of your personal data provided or transferred to you in a commonly used format;
- the right to rectification of your personal data;
- the right to deletion of your personal data;
- and the right to object to the processing of your personal data.
Please note that these rights are subject to statutory requirements and exceptions. To the extent permitted by law, we may refuse your request to exercise these rights. You additionally have the right to file an objection with the competent data protection authority.
12. Amendments
The FOITT may amend this privacy statement at any time without prior notice, in particular if we change our data processing practices or if new legal provisions come into force. The current published version or the version valid for the period in question shall apply.