The provisions of the Data Protection Act apply to associations, too. All member data (addresses and other personal data) may only be collected if they are necessary for exercising the association’s purpose. Without the consent of the member, they may not be passed on to third parties. Members have the right to request information with regard to their personal data from the association.

Question

Like many associations, we communicate by email, chat tools, electronic newsletters and digital filing systems. How do we, the Board of Directors, know which digital tools are safe in terms of data protection law?

Answer

The Board of Directors must check each provider’s reliability and ensure that they guarantee data security (in cases where the provider processes the association’s personal data as part of a contract, e.g., in the case of a cloud solution). The Board of Directors does so by asking the provider directly. The provider may also have certain quality labels or certifications in the area of data protection. An association must contractually obligate the provider, i.e., it must obtain legally binding assurances that the data will be handled responsibly, securely and in confidence.

Question

The new Federal Act on Data Protection is in force. What do associations need to know?

Answer

The new Federal Act on Data Protection does not contain any specific provisions for associations. However, they must comply with the numerous new obligations and requirements laid down by the law. The most important change is an expansion of the obligation to provide information. When collecting personal data, associations must inform the data subjects about what data are collected and for what purposes they are processed. In practice, this obligation to provide information is usually fulfilled by means of a privacy policy on the website.

Question

Associations have been receiving increased requests for information about their data processing policies. What do we need to know about this?

Answer

There have been amendments to the obligation to provide information. Associations should be prepared for this and define a procedure governing requests for information. Firstly, the identity of the person requesting information must be established (e.g. by means of an ID). The person must then be informed which data about them are processed for which purposes, how long they are stored and where the data comes from. If applicable, they must be told which recipients receive which data (e.g. umbrella organisation, printing company, etc.). This information should generally be provided in writing within 30 days and free of charge.

Question

Who is responsible for data protection in our association?

Answer

An association manages large volumes of personal data, most of which pertain to its members. It must handle these data carefully. The association’s Board of Directors is responsible for handling the data in accordance with data protection regulations. In particular, it must ensure that the association has a privacy policy and consistently protects member data from misuse.

Question

Do we need to amend our articles of association to comply with the new Federal Act on Data Protection?

Answer

We recommend that associations include an article on data protection the next time they revise their articles of association. This article regulates how the association handles data and how or in which cases, for example, the appropriate transfer of member data to other members is permitted. For support, the vitamin B model articles of association now include Article 13 on data protection, which contains sample formulations and comments: https://www.vitaminb-e.ch/tools/work-aids/

The provisions of the Data Protection Act apply to associations, too. All member data (addresses and other personal data) may only be collected if they are necessary for exercising the association’s purpose. Without the consent of the member, they may not be passed on to third parties. Members have the right to request information with regard to their personal data from the association.

Question

Is it permissible to ask members to respond with their first name, surname, and signature when participating in a written vote?

Answer

You must ensure that only people entitled to vote take part in the vote and/or elections. It is therefore correct that voting persons need to be able to be identified. An independent person can then count these ballots during the counting process and the results can be determined without allocating them to the people voting. If you want to ensure complete anonymity during votes, for example, you would have to create separate voting cards that have to be sent back with the vote or ballot (as is the case for political elections). I would only recommend this procedure if an election is strongly contested. 

Question

The new Federal Act on Data Protection is in force. What do associations need to know?

Answer

The new Federal Act on Data Protection does not contain any specific provisions for associations. However, they must comply with the numerous new obligations and requirements laid down by the law. The most important change is an expansion of the obligation to provide information. When collecting personal data, associations must inform the data subjects about what data are collected and for what purposes they are processed. In practice, this obligation to provide information is usually fulfilled by means of a privacy policy on the website.

The association maintains a list of members or a member file which contains the most important information about individual members (member data).

Question

A member would like to convene an extraordinary general meeting and has asked us to provide him with the contact details of all members. Are we allowed to do that?

