
Data protection

The provisions of the Data Protection Act apply to associations, too. All member data (addresses and other personal data) may only be collected if they are necessary for exercising the association’s purpose. Without the consent of the member, they may not be passed on to third parties. Members have the right to request information with regard to their personal data from the association.

Question

Do we need to amend our articles of association to comply with the new Federal Act on Data Protection?

Answer

We recommend that associations include an article on data protection the next time they revise their articles of association. This article regulates how the association handles data and how or in which cases, for example, the appropriate transfer of member data to other members is permitted. For support, the vitamin B model articles of association now include Article 13 on data protection, which contains sample formulations and comments: https://www.vitaminb-e.ch/tools/work-aids/

Question

Like many associations, we communicate by email, chat tools, electronic newsletters and digital filing systems. How do we, the Board of Directors, know which digital tools are safe in terms of data protection law?

Answer

The Board of Directors must check each provider’s reliability and ensure that they guarantee data security (in cases where the provider processes the association’s personal data as part of a contract, e.g., in the case of a cloud solution). The Board of Directors does so by asking the provider directly. The provider may also have certain quality labels or certifications in the area of data protection. An association must contractually obligate the provider, i.e., it must obtain legally binding assurances that the data will be handled responsibly, securely and in confidence.

Question

Is it permissible to ask members to respond with their first name, surname, and signature when participating in a written vote?

Answer

You must ensure that only people entitled to vote take part in the vote and/or elections. It is therefore correct that voting persons need to be able to be identified. An independent person can then count these ballots during the counting process and the results can be determined without allocating them to the people voting. If you want to ensure complete anonymity during votes, for example, you would have to create separate voting cards that have to be sent back with the vote or ballot (as is the case for political elections). I would only recommend this procedure if an election is strongly contested. 

Question

The new Federal Act on Data Protection is in force. What do associations need to know?

Answer

The new Federal Act on Data Protection does not contain any specific provisions for associations. However, they must comply with the numerous new obligations and requirements laid down by the law. The most important change is an expansion of the obligation to provide information. When collecting personal data, associations must inform the data subjects about what data are collected and for what purposes they are processed. In practice, this obligation to provide information is usually fulfilled by means of a privacy policy on the website.

Question

A member would like to convene an extraordinary general meeting and has asked us to provide him with the contact details of all members. Are we allowed to do that?

Answer

If one fifth (or fewer, depending on the articles of association) of the members request an extraordinary general meeting, the Board of Directors must convene such a meeting. In practice, this means that the internal disclosure of member data within the association is permitted in this case, as it is required to exercise membership rights, namely, to convene an extraordinary general meeting (Art. 64 Section 3 of the Swiss Civil Code). In this case, however, the Board of Directors may only disclose the data that are strictly necessary to exercise this right (e.g., names and addresses). Members may only use the data passed on for this exact purpose; the data must then be destroyed, and the member in question must be expressly informed of this. As an alternative to publishing the data, the Board of Directors can offer to send the information to other members on behalf of the member.

Question

What do I need to know about our obligation to retain member data? Do we have to anonymise invoices for annual contributions, for example?

Answer

Data must be deleted as soon as they are no longer required for processing and there is no legal obligation to retain them. As long as there are still outstanding claims or a legal dispute, for example, the data do not have to be deleted. Furthermore, there is a ten-year retention obligation for annual reports, annual accounts, accounting vouchers and audit reports (see Art. 958f of the Code of Obligations). If such documents contain personal data, they may only be deleted after the deadline. The law now mandates that associations which are obligated to be listed in the commercial register must maintain a member list. They must keep the details of every member for five years after the member leaves the association (cf. Art. 61a of the Swiss Civil Code).

Question

Our association now has a Facebook account. To make the page attractive, we want to make photos of our activities available within the network. In some cases, easily recognisable individuals are shown. Does their permission need to be requested? After all, the images on our Facebook page can only be viewed by "friends".

Answer

Photos are classified as sensitive personal data and, generally speaking, may only be used with the consent of the individuals shown in them. Even if you are able to restrict access on Facebook, it is nevertheless an open medium whose appeal lies in precisely the fact that more and more people gain more and more insights. Furthermore, the association is interested in having as many "friends" as possible.

I therefore advise against publishing any photos without first obtaining the consent of the affected individuals. Sending an enquiry in this regard to association members also provides the opportunity to get in contact with them.

As a rule, images should be used in which people are only recognisable to a limited extent or as part of a crowd. Furthermore, photos should not be labelled with the names of the people who appear in them. No images should be used that encroach on the privacy of the people shown in them or that allow for conclusions to be drawn about their religious or political views, show the consumption of drugs or criminal activities, document the receipt of social welfare, etc.

It goes without saying that images should be deleted upon the request of the people they show.

Question

Associations have been receiving increased requests for information about their data processing policies. What do we need to know about this?

Answer

There have been amendments to the obligation to provide information. Associations should be prepared for this and define a procedure governing requests for information. Firstly, the identity of the person requesting information must be established (e.g. by means of an ID). The person must then be informed which data about them are processed for which purposes, how long they are stored and where the data come from. If applicable, they must be told which recipients receive which data (e.g. umbrella organisation, printing company, etc.). This information should generally be provided in writing within 30 days and free of charge.

Question

Who is responsible for data protection in our association?

Answer

An association manages large volumes of personal data, most of which pertain to its members. It must handle these data carefully. The association’s Board of Directors is responsible for handling the data in accordance with data protection regulations. In particular, it must ensure that the association has a privacy policy and consistently protects member data from misuse.