Navigation

Data processing in associations

 

 

Collecting and using data within an association

Being a member of an association involves processing personal data. What are the rules on how this data can be collected and used?

Membership of an association, such as a cultural society or sports club, requires the processing of personal information: the association will need your address and date of birth, and may well keep photos or information on your achievements, etc. The use of this data in online publications, in sponsor communications or for other similar activities is subject to certain conditions.

When joining an association, you must provide certain personal data: your postal and email addresses, your telephone number, your date of birth etc. It may also be the case that as a member, your activities will often involve the processing of other information about you. For sports clubs or gyms, this can include photos of events that you appear in or information on your performance. The collection and processing of this personal data, e.g. its publication or communication to third parties, such as sponsors, is subject to the requirements of the Federal Act on Data Protection.

The association committee is responsible for ensuring that member data is used lawfully. The committee may only request association members to provide personal data that is directly related to the purpose of the association as set out in its statutes. If the association intends to collect and use other data from its members, to use the data it has for other purposes or to publish the data (e.g. on its website), it must first inform members of the reasons it would like to use the data in this manner and of the fact that members can refuse to allow the data to be used. 

The committee must ensure that the following principles are upheld:

  • Purpose limitation: Personal data may only be collected for specific purposes that are clear to the individual whose data is being collected, and any further use must be for a reason compatible with those purposes.
  • Transparency: Members of the association must be informed if their personal data is passed on to third parties or to other members and, if so, to whom and for what purpose.
  • Data minimisation: Only the data that is actually necessary to fulfil the association's purpose may be used. 

Special case: Reporting to an umbrella organisation 

An umbrella organisation or federation is a legal entity independent of the association and therefore has the status of a third party in relation to association members. Member data can therefore only be passed on to the umbrella organisation if the persons concerned have given their consent or if this is provided for in the statutes. 

Disclosure of member data within the association

In principle, the committee is responsible for communicating information to all members within the association. If this is done online, they will place recipients' email addresses in bcc in order to prevent them being passed on to other members. 
Providing member data to other members (e.g. giving out a list of members with addresses) is in principle only permitted if each member's consent has been obtained in advance and the data is being transmitted for a clear purpose. For example, the data can be used to establish contact between members for activities related to the association, but not for commercial purposes. 

Disclosure of member data to third parties (outside the association) 

Providing member data to third parties is only permitted if members have been informed of the purpose of the disclosure and have expressly consented to it or are given the opportunity to opt out beforehand. The information must specify which data (address, date of birth, telephone number, etc.) is being provided, for what purpose (e.g. advertising, licensing) and to which third parties (sponsors, federation, etc.). 
The statutes or a specific regulation may provide for disclosure in specific circumstances.
The disclosure of data to third parties is also possible when permitted or required by law (e.g. disclosure of data as part of criminal proceedings).

Example:

Publishing an association's general meeting minutes online provides an unlimited number of people worldwide with access to the content of the minutes. Since only members are required to receive the meeting minutes, online publication does not constitute a proportionate use of personal data. It would be more appropriate to publish the minutes in such a way that guarantees only the association’s members have access to them. 

Publication of member data

Prior to any publication, the association committee should consider whether it is appropriate to publish the data in question, either in print or on the association website, depending on the context and purpose of the publication. It should also inform the members. Publishing data online entails an increased risk that personal privacy will be breached. The published information becomes accessible worldwide, and the people concerned have no control over how their data is used. It is almost impossible to delete material that has been published online. It often makes more sense to provide a specific group of people with access to member data via a restricted area of the website. 

 

 

Further topics

 

Amateur sports events

What data may be processed in connection with an amateur sports event?

Photos and privacy

Smartphones and social networks have made it commonplace to take photos and publish them in some form. It’s important to know the rules that apply.

Right to be forgotten on the internet

Search engines make information that was published on the internet at a certain point in time accessible to everyone... including information that one would sometimes rather forget.

Questions on data protection

Take a look at our FAQ or call our hotline.

Right to information

In accordance with the Federal Act on Data Protection, any person may request information from the controller of a data file as to whether their personal data is being processed.

The main provisions

Here you can find out more about changes to the Data Protection Act, which came into force on 1 September 2023.

Webmaster
Last modification 11.05.2023

Top of page