Data protection in clubs and associations
The following explanations are intended to help clubs and associations (generally referred to below as ‘associations’) and their members gain an overview of their rights and obligations. The focus is on the new obligations resulting from the revised Federal Act on Data Protection (FADP).
When joining an association, you must provide certain personal data: your postal and email addresses, your telephone number, your date of birth, etc. As a member, your activities will often lead to further information about you being processed. For sports clubs or gyms, this can include photos of events in which you appear or information on your performance. The collection and processing of this personal data, e.g. its publication or its communication to third parties such as sponsors, is subject to the requirements of the Federal Act on Data Protection.
The association committee is responsible for ensuring that member data is used lawfully. The committee may only request association members to provide personal data that is directly related to the purpose of the association as set out in its statutes. If the association intends to collect and use other data from its members, to use the data it has for other purposes or to publish the data (e.g. on its website), it must first inform members of the reasons it would like to use the data in this manner and of the fact that members can refuse to allow the data to be used.
The committee must ensure that the following principles are upheld:
- Purpose limitation: Personal data may only be collected for specific purposes that are clear to the individual whose data is being collected, and any further use must be for a reason compatible with those purposes.
- Transparency: Members of the association must be informed if their personal data is passed on to third parties or to other members and, if so, to whom and for what purpose.
- Data minimisation: Only the data that is actually necessary to fulfil the association's purpose may be used.
Frequent questions
Who is the controller as defined in Article 5 let. j FADP?
As far as people outside the association are concerned, the association itself is the controller. As a legal entity, the association is responsible to the data subjects and to the FDPIC for the data processing and for guaranteeing their rights. However, criminal sanctions under the FADP are not normally imposed on the legal entity, but on the natural person who is actually responsible for compliance with the FADP and who has committed an offence under Article 60 ff. FADP. (For more information on the sanctions, please refer to the following text:)
The (criminal) liability of this person depends on their specific function and role in the case concerned; the provisions are primarily intended to apply to persons in a managerial position.
Who is responsible for compliance with data protection regulations within the association?
An association as a corporate entity is managed and represented by its organs. The members’ general meeting, as the supreme organ of the association, elects representatives from the members of the association who form the committee as the executive organ and who represent the association in its external dealings.
The committee is responsible for ensuring that the association complies with the data protection regulations. If, for example, the committee sets up an administrative office to manage the day-to-day business, it must also draw up data processing guidelines alongside the business regulations and monitor the management of the association on a regular basis. Tasks relating to compliance with data protection regulations can also be assigned to a specific person, who need not be a member of the committee. Regardless of who is responsible for implementing and monitoring data protection measures, it is important that the office or person concerned has an adequate overview of all the data processing that is being carried out. Roles must be clearly defined so that no issue goes unaddressed for want of a defined responsibility. If necessary, the controller must define the processing procedures and the corresponding rules (i.e. issue processing regulations).
Do associations need the consent of their members to process their data?
Although the law has been revised, the principles of processing have not changed significantly. Personal data may only be processed lawfully, in good faith and proportionately (see Art. 6 FADP, Principles). Personal data pertaining to association members may still be processed without the consent of the data subjects if, for example, the processing is necessary to fulfil the purpose of the association. It is important that data are only processed for the purpose for which they were collected and that this purpose is also evident to the data subject (purpose limitation). In this regard, reference is also made to the comments below on Article 19 FADP, which lays down the controller's duty to provide information.
If personal data are processed contrary to the principles of data protection law (e.g. for a different purpose), this may result in a violation of the data subject's personality rights. However, such processing may be justified if there is an overriding private or public interest (e.g. data processing in direct connection with a contract) or if the data subject has consented.
If consent is required for data processing, the data subject must be comprehensively and appropriately informed about all the essential aspects of the data processing. In this regard, reference is made to the following explanations on Article 19 FADP. In the case of sensitive personal data (e.g. health data) or high-risk profiling, the law requires express consent, i.e. the data subjects must actively state that they consent to data processing.
What are the rules on publishing photographs of association members on the website?
The consent of the persons concerned is required before publishing photographs on the association's website. Under the law, consent that has been given can be revoked at any time. Accordingly, once data subjects have given their consent to the publication of photographs on the association's website, they can subsequently revoke this at any time. Unless it has other justification, the association must remove the photos in question immediately. For further information, please see:
Can the name of a donor be disclosed to the family of a deceased person?
The disclosure of the identity of donors, possibly with details of the amount donated, to the family of a deceased person requires the consent of the donors. They must be informed at the time the donation is made that their details will be passed on, and they must be offered a simple way of agreeing to or prohibiting this disclosure, e.g. by making a note on the payment slip.
Disclosure of member data
Disclosure of member data within the association
In principle, the committee is responsible for communicating information to all members within the association. If this is done by email, it should put the recipients' addresses in Bcc so that they are not disclosed to the other members.
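Mass mailings that put every member in the To: or Cc: header are a common way for an address list to leak. The example below is added here and is not code from the original page: it builds a bulletin in which member addresses appear only in the SMTP envelope (the equivalent of Bcc), shows the leaky variant for contrast, and checks the serialised message for any member address before it would be handed to a mail server. The sender address and member list are constructed sample data.

```python
from email.message import EmailMessage

# Constructed sample data (hypothetical addresses, not from the original page).
SENDER = "vorstand@example-verein.ch"
MEMBERS = [
    "anna@example.net",
    "beat@example.org",
    "carla@example.com",
]


def build_bulletin(sender, members, subject, body):
    """Return (message_bytes, envelope_recipients) for a bulletin to all members.

    Member addresses go only into the SMTP envelope (the RCPT TO list that is
    passed to smtplib's sendmail()), never into the To:/Cc: headers. The To:
    header names the committee's own address so the message stays well-formed.
    This has the same effect as putting every member in Bcc.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # visible header carries no member address
    msg["Subject"] = subject
    msg.set_content(body)
    envelope_recipients = list(members)
    return msg.as_bytes(), envelope_recipients


def build_bulletin_leaky(sender, members, subject, body):
    """The mistake to avoid: every recipient sees the whole member list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(members)  # addresses are delivered in the header
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), list(members)


def leaked_addresses(message_bytes, members):
    """Return the member addresses that appear anywhere in the serialised message.

    Run this as a last check before calling
    smtplib.SMTP(...).sendmail(sender, envelope_recipients, message_bytes).
    """
    text = message_bytes.decode("utf-8", errors="replace")
    return [address for address in members if address in text]


if __name__ == "__main__":
    safe, envelope = build_bulletin(SENDER, MEMBERS, "Newsletter", "Dear members, ...")
    print("safe message leaks:", leaked_addresses(safe, MEMBERS))      # []
    leaky, _ = build_bulletin_leaky(SENDER, MEMBERS, "Newsletter", "Dear members, ...")
    print("leaky message leaks:", leaked_addresses(leaky, MEMBERS))    # all three
```

The check scans the whole serialised message, so it also catches a member address that was pasted into the body by mistake; only the envelope list, which the mail server does not forward to recipients, is expected to contain the addresses.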
Providing member data to other members (e.g. giving out a list of members with addresses) is in principle only permitted if each member's consent has been obtained in advance and the data is being transmitted for a clear purpose. For example, the data can be used to establish contact between members for activities related to the association, but not for commercial purposes.
Special case: Reporting to an umbrella organisation
An umbrella organisation or federation is a legal entity independent of the association and therefore has the status of a third party in relation to association members. Member data can therefore only be passed on to the umbrella organisation if the persons concerned have given their consent or if this is provided for in the statutes.
Disclosure of member data to third parties (outside the association)
Providing member data to third parties is only permitted if members have been informed of the purpose of the disclosure and have expressly consented to it or are given the opportunity to opt out beforehand. The information must specify which data (address, date of birth, telephone number, etc.) is being provided, for what purpose (e.g. advertising, licensing) and to which third parties (sponsors, federation, etc.).
The statutes or a specific regulation may provide for disclosure in specific circumstances.
The disclosure of data to third parties is also possible when permitted or required by law (e.g. disclosure of data as part of criminal proceedings).
Publication of member data
Prior to any publication, the association committee should consider whether it is appropriate to publish the data in question, either in print or on the association website, depending on the context and purpose of the publication. It should also inform the members. Publishing data online entails an increased risk that personal privacy will be breached. The published information becomes accessible worldwide, and the people concerned have no control over how their data is used. It is almost impossible to delete material that has been published online. It often makes more sense to provide a specific group of people with access to member data via a restricted area of the website.
Case example:
Publishing the minutes of the general meeting on the website means that an unlimited number of people around the world have access to their content. Since you only have to send the minutes to your members, publishing them on the internet would constitute disproportionate processing of personal data. The alternative of giving access to the minutes only to your members would be more appropriate.
What are the most important recommendations? (rights and obligations)
A stricter obligation to minimise data
In accordance with the principle of proportionality (see Art. 6 para. 2 FADP), only personal data that are suitable and necessary for the intended purpose may be processed. In addition, there must be a proportionate relationship between the purpose and the means used, and the rights of the data subjects must be protected as far as possible. The principle of proportionality partially overlaps with the newly introduced principles of ‘data protection by design and default’, which are set out in Article 7 FADP.
According to the obligation to minimise data, the processing of personal data in clubs and associations must be organised in such a way that it is limited to the minimum necessary to achieve the intended purpose, unless the data subject agrees otherwise.
Personal data must be erased or anonymised as soon as it is no longer required for the purpose of processing, unless there is a statutory obligation to retain it. One such obligation is the 10-year retention obligation for annual reports, annual accounts and accounting documents.
Duty to provide information when collecting personal data
The duty to provide information pursuant to Article 19 FADP applies to all data processing and is intended to improve the transparency of data processing, thereby bolstering the rights of data subjects. In particular, information must be provided on the identity and contact details of the controller, the fact that personal data are being collected, the purposes of processing, and the recipients or categories of recipients of disclosed data.
The information must be provided when personal data is collected from the data subject. The duty to provide information also applies if the data are not obtained directly from the data subjects. The information must be provided in a precise, transparent, comprehensible and easily accessible form. The more sensitive the personal data processed and the greater the risk of a breach of personality rights, the higher the requirements for the extent and level of detail of the information provided to the data subjects.
To ensure transparency in practice, it has proven to be a good idea to formulate all the relevant information about data collection and subsequent data processing in separate data protection notices or provisions and then publish them, on the website of the association, for example. Reference can then be made to this generally accessible information when collecting data.
In connection with websites, these notices are referred to as privacy statements/policies or data protection declarations. If personal data is collected on a website (e.g. via a contact form), information can be provided in a (multi-level) privacy statement. When choosing the form of information, the controller must ensure that the data subjects receive the most important information at the first stage of communication.
For further information, please refer to the information already published on our website:
Do all members have to be informed about data already collected because the law has changed?
When the new Data Protection Act came into force, the principles of data processing essentially remained the same (see above). This means that data controllers do not have to inform data subjects again about data processing that had already taken place before 1 September 2023, provided that notice had already been given of the processing and nothing has changed since.
Improving the rights of data subjects
Persons whose personal data are processed have the right to obtain information about their own data. As a rule, this information must be provided within 30 days and at no cost to the person concerned. Furthermore, individuals also have the right to have incorrect data corrected or to request the erasure of data. Associations must offer data subjects a simple way of exercising their rights. This is why the provision of information in accordance with Article 19 FADP is so important. The information on these rights can, for example, be placed on the association’s own website with a contact address.
Obligation to carry out a data protection impact assessment
If new data processing is planned that could potentially pose a high risk to the data subjects, a data protection impact assessment (DPIA) must be carried out. This must precisely document the intended project and consider appropriate measures to protect the data subjects. Under paragraph 2 of Article 22 FADP, a high risk may arise from the use of new technologies, and depends on the nature, extent, circumstances and purpose of the processing. The more extensive the processing and the more sensitive the processed data, the higher the risk is likely to be.
For relatively small organisations, such as associations, it is not always clear whether a DPIA should be carried out. It is therefore advisable to carry out a preliminary risk assessment in order to obtain a clearer idea of what the data processing involves and what the risks are to be able to assess on a more objective basis whether a DPIA should be carried out.
Obligation to issue processing regulations
Under Article 5 of the Data Protection Ordinance (DPO), private controllers and processors must issue regulations if they process large volumes of sensitive personal data by automated means (i.e. not only in analogue form, but also with the aid of computers, smartphones, tablets or cameras) or carry out high-risk profiling.
The term ‘large volume’ refers to cases in which sensitive personal data are not merely processed on an occasional basis. Large volume processing occurs, for example, if the processing of sensitive personal data is one of the main activities of the association. Associations in the health and social sectors (e.g. patient organisations) are likely to be affected by this obligation.
High-risk profiling is processing that allows an assessment of key aspects of personality, i.e. provides a complete picture of a person, e.g. information from health applications such as fitness trackers, which compile and link a large volume of diverse data.
Obligation to keep a record of processing activities
The controller and all data processors are obliged to keep a record of their processing activities. The record is a general description of the processing activities that should contain as a minimum the information listed in Article 12 paragraphs 2 and 3 FADP and allows compliance with the obligations to provide transparency and documentation.
Clubs and associations with fewer than 250 employees (including volunteers) whose processing activities involve only a low risk of breaches of personality rights are generally exempt from keeping records, unless they process a large volume of sensitive personal data or carry out high-risk profiling (Art. 24 para. 1 lets a and b DPO). Associations in the health and social sectors (e.g. patient associations) are likely to be affected by this obligation because they process sensitive personal data. Irrespective of whether this obligation applies, keeping records is a useful way of maintaining an adequate overview of the processing procedures in your own association.
Recognition of codes of conduct from professional, industry and trade associations
Professional, industry and trade associations that are authorised by their articles of association to safeguard the economic interests of their members may draw up codes of conduct that explain aspects of the FADP for their respective fields and provide guidance on applying the data protection standards correctly (Art. 11 FADP). For example, explanations can help to define ‘high risk’ in accordance with Article 22 paragraph 1 FADP. For a fee, an association can submit its code to the FDPIC for a critical review, but it is under no obligation to do so.