{"id":68359,"date":"2026-03-14T20:10:12","date_gmt":"2026-03-14T20:10:12","guid":{"rendered":"https:\/\/youngexplorersclub.ch\/understanding-swiss-photo-consent-policies\/"},"modified":"2026-03-14T20:10:12","modified_gmt":"2026-03-14T20:10:12","slug":"understanding-swiss-photo-consent-policies","status":"publish","type":"post","link":"https:\/\/youngexplorersclub.ch\/fr\/understanding-swiss-photo-consent-policies\/","title":{"rendered":"Understanding Swiss Photo Consent Policies"},"content":{"rendered":"<h2>Overview<\/h2>\n<p>Since the revised <strong>Swiss Federal Act on Data Protection (FADP)<\/strong> took effect on <strong>1 September 2023<\/strong>, identifiable photographs are treated as <strong>personal data<\/strong>. Controllers\u2014those who decide <strong>why<\/strong> and <strong>how<\/strong> images are processed\u2014must meet stricter <strong>transparency<\/strong>, <strong>documentation<\/strong> and <strong>accountability<\/strong> duties while also respecting civil\u2011law image\u2011protection rules (Art. 28 CC).<\/p>\n<h2>Key Takeaways<\/h2>\n<ul>\n<li>The revised <strong>FADP<\/strong> (effective <strong>1 Sep 2023<\/strong>) treats identifiable photos as <strong>personal data<\/strong> and operates alongside <strong>Art. 28 CC<\/strong>. Compliance programs must combine <strong>data\u2011protection<\/strong> and <strong>image\u2011protection<\/strong> duties.<\/li>\n<li><strong>Lawful bases<\/strong> go beyond <strong>consent<\/strong>. If relying on consent, it must be <strong>informed<\/strong>, <strong>specific<\/strong>, <strong>freely given<\/strong> and <strong>revocable<\/strong>. Controllers must <strong>document<\/strong> and <strong>justify<\/strong> the chosen legal basis.<\/li>\n<li>Maintain <strong>auditable consent records<\/strong> showing controller, purpose and scope (channels and duration). Include <strong>retention rules<\/strong>, <strong>withdrawal procedure<\/strong> and timestamps. Store <strong>consent metadata<\/strong> with each image.<\/li>\n<li>Apply extra safeguards for <strong>minors<\/strong> and <strong>high\u2011risk processing<\/strong>. Obtain explicit parental consent for commercial uses. Conduct <strong>DPIAs<\/strong> where appropriate. Use the <strong>editorial exemption<\/strong> only after a case\u2011by\u2011case balancing test.<\/li>\n<li>Implement technical and organisational measures: <strong>encrypt<\/strong> images in transit and at rest, enforce <strong>least\u2011privilege access<\/strong> and logging, map transfers and safeguards. Treat <strong>face\u2011recognition<\/strong> tools as high\u2011risk and require documented justification.<\/li>\n<\/ul>\n<h2>Lawful Bases and Documentation<\/h2>\n<h3>Acceptable Legal Bases<\/h3>\n<p>Controllers must record a clear <strong>lawful basis<\/strong> for processing images. Typical bases include:<\/p>\n<ul>\n<li><strong>Consent<\/strong> \u2014 informed, specific, freely given and revocable;<\/li>\n<li><strong>Contract<\/strong> \u2014 processing necessary to perform contractual obligations;<\/li>\n<li><strong>Legal obligation<\/strong> \u2014 where a statute or regulation mandates processing;<\/li>\n<li><strong>Legitimate interest<\/strong> \u2014 after a documented balancing test showing interests do not override the data subject\u2019s rights.<\/li>\n<\/ul>\n<h3>Documenting the Choice<\/h3>\n<p>For every processing activity, keep an auditable record that explains the chosen legal basis and the <strong>justification<\/strong> for it. This record should be retained and made available to supervisory authorities if requested.<\/p>\n<h2>Consent Records and Metadata<\/h2>\n<h3>What to Record<\/h3>\n<p>Consent records should be <strong>auditable<\/strong> and linked to each image. At minimum, record:<\/p>\n<ol>\n<li><strong>Controller<\/strong> identity;<\/li>\n<li><strong>Purpose<\/strong> and scope (including channels and duration);<\/li>\n<li><strong>Retention rules<\/strong> and deletion schedule;<\/li>\n<li><strong>Withdrawal procedure<\/strong> and timestamps for consent\/grant\/withdrawal;<\/li>\n<li>Any <strong>conditions<\/strong> attached to consent (e.g., limited to editorial or promotional use).<\/li>\n<\/ol>\n<h3>Technical Implementation<\/h3>\n<p>Store <strong>consent metadata<\/strong> together with the digital asset (e.g., in the DAM or asset database) so each image carries its legal status, consent timestamps and applicable restrictions.<\/p>\n<h2>Safeguards for Minors and High\u2011Risk Uses<\/h2>\n<h3>Minors<\/h3>\n<p>Apply <strong>heightened safeguards<\/strong> when processing images of minors. For commercial uses, obtain <strong>explicit parental consent<\/strong> and verify parental authority where feasible.<\/p>\n<h3>High\u2011Risk Processing<\/h3>\n<p>High\u2011risk uses (e.g., profiling, public dissemination, or use with face\u2011recognition) require additional measures:<\/p>\n<ul>\n<li>Conduct a <strong>Data Protection Impact Assessment (DPIA)<\/strong> where appropriate;<\/li>\n<li>Apply technical protections, anonymisation or pseudonymisation where possible;<\/li>\n<li>Limit access and perform regular risk reviews.