Understanding Swiss Photo Consent Policies

Overview

Since the revised Swiss Federal Act on Data Protection (FADP) took effect on 1 September 2023, identifiable photographs are treated as personal data. Controllers—those who decide why and how images are processed—must meet stricter transparency, documentation and accountability duties while also respecting civil‑law image‑protection rules (Art. 28 CC).

Key Takeaways

• The revised FADP (effective 1 Sep 2023) treats identifiable photos as personal data and operates alongside Art. 28 CC. Compliance programs must combine data‑protection and image‑protection duties.
• Lawful bases go beyond consent. If relying on consent, it must be informed, specific, freely given and revocable. Controllers must document and justify the chosen legal basis.
• Maintain auditable consent records showing controller, purpose and scope (channels and duration). Include retention rules, withdrawal procedure and timestamps. Store consent metadata with each image.
• Apply extra safeguards for minors and high‑risk processing. Obtain explicit parental consent for commercial uses. Conduct DPIAs where appropriate. Use the editorial exemption only after a case‑by‑case balancing test.
• Implement technical and organisational measures: encrypt images in transit and at rest, enforce least‑privilege access and logging, map transfers and safeguards. Treat face‑recognition tools as high‑risk and require documented justification.

Lawful Bases and Documentation

Acceptable Legal Bases

Controllers must record a clear lawful basis for processing images. Typical bases include:

• Consent — informed, specific, freely given and revocable;
• Contract — processing necessary to perform contractual obligations;
• Legal obligation — where a statute or regulation mandates processing;
• Legitimate interest — after a documented balancing test showing interests do not override the data subject’s rights.

Documenting the Choice

For every processing activity, keep an auditable record that explains the chosen legal basis and the justification for it. This record should be retained and made available to supervisory authorities if requested.

Consent Records and Metadata

What to Record

Consent records should be auditable and linked to each image. At minimum, record:

1. Controller identity;
2. Purpose and scope (including channels and duration);
3. Retention rules and deletion schedule;
4. Withdrawal procedure and timestamps for consent/grant/withdrawal;
5. Any conditions attached to consent (e.g., limited to editorial or promotional use).

Technical Implementation

Store consent metadata together with the digital asset (e.g., in the DAM or asset database) so each image carries its legal status, consent timestamps and applicable restrictions.

Safeguards for Minors and High‑Risk Uses

Minors

Apply heightened safeguards when processing images of minors. For commercial uses, obtain explicit parental consent and verify parental authority where feasible.

High‑Risk Processing

High‑risk uses (e.g., profiling, public dissemination, or use with face‑recognition) require additional measures:

• Conduct a Data Protection Impact Assessment (DPIA) where appropriate;
• Apply technical protections, anonymisation or pseudonymisation where possible;
• Limit access and perform regular risk reviews.

Editorial Exemption

Use the editorial exemption only after a documented, case‑by‑case balancing test weighing public interest, freedom of expression and the data subject’s privacy rights. Do not rely on it as a blanket justification.

Technical and Organisational Measures

Encryption and Storage

Encrypt images both in transit and at rest. Use secure key management and limit plaintext exposure.

Access Controls and Logging

Enforce least‑privilege access using role‑based controls, multifactor authentication for privileged accounts, and comprehensive logging of access and processing events.

Transfers and Third Parties

Map any transfers of images to third parties and document contractual safeguards. Ensure adequate protections when transferring across borders.

Face‑Recognition and Emerging Tools

Treat face‑recognition and similar biometric tools as high‑risk. Require a documented justification, enhanced safeguards, and relevant approvals before deployment.

Practical Steps for Controllers

1. Update internal policies to reflect the revised FADP and Art. 28 CC.
2. Map image inventories and tag assets with consent metadata.
3. Implement technical controls (encryption, access control, logging).
4. Establish a process for DPIAs and for deciding when the editorial exemption applies.
5. Train staff on image‑specific duties and retention/withdrawal procedures.

If you want, I can draft a sample consent record template, an image‑processing checklist, or suggested DAM metadata fields to help operationalise these requirements.

https://youtu.be/MutNdlfq42Q

Top legal takeaway: what changed and why it matters

The headline is simple: FADP (revised) — in force 1 September 2023. It tightened transparency and documentation obligations, raising consent standards and controller duties. I make that the starting point for every photo policy we review.

The legal framework now

Identifiable photographs are personal data. That means the Swiss data-protection rules apply alongside image-specific rights. You must treat an identifiable photo like any other personal datum under the FADP (revised) — in force 1 September 2023. At the same time, civil-law image protection remains relevant via Swiss Civil Code Art. 28 — personality rights (image). Both regimes can apply to the same photo. Controllers need to address both sets of obligations in the same compliance program.

