Key takeaways<\/h3>\n\n- FADP 2023<\/strong> boosts transparency<\/strong> and grants parents and children<\/strong> clearer rights to access<\/strong>, correct<\/strong>, delete<\/strong>, and object<\/strong>.<\/li>\n
- Breach notifications<\/strong>: controllers must notify the FDPIC<\/strong> and affected individuals when a personal-data breach creates a high risk<\/strong>.<\/li>\n
- Cross-border transfers<\/strong>: Switzerland benefits from an EU adequacy decision<\/strong>, so transfers from the EU are straightforward. Transfers to non-adequate countries<\/strong> require documented safeguards such as standard contractual clauses<\/strong> or equivalent measures.<\/li>\n
- Practical actions for families<\/strong>: update consent and privacy notices; map where student and health records are stored; encrypt sensitive fields; enable two-factor authentication; and use password managers.<\/li>\n
- Enforcement and remediation<\/strong>: the FDPIC<\/strong> has broader enforcement powers. Keep written records of requests. Escalate unresolved issues. Request breach reports and evidence that notifications were sent.<\/li>\n<\/ul>\n
What changed (brief)<\/h3>\n
The 2023 FADP<\/strong> clarifies individual rights and strengthens obligations on controllers. The FDPIC<\/strong> can now require notifications, conduct more invasive supervision, and impose stronger remedial measures. The threshold for notifying affected individuals is when a breach creates a high risk<\/strong> to rights and freedoms.<\/p>\nCross-border transfers<\/h3>\n
Switzerland<\/strong> benefits from an EU adequacy decision<\/strong>, which means data flows from EU countries into Switzerland remain simple<\/strong> and do not require additional transfer mechanisms. For transfers to countries that are not recognised as adequate, controllers must put in place documented safeguards such as standard contractual clauses<\/strong>, binding corporate rules, or equivalent technical and organisational measures.<\/p>\nPractical actions for families<\/h3>\n\n- Update privacy notices and consents<\/strong> \u2014 ensure language is clear about rights, retention periods, and contact details for the data controller.<\/li>\n
- Map records<\/strong> \u2014 identify where student<\/strong> and health records<\/strong> are stored (cloud providers, local servers, third-party services).<\/li>\n
- Encrypt sensitive fields<\/strong> \u2014 encrypt health and other highly sensitive data at rest and in transit.<\/li>\n
- Enable two-factor authentication (2FA)<\/strong> \u2014 protect accounts that access school or health systems with strong authentication.<\/li>\n
- Use password managers<\/strong> \u2014 generate and store unique strong passwords for each service.<\/li>\n
- Document processors and transfers<\/strong> \u2014 keep records of subprocessors and any cross-border transfers, and confirm safeguards for non-adequate destinations.<\/li>\n<\/ol>\n
Enforcement and remediation<\/h3>\n
The FDPIC<\/strong> now has broader supervisory and enforcement powers. If you suspect misuse or insufficient protection of your child\u2019s data, keep written records<\/strong> of all requests and responses. If an incident occurs, request a breach report<\/strong> and evidence that notifications were sent to the FDPIC<\/strong> and affected individuals. If issues remain unresolved, escalate<\/strong> within the controller organisation and consider contacting the FDPIC<\/strong> directly.<\/p>\nNext steps<\/h3>\n
For families: review your school and health-provider privacy notices, update consents where needed, and implement the technical steps above. For organisations handling children\u2019s data: ensure processes for handling access, correction, deletion, and breach notification are in place and documented.<\/p>\n
If you\u2019d like, we can help draft a checklist tailored to your family or school to implement these recommendations.<\/p>\n
https:\/\/youtu.be\/5n7h0J-X1WI<\/p>\n
Quick legal snapshot and cross-border transfers<\/h2>\n
We, at the Young Explorers Club<\/strong>, treat Swiss data protection<\/strong> as operational law<\/strong>. The Federal Act on Data Protection (FADP)<\/strong> was revised and came into force on 1 September 2023<\/strong> (FADP 1 September 2023<\/strong>). The Ordinance on Data Protection (ODP)<\/strong> complements the FADP. The Federal Data Protection and Information Commissioner (FDPIC)<\/strong> enforces the rules, runs investigations, issues guidance and handles complaints (Federal Data Protection and Information Commissioner (FDPIC)<\/strong>).<\/p>\nWhat changed for families \u2014 practical points<\/h3>\n