Answer

If one fifth (or fewer, depending on the articles of association) of the members request an extraordinary general meeting, the Board of Directors must convene such a meeting. In practice, this means that the internal disclosure of member data within the association is permitted in this case, as it is required to exercise membership rights, namely, to convene an extraordinary general meeting (Art. 64 Section 3 of the Swiss Civil Code). In this case, however, the Board of Directors may only disclose the data that are strictly necessary to exercise this right (e.g., names and addresses). Members may only use the data passed on for this exact purpose; the data must then be destroyed, and the member in question must be expressly informed of this. As an alternative to publishing the data, the Board of Directors can offer to send the information to other members on behalf of the member.

All notes, addresses, file entries, files in the computer and files including photos referring to members and containing information about them are data. They are protected and may not be passed on without the consent of the persons concerned (data protection).

Question

What do I need to know about our obligation to retain member data? Do we have to anonymise invoices for annual contributions, for example?

Answer

Data must be deleted as soon as they are no longer required for processing and there is no legal obligation to retain them. As long as there are still outstanding claims or a legal dispute, for example, the data do not have to be deleted. Furthermore, there is a ten-year retention obligation for annual reports, annual accounts, accounting vouchers and audit reports (see Art. 958f of the Code of Obligations). If such documents contain personal data, they may only be deleted after the deadline. The law now mandates that associations which are obligated to be listed in the commercial register must maintain a member list. They must keep the details of every member for five years after the member leaves the association (cf. Art. 61a of the Swiss Civil Code).

Question

When may an association pass on personal data within the association?

Answer

In most cases, each member must give their consent or be informed about the purpose of the data transfer with the option to object prior to the transfer. Appropriate reasons to forward member data to other members can be laid down in the articles of association. This includes, for example, information on forwarding lists with member data to umbrella organisations or a note that the member list is made available to all members in the protected member area of the website. Members may withdraw their consent at any time.

Question

Associations have been receiving increased requests for information about their data processing policies. What do we need to know about this?

Answer

There have been amendments to the obligation to provide information. Associations should be prepared for this and define a procedure governing requests for information. Firstly, the identity of the person requesting information must be established (e.g. by means of an ID). The person must then be informed which data about them are processed for which purposes, how long they are stored and where the data comes from. If applicable, they must be told which recipients receive which data (e.g. umbrella organisation, printing company, etc.). This information should generally be provided in writing within 30 days and free of charge.

Question

Who is responsible for data protection in our association?

Answer

An association manages large volumes of personal data, most of which pertain to its members. It must handle these data carefully. The association’s Board of Directors is responsible for handling the data in accordance with data protection regulations. In particular, it must ensure that the association has a privacy policy and consistently protects member data from misuse.

The provisions of the Data Protection Act apply to associations, too. All member data (addresses and other personal data) may only be collected if they are necessary for exercising the association’s purpose. Without the consent of the member, they may not be passed on to third parties. Members have the right to request information with regard to their personal data from the association.

The general meeting and each individual member have a legally enforceable right to information towards the management of the association, if they can prove a legitimate interest (for example, to clarify whether they wish to submit a motion to the general meeting or to have access to the membership list for the purpose of convening an extraordinary general meeting). The association itself, on the other hand, has an interest in privacy and must comply with the provisions of data protection laws. This interest in privacy shall be weighed against members’ interest in disclosure and, depending on how much weight it has, the member will receive only partial or no information.

Copyright arises automatically when a work is created, for example, when something is photographed, painted, written or composed. Protection does not require registration, nor is the affixing of the © symbol a prerequisite for protection. The author is the (natural) person who created the work (principle of creativity). A “work” as defined by the Swiss Federal Act on Copyright and Related Rights (protected under Article 2 of the Copyright Act, CopA) must meet the following criteria: It must 1. be an intellectual creation; 2. have individual character, and 3. belong to the field of literature, art or computer programs. The website of an association can also be protected by copyright (design, code, texts, photos). The revision of the Copyright Act made an important addition to Article 2(3bis): photographic depictions are considered works, even if they do not have individual character. This means that since 1 April 2020, all images are protected, even those that do not meet the requirements of a work under Article 2(1) CopA, i.e. also images by amateur photographers!