Legal bases are broader than consent. Consider the following lawful bases and document your choice:

• Consent
• Contract
• Legal obligation
• Legitimate interest

Consent works, but it isn’t the only lawful route. Document why you picked a basis and be ready to justify it. Transfers are easier because of EU adequacy recognition (Switzerland), which reduces friction when photos move to or from the EU. That said, you still need records and safeguards.

Practical steps for controllers (actionable list)

Follow these steps to meet the revised transparency and accountability standards:

• Update privacy notices to name photography purposes and legal bases.
• Keep auditable consent records and processing documentation that show who consented, when, and what they were told.
• Run DPIAs for high-risk photo processing (publicity campaigns, identifiable children, profiling).
• Map, document and limit retention: state how long images are kept and why.
• Apply access and deletion workflows so requests about images are handled promptly.
• Use appropriate contracts and security measures with processors who handle photos.
• Put default minimisation in place: avoid collecting higher-resolution or identifying shots unless needed.
• Train staff and volunteers on image rights and parental consent for minors. For practical guidance on supervising minors, link this with our notes on camp supervision.
• Maintain a clear opt-out mechanism for parents and subjects and log opt-outs in your records.

I recommend a short compliance checklist tied to each photo use case. Keep one document per project that links purpose, lawful basis, DPIA outcome, retention period and consent logs. That single file becomes your first line in an audit.

Operational tips I use often: prefer written consent for publicity uses, timestamp all approvals, and encrypt storage of sensitive image archives. Where consent is relied on, include withdrawal instructions in the same place you ask for permission. For children, get parental consent and document age checks.

When consent is required — taking vs publishing and common exceptions

We treat any image that can identify a person as personal data. Consent is required whenever we process those images and no other lawful basis applies. We always check whether another legal basis exists before relying on consent.

We draw a strict line between taking photos and publishing or otherwise processing them. Taking an image in a public place is generally permitted. Publishing, profiling, sharing on social channels, or using an image in a brochure raises a higher legal risk and often triggers the need for consent. Commercial use — especially advertising — requires consent.

We apply the editorial exception cautiously. Journalism or genuine public-interest reporting can be lawful without consent after a case-by-case balancing against Art.28 CC. We follow the FDPIC guidance tests and weigh:

• the public interest in dissemination,
• the context and how the person is depicted,
• the person’s notoriety and the likely damage to reputation (FDPIC guidance; Art.28 CC).

We recommend these practical steps for every image that might identify someone:

1. Assess whether processing is taking place or just capturing.
2. Determine your lawful basis (consent, contract, legal obligation, legitimate interest).
3. Run the FDPIC tests on public-interest claims.
4. Document your decision and retention period.
5. Get explicit consent for commercial or promotional use.

Illustrative hypotheticals

Below are quick examples we use to guide decisions:

• Street photo used in news coverage of a public event: We’d likely publish without consent if the image contributes to reporting, doesn’t humiliate the subject, and passes the FDPIC balancing test. Cite: FDPIC guidance; Art.28 CC.
• Same street photo used on a billboard for a brand: We treat this as commercial processing and require explicit consent.

We integrate these rules into camp policies and training; see Safety in kids camps for related guidance.

Consent standards, documentation and practical checklist

We, at the Young Explorers Club, follow the Swiss data-protection rule that consent must be informed, specific, freely given and revocable (FADP). I explain how that translates into records and daily practice so you can apply it without guesswork.

Consent records must capture a fixed set of fields so you can prove scope and timing. Include:

• Controller name
• Purpose
• Scope
• Retention
• Withdrawal procedure
• Timestamp

Define scope clearly by channel and duration — for example: print, web, social, third-party distribution — and state how long each channel applies.

Use written or digitally signed releases for commercial uses. E-signatures from DocuSign or Adobe Sign are acceptable if the audit trail is preserved and tamper-evidence is clear. Capture identity and age verification where relevant: parental/guardian signatures for minors, a copy of ID when required, or a signed capacity statement. We also apply the same rules when we run photography camps, and we collect parental consent before filming or photographing participants.

Record structure and an example clause should be brief and explicit. Recommended consent-record fields:

• Controller name
• Purpose (clear short phrase)
• Scope with listed channels
• Explicit consent checkbox or signature
• Clear revocation instruction
• Capture method and timestamp

Use a short example clause like this in your form:

“Controller: Young Explorers Club. Purpose: use in print, web, social and third-party distribution. I expressly consent to the use of the photograph(s) as described. To revoke consent, email privacy@youngexplorersclub.ch; revocation stops future use but won’t retract lawfully published material. Signature/Checkbox: ______. Capture method: digital/paper. Timestamp: YYYY‑MM‑DD HH:MM.”