<\/li>\n<\/ul>\n<h2>Editorial Exemption<\/h2>\n<p>Use the <strong>editorial exemption<\/strong> only after a documented, <strong>case\u2011by\u2011case balancing test<\/strong> weighing public interest, freedom of expression and the data subject\u2019s privacy rights. Do not rely on it as a blanket justification.<\/p>\n<h2>Technical and Organisational Measures<\/h2>\n<h3>Encryption and Storage<\/h3>\n<p>Encrypt images both <strong>in transit<\/strong> and <strong>at rest<\/strong>. Use secure key management and limit plaintext exposure.<\/p>\n<h3>Access Controls and Logging<\/h3>\n<p>Enforce <strong>least\u2011privilege<\/strong> access using role\u2011based controls, multifactor authentication for privileged accounts, and comprehensive <strong>logging<\/strong> of access and processing events.<\/p>\n<h3>Transfers and Third Parties<\/h3>\n<p>Map any <strong>transfers<\/strong> of images to third parties and document contractual safeguards. Ensure adequate protections when transferring across borders.<\/p>\n<h3>Face\u2011Recognition and Emerging Tools<\/h3>\n<p>Treat <strong>face\u2011recognition<\/strong> and similar biometric tools as <strong>high\u2011risk<\/strong>. Require a documented justification, enhanced safeguards, and relevant approvals before deployment.<\/p>\n<h2>Practical Steps for Controllers<\/h2>\n<ol>\n<li>Update internal policies to reflect the revised <strong>FADP<\/strong> and <strong>Art. 28 CC<\/strong>.<\/li>\n<li>Map image inventories and tag assets with <strong>consent metadata<\/strong>.<\/li>\n<li>Implement technical controls (encryption, access control, logging).<\/li>\n<li>Establish a process for <strong>DPIAs<\/strong> and for deciding when the <strong>editorial exemption<\/strong> applies.<\/li>\n<li>Train staff on image\u2011specific duties and retention\/withdrawal procedures.<\/li>\n<\/ol>\n<p>If you want, I can draft a sample consent record template, an image\u2011processing checklist, or suggested DAM metadata fields to help operationalise these requirements.<\/p>\n<p> https:\/\/youtu.be\/MutNdlfq42Q<\/p>\n<h2>Top legal takeaway: what changed and why it matters<\/h2>\n<p>The headline is simple: <strong>FADP (revised)<\/strong> \u2014 in force <strong>1 September 2023<\/strong>. It tightened <strong>transparency<\/strong> and <strong>documentation obligations<\/strong>, raising <strong>consent standards<\/strong> and <strong>controller duties<\/strong>. I make that the starting point for every <strong>photo policy<\/strong> we review.<\/p>\n<h3>The legal framework now<\/h3>\n<p><strong>Identifiable photographs<\/strong> are <strong>personal data<\/strong>. That means the <strong>Swiss data-protection rules<\/strong> apply alongside image-specific rights. You must treat an identifiable photo like any other personal datum under the <strong>FADP (revised)<\/strong> \u2014 in force <strong>1 September 2023<\/strong>. At the same time, <strong>civil-law image protection<\/strong> remains relevant via <strong>Swiss Civil Code Art. 28 \u2014 personality rights (image)<\/strong>. Both regimes can apply to the same photo. <strong>Controllers<\/strong> need to address both sets of obligations in the same <strong>compliance program<\/strong>.<\/p>\n<p><strong>Legal bases<\/strong> are broader than consent. Consider the following lawful bases and document your choice:<\/p>\n<ul>\n<li><strong>Consent<\/strong><\/li>\n<li><strong>Contract<\/strong><\/li>\n<li><strong>Legal obligation<\/strong><\/li>\n<li><strong>Legitimate interest<\/strong><\/li>\n<\/ul>\n<p><strong>Consent<\/strong> works, but it isn\u2019t the only lawful route. <strong>Document why<\/strong> you picked a basis and be ready to justify it. <strong>Transfers<\/strong> are easier because of <strong>EU adequacy recognition (Switzerland)<\/strong>, which reduces friction when photos move to or from the EU. That said, you still need <strong>records<\/strong> and <strong>safeguards<\/strong>.<\/p>\n<h3>Practical steps for controllers (actionable list)<\/h3>\n<p>Follow these steps to meet the revised <strong>transparency<\/strong> and <strong>accountability<\/strong> standards:<\/p>\n<ul>\n<li><strong>Update privacy notices<\/strong> to name photography purposes and legal bases.<\/li>\n<li><strong>Keep auditable consent records<\/strong> and processing documentation that show who consented, when, and what they were told.<\/li>\n<li><strong>Run DPIAs<\/strong> for high-risk photo processing (publicity campaigns, identifiable children, profiling).<\/li>\n<li><strong>Map, document and limit retention<\/strong>: state how long images are kept and why.<\/li>\n<li><strong>Apply access and deletion workflows<\/strong> so requests about images are handled promptly.<\/li>\n<li><strong>Use appropriate contracts and security measures<\/strong> with processors who handle photos.