Focus on these changes that matter to families, all stemming from the 2023 revision (FADP 1 September 2023<\/strong>):<\/p>\n\n- Stronger transparency and individual rights:<\/strong> parents and children<\/strong> get clearer rights to access, correct and delete personal data. Review your privacy notices and consent forms.<\/strong><\/li>\n
- New breach-notification obligation:<\/strong> organisations must notify the FDPIC<\/strong> and affected individuals when a personal-data breach creates a high risk<\/strong> (breach notification obligation<\/strong>).<\/li>\n
- Clearer rules on cross-border data transfers and sensitive data:<\/strong> processing of health<\/strong> or similar sensitive data now needs stricter safeguards<\/strong> and documented legal bases (FADP 1 September 2023<\/strong>).<\/li>\n
- Greater enforcement powers for the supervisor:<\/strong> the FDPIC<\/strong> can levy administrative measures<\/strong> and demand corrective steps (Federal Data Protection and Information Commissioner (FDPIC)<\/strong>).<\/li>\n<\/ul>\n
Practical steps we recommend:<\/strong> update parent-facing notices, map where student and health records live, encrypt sensitive fields, and assign a data-incident lead who knows the breach-notification obligation<\/strong>.<\/p>\nCross-border transfers: simple rules and an example<\/h3>\n
Switzerland holds an EU adequacy decision<\/strong>, so transfers from the EU to Switzerland are straightforward (EU adequacy decision<\/strong>). Transfers from Switzerland to countries without an adequacy decision require appropriate safeguards<\/strong>. Acceptable measures include:<\/p>\n\n- An adequacy decision<\/strong> by the receiving jurisdiction,<\/li>\n
- Standard Contractual Clauses (SCCs)<\/strong> or contractual clauses modeled on SCCs,<\/li>\n
- Other documented suitable safeguards<\/strong> that provide equivalent protection (cross-border data transfers, standard contractual clauses<\/strong>).<\/li>\n<\/ul>\n
Practical example:<\/strong> if a school’s student-record database is hacked<\/strong>, we must evaluate the risk and, when the breach creates a high risk to individuals<\/strong>, notify the FDPIC<\/strong> and affected parents under the breach-notification obligation<\/strong> (Federal Data Protection and Information Commissioner (FDPIC); FADP 1 September 2023<\/strong>).<\/p>\n\n- Immediate containment and forensic check<\/strong><\/li>\n
- Prompt parent communication<\/strong> with clear next steps<\/li>\n
- Review of whether records were transferred abroad<\/strong> and, if so, which safeguard applies<\/li>\n<\/ul>\n
For a deeper look at how we assess operational safeguards alongside safety, see our page on camp safety<\/a>.<\/p>\n![\"Summer](\"https:\/\/youngexplorersclub.ch\/wp-content\/uploads\/2025\/11\/IMG_6804-1.jpg\" "\\"\\"")
<\/p>\n
Core rights families should expect (plain-language explanations)<\/h2>\n
We<\/strong>, at the young explorers club<\/strong>, expect families to have clear, usable data rights under Swiss law<\/strong>. We’ll explain each right in plain language and give practical steps you can follow.<\/p>\nRight to be informed (transparency)<\/h3>\n
Controllers<\/strong> must tell you what personal data they collect about your child, why<\/strong> they collect it, how long<\/strong> they’ll keep it, and who<\/strong> they share it with. Ask for that explanation in simple terms. For example, if an app collects location<\/strong> or profile data<\/strong> to show nearby activities, the app provider must explain that use and the retention period<\/strong>. This is the right to be informed<\/strong>.<\/p>\nRight of access<\/h3>\n
You can ask a controller what data they hold about your child and request a copy. Make the request in writing if you want a clear record. A straightforward question to use is: “What data do you hold about my child?”<\/strong> Keep a copy of your request and note the date.<\/p>\nRight of correction \/ rectification<\/h3>\n
You can ask for factual errors to be fixed. This is the right of correction<\/strong>. Common examples include wrong birthdates, misspelled names, or incorrect medical notes in school records. Correct records quickly to avoid future problems.<\/p>\nHow to correct data \u2014 a short flow<\/h3>\n\n- Identify the controller<\/strong> responsible for the record (school, app provider, camp admin).<\/li>\n
- Send a written request<\/strong> citing the FADP<\/strong> right of correction and clearly state the change needed.<\/li>\n
- Set an expectation<\/strong> of two weeks<\/strong> for a response.<\/li>\n
- If the controller ignores the request, escalate<\/strong> to the FDPIC<\/strong>.<\/li>\n<\/ol>\n
Right to deletion \/ erasure (where applicable)<\/h3>\n