Question

We published images on our website that we found via Google. We have now received a warning from lawyers in Germany. Do we have to take this seriously?

Answer

On Swiss websites, suspected copyright breaches often occur through the unauthorised use of images. For this reason, many warnings are issued owing to the use of such images on Swiss websites, with this also being especially true from Germany, where an actual warning industry has become established. Typical traps that lead to warnings include "image theft" via Google or Wikipedia, the violation of license conditions for "free" or "license-free" images and the online publication of presentations or association magazines with images.

In the case of the images for which the warnings are issued, it is often questionable whether they are protected by copyright in Switzerland. The absence of protection in Switzerland does not mean, however, that it is not possible to receive warnings from Germany. In cases of doubt, a court must rule on the matter. In each individual case, it is therefore essential to carefully check how to respond correctly to such a warning.

Should you respond incorrectly, you may damage your own legal position. In (almost) every case, the wrong response is to simply dispose of such warnings as waste paper. Nor is it usually possible to settle such warnings by issuing an apology to the opposing lawyer. It also doesn't help to insult the opposing lawyer.

Recommendations from the lawyer Martin Steiger on the correct way to proceed upon receiving warnings

A model release is the written legal permission, usually signed by the person depicted in a photograph, which gives the photographer or the association permission to publish the image.

Question

Our association now has a Facebook account. To make the page attractive, we want to make photos of our activities available within the network. In some cases, easily recognisable individuals are shown. Does their permission need to be requested? After all, the images on our Facebook page can only be viewed by "friends".

Answer

Photos are classified as sensitive personal data and, generally speaking, may only be used with the consent of the individuals shown in them. Even if you are able to restrict access on Facebook, it is nevertheless an open medium whose appeal lies in precisely the fact that more and more people gain more and more insights. Furthermore, the association is interested in having as many "friends" as possible.

I therefore advise against publishing any photos without first obtaining the consent of the affected individuals. Sending an enquiry in this regard to association members also provides the opportunity to get in contact with them.

As a rule, images should be used in which people are only recognisable to a limited extent or as part of a crowd. Furthermore, photos should not be noted with the names of the people who appear in them and no images should be used that encroach on the privacy of the people shown in them or that allow for conclusions to be drawn about their religious or political views, show the consumption of drugs or criminal activities, document the receipt of social welfare, etc.

It goes without saying that images should be deleted upon the request of the people they show.

It is recommended that the rights of use of the association to copyrighted material and the right to the image of the members of the association be specified in separate regulations. The drafting of such regulations is usually the responsibility of the Board, provided this is regulated accordingly in the Articles of Association. A regulation of the persons depicted governs the use of images in which members of the association are depicted and/or the use of such material by the association.

It is recommended that the rights of use of the association to copyrighted material and the right to the image of the members of the association be specified in separate regulations. The drafting of such regulations is usually the responsibility of the Board, provided this is regulated accordingly in the Articles of Association. The regulations for photographers govern the rights of use by the association to copyright material created by members of the association, such as photographs, clips, illustrations, etc.

Every person has a right to their own image, so they can decide whether, where, when it may be published in print or online. The person depicted must therefore give their consent, for example, by means of a so-called model release. Supplementary regulations concerning the content of images with regard to the right to one’s own image of members and/or the use of such material by the association are, therefore, also important.

When publishing photographs on the internet, two rights are to be considered: the copyright and the right to one’s own image (personality rights). The copyright arises automatically at the time of the creation of a work. Websites may be protected by copyright, e.g. the design, the code, the texts or the photos used. When publishing photos on its website, the association must make sure that they are allowed to use the photos (right of use). In addition, any publication of a photograph requires the consent of the person depicted (right to own picture). Attention: Anyone who publishes material from third parties (such as a PPT presentation) on their website may be sued for copyrighted photos displayed therein!