<\/li>\n<li><strong>Put default minimisation in place<\/strong>: avoid collecting higher-resolution or identifying shots unless needed.<\/li>\n<li><strong>Train staff and volunteers<\/strong> on image rights and parental consent for minors. For practical guidance on supervising minors, link this with our notes on <a href=\"https:\/\/youngexplorersclub.ch\/what-parents-should-know-about-camp-supervision\/\">camp supervision<\/a>.<\/li>\n<li><strong>Maintain a clear opt-out mechanism<\/strong> for parents and subjects and log opt-outs in your records.<\/li>\n<\/ul>\n<p>I recommend a short <strong>compliance checklist<\/strong> tied to each photo use case. Keep one document per project that links <strong>purpose<\/strong>, <strong>lawful basis<\/strong>, <strong>DPIA outcome<\/strong>, <strong>retention period<\/strong> and <strong>consent logs<\/strong>. That single file becomes your first line in an <strong>audit<\/strong>.<\/p>\n<p><strong>Operational tips<\/strong> I use often: prefer <strong>written consent<\/strong> for publicity uses, <strong>timestamp all approvals<\/strong>, and <strong>encrypt storage<\/strong> of sensitive image archives. Where consent is relied on, include <strong>withdrawal instructions<\/strong> in the same place you ask for permission. For children, get <strong>parental consent<\/strong> and document <strong>age checks<\/strong>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/youngexplorersclub.ch\/wp-content\/uploads\/2025\/11\/IMG_1589-Copy.jpg\" alt=\"Summer camp Switzerland, International summer camp\" title=\"\"><\/p>\n<h2>When consent is required \u2014 taking vs publishing and common exceptions<\/h2>\n<p>We treat any image that can identify a person as <strong>personal data<\/strong>. <strong>Consent<\/strong> is required whenever we process those images and no other lawful basis applies. We <strong>always check<\/strong> whether another legal basis exists before relying on consent.<\/p>\n<p>We draw a strict line between <strong>taking<\/strong> photos and <strong>publishing<\/strong> or otherwise processing them. <strong>Taking<\/strong> an image in a public place is generally permitted. <strong>Publishing<\/strong>, profiling, sharing on social channels, or using an image in a brochure raises a higher legal risk and often triggers the need for <strong>consent<\/strong>. <strong>Commercial use<\/strong> \u2014 especially advertising \u2014 requires consent.<\/p>\n<p>We apply the <strong>editorial exception<\/strong> cautiously. Journalism or genuine public-interest reporting can be lawful without consent after a case-by-case balancing against <strong>Art.28 CC<\/strong>. We follow the <strong>FDPIC guidance<\/strong> tests and weigh:<\/p>\n<ul>\n<li><strong>the public interest in dissemination<\/strong>,<\/li>\n<li><strong>the context and how the person is depicted<\/strong>,<\/li>\n<li><strong>the person&#8217;s notoriety and the likely damage to reputation<\/strong> (<strong>FDPIC guidance<\/strong>; <strong>Art.28 CC<\/strong>).<\/li>\n<\/ul>\n<p>We recommend these practical steps for every image that might identify someone:<\/p>\n<ol>\n<li><strong>Assess<\/strong> whether processing is taking place or just capturing.<\/li>\n<li><strong>Determine<\/strong> your lawful basis (consent, contract, legal obligation, legitimate interest).<\/li>\n<li><strong>Run<\/strong> the <strong>FDPIC tests<\/strong> on public-interest claims.<\/li>\n<li><strong>Document<\/strong> your decision and retention period.<\/li>\n<li><strong>Get explicit consent<\/strong> for commercial or promotional use.<\/li>\n<\/ol>\n<h3>Illustrative hypotheticals<\/h3>\n<p>Below are quick examples we use to guide decisions:<\/p>\n<ul>\n<li><strong>Street photo used in news coverage of a public event<\/strong>: We\u2019d likely publish without consent if the image contributes to reporting, doesn&#8217;t humiliate the subject, and passes the <strong>FDPIC<\/strong> balancing test. Cite: <strong>FDPIC guidance<\/strong>; <strong>Art.28 CC<\/strong>.<\/li>\n<li><strong>Same street photo used on a billboard for a brand<\/strong>: We treat this as <strong>commercial processing<\/strong> and require explicit consent.<\/li>\n<\/ul>\n<p>We integrate these rules into camp policies and training; see <a href=\"https:\/\/youngexplorersclub.ch\/safety-in-kids-camps-standards-training-what-parents-should-know-switzerland-edition\/\">Safety in kids camps<\/a> for related guidance.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/youngexplorersclub.ch\/wp-content\/uploads\/2025\/11\/PXL_20250716_082942005-1.jpg\" alt=\"Summer camp Switzerland, International summer camp\" title=\"\"><\/p>\n<h2>Consent standards, documentation and practical checklist<\/h2>\n<p>We, at the <strong>Young Explorers Club<\/strong>, follow the <strong>Swiss data-protection rule<\/strong> that consent must be <strong>informed, specific, freely given and revocable<\/strong> (<strong>FADP<\/strong>). I explain how that translates into <strong>records<\/strong> and daily practice so you can apply it without guesswork.