You can ask for data to be deleted when there\u2019s no lawful basis<\/strong> to keep it. Deletion isn’t absolute. Controllers can refuse if law requires them to retain data (for example, mandatory reporting or accounting rules). Ask the controller to explain any refusal in writing<\/strong>.<\/p>\nRight to object<\/h3>\n
You can object to certain processing, like profiling<\/strong> or direct marketing<\/strong>. The controller must consider your objection and either stop the processing or show compelling lawful grounds to continue. If the objection concerns marketing, controllers usually must stop.<\/p>\nSensitive personal data protections<\/h3>\n
Some categories get stricter treatment. Examples include health and vaccination records<\/strong>, genetic data<\/strong>, biometric identifiers<\/strong> (like facial recognition), religion<\/strong>, and political opinions<\/strong>. These often require explicit consent<\/strong>, especially for children, or another strong legal basis before processing.<\/p>\nLawful basis for processing<\/h3>\n
Any processing must be lawful<\/strong>, fair<\/strong> and tied to a specified purpose<\/strong>. Consent is required in many cases, particularly for sensitive personal data and when children are involved. Other lawful bases include:<\/p>\n\n- Contract performance<\/strong> \u2014 for instance, school administration needs certain data to provide education;<\/li>\n
- Legal obligation<\/strong> \u2014 such as mandatory health reporting.<\/li>\n<\/ul>\n
Quick one-line examples<\/h3>\n\n- Right of access<\/strong> \u2014 “What data do you hold about my child?”<\/li>\n
- Right to be informed<\/strong> \u2014 “This app will collect microphone and location data to provide X features.”<\/li>\n
- Right of correction<\/strong> \u2014 “Please correct my child\u2019s birthdate in school records.”<\/li>\n
- Right to deletion<\/strong> \u2014 “Please delete photos of my child taken after the end of camp if you lack a lawful basis to keep them.”<\/li>\n
- Right to object<\/strong> \u2014 “I object to profiling for targeted ads; please stop processing my child’s data for that purpose.”<\/li>\n<\/ul>\n
If you want practical follow-up tips after camp or examples of parent conversations about data handling, see what parents notice<\/a> for common points families raise.<\/p>\n![\"Summer](\"https:\/\/youngexplorersclub.ch\/wp-content\/uploads\/2025\/10\/Young-Explorers-Camps-2024-Bike-Travel-July-647-Copy.jpg\" "\\"\\"")
<\/p>\n
Children, parental consent and practical age considerations<\/h2>\n
We, at the young explorers club<\/strong>, treat children’s personal data<\/strong> as especially sensitive. Many online services set age limits<\/strong> and often require parental consent<\/strong> to create accounts. Parents and guardians can be held responsible for consenting to processing of minors’ data in schools<\/strong>, apps<\/strong> and health settings<\/strong>, so I recommend reviewing every privacy notice<\/strong> you encounter.<\/p>\nParental responsibility and common contexts<\/h3>\n
Parents should expect children’s data to appear in several predictable places: schools and school platforms<\/strong>, extracurricular providers and camps<\/strong>, health professionals and patient records<\/strong>, and apps or games used at home<\/strong>. Always check the terms and privacy notices<\/strong> before agreeing to anything. You should confirm whether the organisation acts as controller<\/strong> or processor<\/strong>, since that determines who answers your questions and who must fulfil data subject rights<\/strong>.<\/p>\nWhat to ask providers<\/h3>\n
Ask providers these direct questions before consenting; I’ve listed phrases you can reuse when needed:<\/p>\n
\n- Who<\/strong> is the data controller<\/strong> and who is your contact for privacy questions<\/strong>?<\/li>\n
- What categories of personal data<\/strong> do you collect about my child?<\/li>\n
- Do you share<\/strong> any of this data with third parties<\/strong>, and which ones? Are transfers made to other countries?<\/li>\n
- What is the retention period<\/strong> and how do you decide when to delete data<\/strong>?<\/li>\n
- What legal basis<\/strong> do you use for processing my child’s data (consent, contract, public interest, etc.)?<\/li>\n
- Do you require explicit consent<\/strong> for sensitive data<\/strong> (health, biometric, special categories)?<\/li>\n
- Ready-to-use sentence to send providers: Under the Swiss FADP<\/strong>, please provide (1) the categories of personal data<\/strong> you hold about my child, (2) the retention period<\/strong>, and (3) any third parties<\/strong> receiving this data.<\/li>\n<\/ul>\n
