Membership data
Question
The new Federal Act on Data Protection is in force. What do associations need to know?
Answer
The new Federal Act on Data Protection does not contain any specific provisions for associations. However, they must comply with the numerous new obligations and requirements laid down by the law. The most important change is an expansion of the obligation to provide information. When collecting personal data, associations must inform the data subjects about what data are collected and for what purposes they are processed. In practice, this obligation to provide information is usually fulfilled by means of a privacy policy on the website.
Question
A member would like to convene an extraordinary general meeting and has asked us to provide him with the contact details of all members. Are we allowed to do that?
Answer
If one fifth (or fewer, depending on the articles of association) of the members request an extraordinary general meeting, the Board of Directors must convene such a meeting. In practice, this means that the internal disclosure of member data within the association is permitted in this case, as it is required to exercise membership rights, namely, to convene an extraordinary general meeting (Art. 64 Section 3 of the Swiss Civil Code). In this case, however, the Board of Directors may only disclose the data that are strictly necessary to exercise this right (e.g., names and addresses). Members may only use the data passed on for this exact purpose; the data must then be destroyed, and the member in question must be expressly informed of this. As an alternative to publishing the data, the Board of Directors can offer to send the information to other members on behalf of the member.
Question
What do I need to know about our obligation to retain member data? Do we have to anonymise invoices for annual contributions, for example?
Answer
Data must be deleted as soon as they are no longer required for processing and there is no legal obligation to retain them. As long as there are still outstanding claims or a legal dispute, for example, the data do not have to be deleted. Furthermore, there is a ten-year retention obligation for annual reports, annual accounts, accounting vouchers and audit reports (see Art. 958f of the Code of Obligations). If such documents contain personal data, they may only be deleted once this retention period has expired. The law now mandates that associations which are obligated to be listed in the commercial register must maintain a member list. They must keep the details of every member for five years after the member leaves the association (cf. Art. 61a of the Swiss Civil Code).
Question
When may an association pass on personal data within the association?
Answer
In most cases, each member must either give their consent or, prior to the transfer, be informed about its purpose and given the option to object. Appropriate reasons to forward member data to other members can be laid down in the articles of association. This includes, for example, information on forwarding lists with member data to umbrella organisations or a note that the member list is made available to all members in the protected member area of the website. Members may withdraw their consent at any time.
Question
Who is responsible for data protection in our association?
Answer
An association manages large volumes of personal data, most of which pertain to its members. It must handle these data carefully. The association’s Board of Directors is responsible for handling the data in accordance with data protection regulations. In particular, it must ensure that the association has a privacy policy and consistently protects member data from misuse.