<\/p>\n<p><strong>Consent records<\/strong> must capture a fixed set of fields so you can prove <strong>scope<\/strong> and <strong>timing<\/strong>. Include:<\/p>\n<ul>\n<li><strong>Controller name<\/strong><\/li>\n<li><strong>Purpose<\/strong><\/li>\n<li><strong>Scope<\/strong><\/li>\n<li><strong>Retention<\/strong><\/li>\n<li><strong>Withdrawal procedure<\/strong><\/li>\n<li><strong>Timestamp<\/strong><\/li>\n<\/ul>\n<p>Define <strong>scope<\/strong> clearly by <strong>channel<\/strong> and <strong>duration<\/strong> \u2014 for example: <strong>print, web, social, third-party distribution<\/strong> \u2014 and state how long each channel applies.<\/p>\n<p>Use <strong>written or digitally signed releases<\/strong> for commercial uses. <strong>E-signatures<\/strong> from <strong>DocuSign<\/strong> or <strong>Adobe Sign<\/strong> are acceptable if the audit trail is preserved and tamper-evidence is clear. Capture <strong>identity and age verification<\/strong> where relevant: <strong>parental\/guardian signatures<\/strong> for minors, a copy of <strong>ID<\/strong> when required, or a signed <strong>capacity statement<\/strong>. We also apply the same rules when we run <a href=\"https:\/\/youngexplorersclub.ch\/photography-camps-for-kids-and-teens\/\">photography camps<\/a>, and we collect <strong>parental consent<\/strong> before filming or photographing participants.<\/p>\n<p><strong>Record structure<\/strong> and an <strong>example clause<\/strong> should be brief and explicit. Recommended consent-record fields:<\/p>\n<ul>\n<li><strong>Controller name<\/strong><\/li>\n<li><strong>Purpose<\/strong> (clear short phrase)<\/li>\n<li><strong>Scope<\/strong> with listed channels<\/li>\n<li><strong>Explicit consent<\/strong> checkbox or signature<\/li>\n<li><strong>Clear revocation instruction<\/strong><\/li>\n<li><strong>Capture method<\/strong> and <strong>timestamp<\/strong><\/li>\n<\/ul>\n<p>Use a short example clause like this in your form:<\/p>\n<p>&#8220;<strong>Controller:<\/strong> Young Explorers Club. <strong>Purpose:<\/strong> use in print, web, social and third-party distribution. <strong>I expressly consent<\/strong> to the use of the photograph(s) as described. To revoke consent, email <strong>privacy@youngexplorersclub.ch<\/strong>; revocation stops future use but won&#8217;t retract lawfully published material. <strong>Signature\/Checkbox:<\/strong> ______. <strong>Capture method:<\/strong> digital\/paper. <strong>Timestamp:<\/strong> YYYY\u2011MM\u2011DD HH:MM.&#8221;<\/p>\n<p>Adopt a clear <strong>retention rule<\/strong> and make it consistent with operations. Retain release forms and consent logs for a defined period after last use. A practical company policy example: &#8220;<strong>consent records retained for duration of the use plus 5 years for audit<\/strong>.&#8221; Store <strong>consent metadata<\/strong> alongside the image file so search and audit are quick, and export logs regularly for backup.<\/p>\n<h3>Practical checklist<\/h3>\n<ul>\n<li><strong>Predefined release templates<\/strong> that include controller, purpose, scope, retention, withdrawal, capture method and timestamp.<\/li>\n<li><strong>Signed record<\/strong> (paper or e-signature) containing the fields above and an explicit consent checkbox or signature.<\/li>\n<li><strong>Store consent metadata<\/strong> alongside the image (file metadata and a centralized consent log).<\/li>\n<li><strong>Process revocation requests promptly<\/strong> and document the action and effective date; stop future use and note limitations of retroactive removal.<\/li>\n<li><strong>Verify age and capacity<\/strong> where applicable; require parental\/guardian signature for minors and keep ID checks or age attestations.<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/youngexplorersclub.ch\/wp-content\/uploads\/2025\/10\/Young-Explorers-Club-Camp-Evasion-AUG-2024-781-1.jpg\" alt=\"Summer camp Switzerland, International summer camp\" title=\"\"><\/p>\n<h2>Minors, capacity and workplace photography<\/h2>\n<p>We, at the <strong>young explorers club<\/strong>, set the age of majority at <strong>18<\/strong>. <strong>Minors<\/strong> under <strong>18<\/strong> require extra care for image use and distribution.<\/p>\n<h3>Minors and parental consent<\/h3>\n<p>I require <strong>parental opt-in<\/strong> for routine school or event photos. For <strong>commercial<\/strong> or <strong>non-routine uses<\/strong> \u2014 advertising, social media marketing, external publications \u2014 I recommend <strong>explicit parental consent<\/strong> for anyone under <strong>18<\/strong>. Consent should be <strong>informed and specific<\/strong>. It must list the intended <strong>channels<\/strong>, the <strong>duration of use<\/strong>, and any <strong>third parties<\/strong> who may receive the material. For straightforward camp or activity images intended only for internal sharing, document a lawful basis such as <strong>legitimate interest<\/strong>, but keep <strong>parental records<\/strong> on file.