Practical tips and immediate actions<\/h3>\n
I recommend you always review the service’s age limits<\/strong> in the terms of service<\/strong> and insist on explicit consent<\/strong> where sensitive information<\/strong> is involved. Keep records<\/strong> of any consents you give and the documents you receive. If a provider’s answers are vague, ask for them in writing and consider escalating to the controller’s designated privacy contact<\/strong>. For ongoing resources and examples about how we handle camp paperwork and parent communications, check terms<\/strong><\/a> and our posts for clear templates and sample requests.<\/p>\n\n
What changed (brief)<\/h3>\n
The 2023 FADP<\/strong> clarifies individual rights and strengthens obligations on controllers. The FDPIC<\/strong> can now require notifications, conduct more invasive supervision, and impose stronger remedial measures. The threshold for notifying affected individuals is when a breach creates a high risk<\/strong> to rights and freedoms.<\/p>\n Switzerland<\/strong> benefits from an EU adequacy decision<\/strong>, which means data flows from EU countries into Switzerland remain simple<\/strong> and do not require additional transfer mechanisms. For transfers to countries that are not recognised as adequate, controllers must put in place documented safeguards such as standard contractual clauses<\/strong>, binding corporate rules, or equivalent technical and organisational measures.<\/p>\n The FDPIC<\/strong> now has broader supervisory and enforcement powers. If you suspect misuse or insufficient protection of your child\u2019s data, keep written records<\/strong> of all requests and responses. If an incident occurs, request a breach report<\/strong> and evidence that notifications were sent to the FDPIC<\/strong> and affected individuals. If issues remain unresolved, escalate<\/strong> within the controller organisation and consider contacting the FDPIC<\/strong> directly.<\/p>\n For families: review your school and health-provider privacy notices, update consents where needed, and implement the technical steps above. For organisations handling children\u2019s data: ensure processes for handling access, correction, deletion, and breach notification are in place and documented.<\/p>\n If you\u2019d like, we can help draft a checklist tailored to your family or school to implement these recommendations.<\/p>\n https:\/\/youtu.be\/5n7h0J-X1WI<\/p>\n We, at the Young Explorers Club<\/strong>, treat Swiss data protection<\/strong> as operational law<\/strong>. The Federal Act on Data Protection (FADP)<\/strong> was revised and came into force on 1 September 2023<\/strong> (FADP 1 September 2023<\/strong>). The Ordinance on Data Protection (ODP)<\/strong> complements the FADP. The Federal Data Protection and Information Commissioner (FDPIC)<\/strong> enforces the rules, runs investigations, issues guidance and handles complaints (Federal Data Protection and Information Commissioner (FDPIC)<\/strong>).<\/p>\n Focus on these changes that matter to families, all stemming from the 2023 revision (FADP 1 September 2023<\/strong>):<\/p>\n Practical steps we recommend:<\/strong> update parent-facing notices, map where student and health records live, encrypt sensitive fields, and assign a data-incident lead who knows the breach-notification obligation<\/strong>.<\/p>\n Switzerland holds an EU adequacy decision<\/strong>, so transfers from the EU to Switzerland are straightforward (EU adequacy decision<\/strong>). Transfers from Switzerland to countries without an adequacy decision require appropriate safeguards<\/strong>. Acceptable measures include:<\/p>\n Practical example:<\/strong> if a school’s student-record database is hacked<\/strong>, we must evaluate the risk and, when the breach creates a high risk to individuals<\/strong>, notify the FDPIC<\/strong> and affected parents under the breach-notification obligation<\/strong> (Federal Data Protection and Information Commissioner (FDPIC); FADP 1 September 2023<\/strong>).<\/p>\n For a deeper look at how we assess operational safeguards alongside safety, see our page on camp safety<\/a>.<\/p>\n We<\/strong>, at the young explorers club<\/strong>, expect families to have clear, usable data rights under Swiss law<\/strong>. We’ll explain each right in plain language and give practical steps you can follow.<\/p>\n Controllers<\/strong> must tell you what personal data they collect about your child, why<\/strong> they collect it, how long<\/strong> they’ll keep it, and who<\/strong> they share it with. Ask for that explanation in simple terms. For example, if an app collects location<\/strong> or profile data<\/strong> to show nearby activities, the app provider must explain that use and the retention period<\/strong>. This is the right to be informed<\/strong>.