Adopt a clear retention rule and make it consistent with operations. Retain release forms and consent logs for a defined period after last use. A practical company policy example: “consent records retained for duration of the use plus 5 years for audit.” Store consent metadata alongside the image file so search and audit are quick, and export logs regularly for backup.

Practical checklist

• Predefined release templates that include controller, purpose, scope, retention, withdrawal, capture method and timestamp.
• Signed record (paper or e-signature) containing the fields above and an explicit consent checkbox or signature.
• Store consent metadata alongside the image (file metadata and a centralized consent log).
• Process revocation requests promptly and document the action and effective date; stop future use and note limitations of retroactive removal.
• Verify age and capacity where applicable; require parental/guardian signature for minors and keep ID checks or age attestations.

Minors, capacity and workplace photography

We, at the young explorers club, set the age of majority at 18. Minors under 18 require extra care for image use and distribution.

Minors and parental consent

I require parental opt-in for routine school or event photos. For commercial or non-routine uses — advertising, social media marketing, external publications — I recommend explicit parental consent for anyone under 18. Consent should be informed and specific. It must list the intended channels, the duration of use, and any third parties who may receive the material. For straightforward camp or activity images intended only for internal sharing, document a lawful basis such as legitimate interest, but keep parental records on file.

I acknowledge the sensitivity families have about images. For parent-facing guidance and expectations, I point them to our parent guidance so they can make informed choices before arrival.

Practical templates and procedures

Use the following templates and steps to operationalize consent:

• Pre-event parental consent form with clear opt-in boxes: include separate toggles for on-site displays, social media, printed brochures, and third-party sharing.
• School/event opt-in must default to unchecked; require active consent for each category.
• Employment media-consent clause in contracts or a separate release form for staff: state whether images may be used for marketing and require explicit, documented consent for those uses.
• For internal uses (ID badges, staff directories, rostering), rely on contract necessity or legitimate interest; record the lawful basis and provide a simple objection route for employees.
• Power imbalance: consent may not be freely given in employment. Offer alternatives (e.g., anonymized photos, badge-only portraits not used externally) and obtain a signed statement that consent was given voluntarily.
• Withdrawal mechanism: let employees and parents withdraw consent for future uses and explain effects on previously published material (withdrawal stops future distribution but cannot reliably retract images already in circulation).
• Record-keeping: timestamped consent records, versioned forms, and a central register that links each image to its consent metadata (who gave it, scope, expiry).

I advise clear operational rules for staff photographers and event leaders: carry printed forms, verify identity of the consenting adult, and log where images will be published. For marketing campaigns, require an explicit clause in hiring documents or a separate release; never rely solely on implied consent in employment contexts.

Platforms, storage, cross-border transfers and technical controls (tools and vendors)

We, at the young explorers club, treat platform terms as operational guidance but never as a substitute for our legal duties as controller. Platform uploads to Instagram, Facebook or TikTok typically create third‑party processing chains and can trigger international transfers. Always verify platform retention and content re‑use clauses before you publish. Platforms may keep copies long after you delete a post.

Swiss transfers to the EU are easier thanks to Switzerland’s EU adequacy recognition, which simplifies EU↔CH moves. Transfers to other countries need checking. Confirm adequacy decisions or implement safeguards like standard contractual clauses, binding corporate rules or documented, explicit consent where appropriate. Keep a transfer register that maps processing activities to destination jurisdictions and safeguards used.

Required technical and organisational measures

Use the following controls as the baseline for any photo program; implement them in the DAM and any consent system.

• Encrypt images in transit and at rest to reduce exposure from backups or cloud misconfigurations.
• Apply role‑based access control and least privilege so only authorized staff can view or export identifiable photos.
• Log access, downloads and edits of media files; retain logs as part of your retention schedule.
• Store consent metadata with each image in the DAM (who consented, scope, date, version of form, revocations).
• Keep a retention schedule that links consent scope to publishing windows and automated deletion.
• Use automated alerts for revoked consent to block republishing and trigger redaction workflows.
• Conduct regular tests of face‑detection and tagging algorithms in a staging environment before using them in production.

Consent metadata is as important as the image. Implement a searchable fieldset in your DAM so legal, marketing and camp staff can confirm rights at a glance.

Tool categories and practical vendor choices

I recommend separating capture, storage and downstream tooling so you can swap vendors without losing legal records.

• Consent capture & management:
  • DocuSign, Adobe Sign, OneTrust and TrustArc are useful for signed digital releases and consent lifecycle tracking.
• DAM / photo storage:
  • FotoWare, Bynder, Canto and Adobe Experience Manager support rich metadata fields and access controls; choose one that lets you store consent flags with media.
• Model/photographer release apps:
  • Easy Release and ModelRelease speed in‑field signing and export structured consent data.
• Metadata, forensic and redaction tools:
  • ExifTool and ImageMagick for metadata editing and bulk redaction; OpenCV for prototype face detection and automated blurring.
• Face‑recognition risk awareness:
  • Microsoft Azure Face API, Amazon Rekognition and PimEyes can identify risk but raise significant privacy and legal issues; treat them as high‑risk tooling.