<\/p>\n<p>I acknowledge the sensitivity families have about images. For parent-facing guidance and expectations, I point them to our <strong><a href=\"https:\/\/youngexplorersclub.ch\/what-parents-should-know-about-camp-supervision\/\">parent guidance<\/a><\/strong> so they can make informed choices before arrival.<\/p>\n<h3>Practical templates and procedures<\/h3>\n<p>Use the following <strong>templates<\/strong> and steps to operationalize <strong>consent<\/strong>:<\/p>\n<ul>\n<li><strong>Pre-event parental consent form<\/strong> with clear opt-in boxes: include separate toggles for <strong>on-site displays<\/strong>, <strong>social media<\/strong>, <strong>printed brochures<\/strong>, and <strong>third-party sharing<\/strong>.<\/li>\n<li><strong>School\/event opt-in<\/strong> must default to <strong>unchecked<\/strong>; require <strong>active consent<\/strong> for each category.<\/li>\n<li><strong>Employment media-consent clause<\/strong> in contracts or a separate release form for staff: state whether images may be used for <strong>marketing<\/strong> and require <strong>explicit, documented consent<\/strong> for those uses.<\/li>\n<li>For <strong>internal uses<\/strong> (ID badges, staff directories, rostering), rely on <strong>contract necessity<\/strong> or <strong>legitimate interest<\/strong>; record the lawful basis and provide a simple <strong>objection route<\/strong> for employees.<\/li>\n<li><strong>Power imbalance<\/strong>: consent may not be freely given in employment. Offer <strong>alternatives<\/strong> (e.g., anonymized photos, badge-only portraits not used externally) and obtain a signed statement that consent was given <strong>voluntarily<\/strong>.<\/li>\n<li><strong>Withdrawal mechanism<\/strong>: let employees and parents withdraw consent for future uses and explain effects on previously published material (withdrawal stops future distribution but cannot reliably retract images already in circulation).<\/li>\n<li><strong>Record-keeping<\/strong>: timestamped consent records, versioned forms, and a central register that links each image to its consent metadata (who gave it, scope, expiry).<\/li>\n<\/ul>\n<p>I advise clear <strong>operational rules<\/strong> for <strong>staff photographers<\/strong> and <strong>event leaders<\/strong>: carry <strong>printed forms<\/strong>, <strong>verify identity<\/strong> of the consenting adult, and <strong>log where images will be published<\/strong>. For <strong>marketing campaigns<\/strong>, require an <strong>explicit clause<\/strong> in <strong>hiring documents<\/strong> or a <strong>separate release<\/strong>; never rely solely on <strong>implied consent<\/strong> in <strong>employment contexts<\/strong>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/youngexplorersclub.ch\/wp-content\/uploads\/2025\/11\/IMG_0196-2.jpg\" alt=\"Summer camp Switzerland, International summer camp\" title=\"\"><\/p>\n<h2>Platforms, storage, cross-border transfers and technical controls (tools and vendors)<\/h2>\n<p>We, at the <strong>young explorers club<\/strong>, treat <strong>platform terms<\/strong> as operational guidance but never as a substitute for our <strong>legal duties as controller<\/strong>. Platform uploads to <strong>Instagram<\/strong>, <strong>Facebook<\/strong> or <strong>TikTok<\/strong> typically create <strong>third\u2011party processing chains<\/strong> and can trigger <strong>international transfers<\/strong>. Always verify platform <strong>retention<\/strong> and <strong>content re\u2011use<\/strong> clauses before you publish. Platforms may keep copies long after you <strong>delete<\/strong> a post.<\/p>\n<p><strong>Swiss transfers<\/strong> to the <strong>EU<\/strong> are easier thanks to <strong>Switzerland&#8217;s EU adequacy recognition<\/strong>, which simplifies <strong>EU\u2194CH<\/strong> moves. Transfers to other countries need checking. Confirm <strong>adequacy decisions<\/strong> or implement safeguards like <strong>standard contractual clauses<\/strong>, <strong>binding corporate rules<\/strong> or documented, explicit <strong>consent<\/strong> where appropriate. Keep a <strong>transfer register<\/strong> that maps <strong>processing activities<\/strong> to <strong>destination jurisdictions<\/strong> and safeguards used.<\/p>\n<h3>Required technical and organisational measures<\/h3>\n<p>Use the following controls as the baseline for any photo program; implement them in the <strong>DAM<\/strong> and any <strong>consent system<\/strong>.<\/p>\n<ul>\n<li><strong>Encrypt images in transit and at rest<\/strong> to reduce exposure from backups or cloud misconfigurations.<\/li>\n<li><strong>Apply role\u2011based access control and least privilege<\/strong> so only authorized staff can view or export identifiable photos.<\/li>\n<li><strong>Log access, downloads and edits<\/strong> of media files; retain logs as part of your retention schedule.