<\/p>\n You can ask a controller what data they hold about your child and request a copy. Make the request in writing if you want a clear record. A straightforward question to use is: “What data do you hold about my child?”<\/strong> Keep a copy of your request and note the date.<\/p>\n You can ask for factual errors to be fixed. This is the right of correction<\/strong>. Common examples include wrong birthdates, misspelled names, or incorrect medical notes in school records. Correct records quickly to avoid future problems.<\/p>\n You can ask for data to be deleted when there\u2019s no lawful basis<\/strong> to keep it. Deletion isn’t absolute. Controllers can refuse if law requires them to retain data (for example, mandatory reporting or accounting rules). Ask the controller to explain any refusal in writing<\/strong>.<\/p>\n You can object to certain processing, like profiling<\/strong> or direct marketing<\/strong>. The controller must consider your objection and either stop the processing or show compelling lawful grounds to continue. If the objection concerns marketing, controllers usually must stop.<\/p>\n Some categories get stricter treatment. Examples include health and vaccination records<\/strong>, genetic data<\/strong>, biometric identifiers<\/strong> (like facial recognition), religion<\/strong>, and political opinions<\/strong>. These often require explicit consent<\/strong>, especially for children, or another strong legal basis before processing.<\/p>\n Any processing must be lawful<\/strong>, fair<\/strong> and tied to a specified purpose<\/strong>. Consent is required in many cases, particularly for sensitive personal data and when children are involved. Other lawful bases include:<\/p>\n If you want practical follow-up tips after camp or examples of parent conversations about data handling, see what parents notice<\/a> for common points families raise.<\/p>\n We, at the young explorers club<\/strong>, treat children’s personal data<\/strong> as especially sensitive. Many online services set age limits<\/strong> and often require parental consent<\/strong> to create accounts. Parents and guardians can be held responsible for consenting to processing of minors’ data in schools<\/strong>, apps<\/strong> and health settings<\/strong>, so I recommend reviewing every privacy notice<\/strong> you encounter.<\/p>\n Parents should expect children’s data to appear in several predictable places: schools and school platforms<\/strong>, extracurricular providers and camps<\/strong>, health professionals and patient records<\/strong>, and apps or games used at home<\/strong>. Always check the terms and privacy notices<\/strong> before agreeing to anything. You should confirm whether the organisation acts as controller<\/strong> or processor<\/strong>, since that determines who answers your questions and who must fulfil data subject rights<\/strong>.<\/p>\n Ask providers these direct questions before consenting; I’ve listed phrases you can reuse when needed:<\/p>\n I recommend you always review the service’s age limits<\/strong> in the terms of service<\/strong> and insist on explicit consent<\/strong> where sensitive information<\/strong> is involved. Keep records<\/strong> of any consents you give and the documents you receive. If a provider’s answers are vague, ask for them in writing and consider escalating to the controller’s designated privacy contact<\/strong>. For ongoing resources and examples about how we handle camp paperwork and parent communications, check terms<\/strong><\/a> and our posts for clear templates and sample requests.<\/p>\n \nCross-border transfers<\/h3>\n
Practical actions for families<\/h3>\n
\n
Enforcement and remediation<\/h3>\n
Next steps<\/h3>\n
Quick legal snapshot and cross-border transfers<\/h2>\n
What changed for families \u2014 practical points<\/h3>\n
\n
Cross-border transfers: simple rules and an example<\/h3>\n
\n
\n
<\/p>\nCore rights families should expect (plain-language explanations)<\/h2>\n
Right to be informed (transparency)<\/h3>\n
Right of access<\/h3>\n
Right of correction \/ rectification<\/h3>\n
How to correct data \u2014 a short flow<\/h3>\n
\n
Right to deletion \/ erasure (where applicable)<\/h3>\n
Right to object<\/h3>\n
Sensitive personal data protections<\/h3>\n
Lawful basis for processing<\/h3>\n
\n
Quick one-line examples<\/h3>\n
\n
<\/p>\nChildren, parental consent and practical age considerations<\/h2>\n
Parental responsibility and common contexts<\/h3>\n
What to ask providers<\/h3>\n
\n
Practical tips and immediate actions<\/h3>\n