Operational recommendations and risk controls

Test automated face detection (OpenCV) in a closed environment and use results for tagging and drafts only. Never auto‑publish based on algorithmic matches. Combine detection with human review before any public use. If consent is missing or withdrawn, apply immediate redaction with ImageMagick or an OpenCV script and record the action in the image’s metadata.

We align our publishing checks with camp supervision policies and keep consent aligned to activity types; see our guidance on camp supervision. Maintain a versioned consent register separate from the DAM so you can produce proof of consent during audits or incident response.

Finally, treat face‑recognition services as an escalated legal decision. Evaluate them for necessity and proportionality, document the lawful basis for any use, and ensure contracts cover international processing and deletion obligations. Platform retention and third‑party reuse remain a live risk—review terms before you hit publish.

Practical steps, templates, enforcement and real-world do/don’t

We, at the young explorers club, keep consent handling simple and auditable. I present a compact operational flow, a single checklist you can apply immediately, and short hypotheticals to show consequences.

We use the checklist below to convert policy into practice.

Actionable checklist

• Risk assessment for image processing: map purposes, identify sensitive groups (including minors), and flag commercial uses.
• Consent templates/releases: prepare written and digital templates that record purpose, scope, duration, and withdrawal method.
• On-site clear signage: place visible signs at entrances stating photography is happening and where to view consent options.
• Opt-in/opt-out for attendees: add an explicit tickbox on pre-event sign-up forms and a clear opt-out option at the event.
• Metadata to store: always tag images with photographer, subject identifier, timestamp, purpose, and consent proof.
• Retention and deletion policy: adopt the sample line “consent records retained for duration of the use plus 5 years for audit.” and publish retention windows.
• Staff training: train photographers and staff on consent capture, tagging, and how to handle withdrawals.
• Incident response: define steps for takedown, notification, and remedial reporting if a complaint arises.
• When consent unavailable: anonymise images by blurring or pixelating identifiable subjects before any sharing.
• On-site collection for subject-specific shots: get signed releases for close-ups or commercial uses; keep digital copies linked to image metadata.
• Post-event verification: tag-and-check every image against consent records before publication.

Do/don’t essentials (apply these immediately)

• Do:
  • Get written or digital consent for commercial use.
  • Document consents and use event signage.
  • Keep records with metadata.
  • Accept withdrawals and act promptly.
• Don’t:
  • Assume platform terms cover your legal duties.
  • Use photos of minors for promotion without parental opt-in.
  • Rely on verbal consent without a record.
  • Force employees to consent for marketing.

Sample event flow I recommend

Pre-event: sign-up with a consent tickbox. On-site: visible signage and staff reminders; photographers collect signed releases for subject-specific shots. Post-event: tag-and-check linking images to consent records before any publication.

Enforcement and remedies

FDPIC — the supervisory authority — handles complaints. Available remedies include deletion, objection, and civil damages (see Art. 28 CC). Expect complaints, civil liability, and reputational harm if you skip steps.

Three short hypotheticals illustrating risk

• Festival: a photographer publishes images commercially without releases — likely complaints, takedown requests, civil claims and reputational damage.
• Protest: a news outlet uses a protest photo for reporting — the editorial exception can apply, but you must balance public interest and Art. 28 CC.
• Workplace: a company posts employee marketing images without contractual consent — power imbalance may make processing unlawful; remediation and damages can follow.

Immediate actions for photographers (do these now)

1. Ask before shooting close-ups.
2. Capture consent on-site whenever possible.
3. Tag images with consent metadata.
4. Restrict publishing until consent verification completes.

For events with children, link policy to your camp supervision guidance such as camp supervision so parents see both safety and consent practices.

Sources

Fedlex — Bundesgesetz über den Datenschutz (FADP)
Fedlex — Schweizerisches Zivilgesetzbuch (ZGB), Art. 28 Schutz der Persönlichkeit
FDPIC (EDÖB) — Fotografieren und Datenschutz (Hinweise und Guidance)
European Commission — Adequacy decision: Swiss Confederation
Swissinfo — What changes under the new Swiss data protection law?
PwC Schweiz — The revised Swiss Data Protection Act (FADP): key changes
DocuSign — What is an electronic signature?
OneTrust — Consent Management Platform
FotoWare — Digital Asset Management (DAM)
Phil Harvey — ExifTool: Read and write meta information in files
ImageMagick — ImageMagick: Image processing software