<\/li>\n<li><strong>Store consent metadata with each image in the DAM<\/strong> (who consented, scope, date, version of form, revocations).<\/li>\n<li><strong>Keep a retention schedule<\/strong> that links consent scope to publishing windows and automated deletion.<\/li>\n<li><strong>Use automated alerts for revoked consent<\/strong> to block republishing and trigger redaction workflows.<\/li>\n<li><strong>Conduct regular tests of face\u2011detection and tagging algorithms<\/strong> in a staging environment before using them in production.<\/li>\n<\/ul>\n<p><strong>Consent metadata<\/strong> is as important as the image. Implement a searchable fieldset in your <strong>DAM<\/strong> so <strong>legal<\/strong>, <strong>marketing<\/strong> and <strong>camp staff<\/strong> can confirm rights at a glance.<\/p>\n<h2>Tool categories and practical vendor choices<\/h2>\n<p>I recommend separating <strong>capture<\/strong>, <strong>storage<\/strong> and <strong>downstream tooling<\/strong> so you can swap vendors without losing legal records.<\/p>\n<ul>\n<li><strong>Consent capture &amp; management:<\/strong>\n<ul>\n<li>DocuSign, Adobe Sign, OneTrust and TrustArc are useful for signed digital releases and consent lifecycle tracking.<\/li>\n<\/ul>\n<\/li>\n<li><strong>DAM \/ photo storage:<\/strong>\n<ul>\n<li>FotoWare, Bynder, Canto and Adobe Experience Manager support rich metadata fields and access controls; choose one that lets you store consent flags with media.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Model\/photographer release apps:<\/strong>\n<ul>\n<li>Easy Release and ModelRelease speed in\u2011field signing and export structured consent data.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Metadata, forensic and redaction tools:<\/strong>\n<ul>\n<li>ExifTool and ImageMagick for metadata editing and bulk redaction; OpenCV for prototype face detection and automated blurring.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Face\u2011recognition risk awareness:<\/strong>\n<ul>\n<li>Microsoft Azure Face API, Amazon Rekognition and PimEyes can identify risk but raise significant privacy and legal issues; treat them as <strong>high\u2011risk tooling<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Operational recommendations and risk controls<\/h2>\n<p><strong>Test<\/strong> automated face detection (<strong>OpenCV<\/strong>) in a closed environment and use results for tagging and drafts only. <strong>Never auto\u2011publish<\/strong> based on algorithmic matches. Combine detection with <strong>human review<\/strong> before any public use. If <strong>consent<\/strong> is missing or withdrawn, apply immediate <strong>redaction<\/strong> with <strong>ImageMagick<\/strong> or an <strong>OpenCV<\/strong> script and <strong>record the action<\/strong> in the image\u2019s metadata.<\/p>\n<p>We align our publishing checks with <strong>camp supervision policies<\/strong> and keep consent aligned to activity types; see our guidance on <a href=\"https:\/\/youngexplorersclub.ch\/what-parents-should-know-about-camp-supervision\/\">camp supervision<\/a>. Maintain a versioned <strong>consent register<\/strong> separate from the <strong>DAM<\/strong> so you can produce proof of consent during audits or incident response.<\/p>\n<p>Finally, treat <strong>face\u2011recognition services<\/strong> as an escalated legal decision. Evaluate them for <strong>necessity and proportionality<\/strong>, document the <strong>lawful basis<\/strong> for any use, and ensure contracts cover <strong>international processing<\/strong> and <strong>deletion obligations<\/strong>. Platform retention and third\u2011party reuse remain a live risk\u2014review terms before you hit <strong>publish<\/strong>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/youngexplorersclub.ch\/wp-content\/uploads\/2025\/11\/IMG_1052-Copy.jpg\" alt=\"Summer camp Switzerland, International summer camp\" title=\"\"><\/p>\n<h2>Practical steps, templates, enforcement and real-world do\/don\u2019t<\/h2>\n<p>We, at the <strong>young explorers club<\/strong>, keep <strong>consent handling<\/strong> simple and auditable. I present a <strong>compact operational flow<\/strong>, a single <strong>checklist<\/strong> you can apply immediately, and short <strong>hypotheticals<\/strong> to show consequences.<\/p>\n<p>We use the <strong>checklist<\/strong> below to convert policy into practice.<\/p>\n<h3>Actionable checklist<\/h3>\n<ul>\n<li><strong>Risk assessment for image processing<\/strong>: map purposes, identify <strong>sensitive groups<\/strong> (including <strong>minors<\/strong>), and flag <strong>commercial uses<\/strong>.<\/li>\n<li><strong>Consent templates\/releases<\/strong>: prepare written and digital templates that record <strong>purpose<\/strong>, <strong>scope<\/strong>, <strong>duration<\/strong>, and <strong>withdrawal method<\/strong>.<\/li>\n<li><strong>On-site clear signage<\/strong>: place visible signs at entrances stating photography is happening and where to view consent options.<\/li>\n<li><strong>Opt-in\/opt-out for attendees<\/strong>: add an explicit tickbox on pre-event sign-up forms and a clear opt-out option at the event.<\/li>\n<li><strong>Metadata to store<\/strong>: always tag images with <strong>photographer<\/strong>, <strong>subject identifier<\/strong>, <strong>timestamp<\/strong>, <strong>purpose<\/strong>, and <strong>consent proof<\/strong>.<\/li>\n<li><strong>Retention and deletion policy<\/strong>: adopt the sample line <strong>&#8220;consent records retained for duration of the use plus 5 years for audit.&#8221;<\/strong> and publish retention windows.<\/li>\n<li><strong>Staff training<\/strong>: train photographers and staff on <strong>consent capture<\/strong>, tagging, and how to handle <strong>withdrawals<\/strong>.<\/li>\n<li><strong>Incident response<\/strong>: define steps for <strong>takedown<\/strong>, <strong>notification<\/strong>, and <strong>remedial reporting<\/strong> if a complaint arises.<\/li>\n<li><strong>When consent unavailable<\/strong>: anonymise images by blurring or pixelating identifiable subjects before any sharing.<\/li>\n<li><strong>On-site collection for subject-specific shots<\/strong>: get signed releases for close-ups or commercial uses; keep digital copies linked to image metadata.<\/li>\n<li><strong>Post-event verification<\/strong>: tag-and-check every image against <strong>consent records<\/strong> before publication.<\/li>\n<\/ul>\n<h3>Do\/don\u2019t essentials (apply these immediately)<\/h3>\n<ul>\n<li>\n    <strong>Do:<\/strong><\/p>\n<ul>\n<li>Get written or digital <strong>consent<\/strong> for <strong>commercial use<\/strong>.<\/li>\n<li><strong>Document consents<\/strong> and use event signage.<\/li>\n<li>Keep records with <strong>metadata<\/strong>.<\/li>\n<li><strong>Accept withdrawals<\/strong> and act promptly.<\/li>\n<\/ul>\n<\/li>\n<li>\n    <strong>Don\u2019t:<\/strong><\/p>\n<ul>\n<li>Assume platform terms cover your <strong>legal duties<\/strong>.<\/li>\n<li>Use photos of <strong>minors<\/strong> for promotion without <strong>parental opt-in<\/strong>.<\/li>\n<li>Rely on <strong>verbal consent<\/strong> without a record.<\/li>\n<li>Force employees to consent for <strong>marketing<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Sample event flow I recommend<\/h3>\n<p><strong>Pre-event:<\/strong> sign-up with a consent tickbox. <strong>On-site:<\/strong> visible signage and staff reminders; photographers collect signed releases for subject-specific shots. <strong>Post-event:<\/strong> tag-and-check linking images to consent records before any publication.<\/p>\n<h3>Enforcement and remedies<\/h3>\n<p><strong>FDPIC<\/strong> \u2014 the <strong>supervisory authority<\/strong> \u2014 handles complaints. Available remedies include <strong>deletion<\/strong>, <strong>objection<\/strong>, and <strong>civil damages<\/strong> (see <strong>Art. 28 CC<\/strong>). Expect complaints, civil liability, and <strong>reputational harm<\/strong> if you skip steps.<\/p>\n<h3>Three short hypotheticals illustrating risk<\/h3>\n<ul>\n<li><strong>Festival:<\/strong> a photographer publishes images commercially without releases \u2014 likely complaints, takedown requests, civil claims and reputational damage.<\/li>\n<li><strong>Protest:<\/strong> a news outlet uses a protest photo for reporting \u2014 the <strong>editorial exception<\/strong> can apply, but you must balance <strong>public interest<\/strong> and <strong>Art. 28 CC<\/strong>.<\/li>\n<li><strong>Workplace:<\/strong> a company posts employee marketing images without contractual consent \u2014 power imbalance may make processing <strong>unlawful<\/strong>; remediation and damages can follow.<\/li>\n<\/ul>\n<h3>Immediate actions for photographers (do these now)<\/h3>\n<ol>\n<li><strong>Ask<\/strong> before shooting close-ups.<\/li>\n<li><strong>Capture consent<\/strong> on-site whenever possible.<\/li>\n<li><strong>Tag images<\/strong> with consent metadata.<\/li>\n<li><strong>Restrict publishing<\/strong> until consent verification completes.<\/li>\n<\/ol>\n<p>For events with <strong>children<\/strong>, link policy to your <strong>camp supervision guidance<\/strong> such as <a href=\"https:\/\/youngexplorersclub.ch\/what-parents-should-know-about-camp-supervision\/\">camp supervision<\/a> so <strong>parents<\/strong> see both safety and consent practices.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/youngexplorersclub.ch\/wp-content\/uploads\/2025\/11\/IMG_4170-Copy.jpg\" alt=\"Summer camp Switzerland, International summer camp\" title=\"\"><\/p>\n<section>\n<h2>Sources<\/h2>\n<p>\n    <a href=\"https:\/\/www.fedlex.admin.ch\/eli\/cc\/2020\/787\/de\" target=\"_blank\" rel=\"noopener\">Fedlex \u2014 Bundesgesetz \u00fcber den Datenschutz (FADP)<\/a><br \/>\n    <a href=\"https:\/\/www.fedlex.admin.ch\/eli\/cc\/24\/233_245_233\/de#art_28\" target=\"_blank\" rel=\"noopener\">Fedlex \u2014 Schweizerisches Zivilgesetzbuch (ZGB), Art. 28 Schutz der Pers\u00f6nlichkeit<\/a><br \/>\n    <a href=\"https:\/\/www.edoeb.admin.ch\/edoeb\/de\/home.html\" target=\"_blank\" rel=\"noopener\">FDPIC (ED\u00d6B) \u2014 Fotografieren und Datenschutz (Hinweise und Guidance)<\/a><br \/>\n    <a href=\"https:\/\/commission.europa.eu\/justice\/data-protection\/international-dimension-data-protection\/adequacy-decisions\/swiss-confederation_en\" target=\"_blank\" rel=\"noopener\">European Commission \u2014 Adequacy decision: Swiss Confederation<\/a><br \/>\n    <a href=\"https:\/\/www.swissinfo.ch\/eng\/what-changes-under-the-new-swiss-data-protection-law\/48625710\" target=\"_blank\" rel=\"noopener\">Swissinfo \u2014 What changes under the new Swiss data protection law?<\/a><br \/>\n    <a href=\"https:\/\/www.pwc.ch\/en\/services\/legal\/fadp.html\" target=\"_blank\" rel=\"noopener\">PwC Schweiz \u2014 The revised Swiss Data Protection Act (FADP): key changes<\/a><br \/>\n    <a href=\"https:\/\/www.docusign.com\/what-is-electronic-signature\" target=\"_blank\" rel=\"noopener\">DocuSign \u2014 What is an electronic signature?<\/a><br \/>\n    <a href=\"https:\/\/www.onetrust.com\/products\/consent-management-platform\/\" target=\"_blank\" rel=\"noopener\">OneTrust \u2014 Consent Management Platform<\/a><br \/>\n    <a href=\"https:\/\/www.fotoware.com\/\" target=\"_blank\" rel=\"noopener\">FotoWare \u2014 Digital Asset Management (DAM)<\/a><br \/>\n    <a href=\"https:\/\/exiftool.org\/\" target=\"_blank\" rel=\"noopener\">Phil Harvey \u2014 ExifTool: Read and write meta information in files<\/a><br \/>\n    <a href=\"https:\/\/imagemagick.org\/\" target=\"_blank\" rel=\"noopener\">ImageMagick \u2014 ImageMagick: Image processing software<\/a>\n  <\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Revised Swiss FADP (from 1 Sep 2023) treats identifiable photos as personal data\u2014update consent, documentation and security for compliance.<\/p>\n","protected":false},"author":1,"featured_media":64934,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","_joinchat":[],"footnotes":""},"categories":[307,298,302,291,292],"tags":[],"class_list":["post-68359","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-camping-en","category-climbing-en","category-cycling-en","category-explores","category-travel-en"],"wpml_language":null,"taxonomy_info":{"category":[{"value":307,"label":"Camping"},{"value":298,"label":"Climbing"},{"value":302,"label":"Cycling"},{"value":291,"label":"Explores"},{"value":292,"label":"Travel"}]},"featured_image_src_large":["https:\/\/youngexplorersclub.ch\/wp-content\/uploads\/2025\/11\/IMG_9661-1-1024x768.jpg",1024,768,true],"author_info":{"display_name":"grivas","author_link":"https:\/\/youngexplorersclub.ch\/fr\/author\/grivas\/"},"comment_info":"","category_info":[{"term_id":307,"name":"Camping","slug":"camping-en","term_group":0,"term_taxonomy_id":307,"taxonomy":"category","description":"","parent":0,"count":500,"filter":"raw","cat_ID":307,"category_count":500,"category_description":"","cat_name":"Camping","category_nicename":"camping-en","category_parent":0},{"term_id":298,"name":"Climbing","slug":"climbing-en","term_group":0,"term_taxonomy_id":298,"taxonomy":"category","description":"","parent":0,"count":500,"filter":"raw","cat_ID":298,"category_count":500,"category_description":"","cat_name":"Climbing","category_nicename":"climbing-en","category_parent":0},{"term_id":302,"name":"Cycling","slug":"cycling-en","term_group":0,"term_taxonomy_id":302,"taxonomy":"category","description":"","parent":0,"count":500,"filter":"raw","cat_ID":302,"category_count":500,"category_description":"","cat_name":"Cycling","category_nicename":"cycling-en","category_parent":0},{"term_id":291,"name":"Explores","slug":"explores","term_group":0,"term_taxonomy_id":291,"taxonomy":"category","description":"","parent":0,"count":500,"filter":"raw","cat_ID":291,"category_count":500,"category_description":"","cat_name":"Explores","category_nicename":"explores","category_parent":0},{"term_id":292,"name":"Travel","slug":"travel-en","term_group":0,"term_taxonomy_id":292,"taxonomy":"category","description":"","parent":0,"count":499,"filter":"raw","cat_ID":292,"category_count":499,"category_description":"","cat_name":"Travel","category_nicename":"travel-en","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/posts\/68359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/comments?post=68359"}],"version-history":[{"count":0,"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/posts\/68359\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/media\/64934"}],"wp:attachment":[{"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/media?parent=68359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/categories?post=68359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/youngexplorersclub.ch\/fr\/wp-json\/wp\/v2\/tags?post=68359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}