1. Introduction
POLARIS (hereinafter also referred to as the ‘platform’) is a club management system developed and operated by Rotary Communication Services Switzerland-Liechtenstein, an association under Swiss law based in Zug (‘RCS’). It is used by organizations affiliated with POLARIS, in particular Rotary, Rotaract, Interact and Inner Wheel, as well as their clubs, districts and other organizational units (hereinafter collectively referred to as the ‘community’).
All users of POLARIS accept the ‘General Terms and Conditions for the Use of POLARIS’ (‘GTC’) and the ‘Privacy Policy for Users of POLARIS’ (‘Privacy Policy’) when they first use the platform. These documents define terms, regulate the use of the platform and define the conditions for the processing of personal data.
This confidentiality declaration (‘Declaration’) supplements these documents. It is binding for all persons who are granted administrative rights within POLARIS (‘administrators’). It regulates the handling of personal data, club data and other confidential information to which administrators have access in the course of their work and provides the necessary legal basis for this extended role. In the event of any conflict between the GTC, the Privacy Policy and this Declaration, the provisions of the Declaration shall prevail.
2. Scope and purpose
This declaration applies to all administrators who, due to their role, are granted special access rights to personal data, club data and technical administration data.
The purpose of this declaration is to ensure a heightened awareness of security and responsibility among administrators, to guarantee compliance with data protection regulations (in particular the GDPR and FADP) and to establish binding rules for the confidential handling of all data to which administrators have access.
3. Access and data categories
Administrators are granted access to the following data categories exclusively within the scope of their administrative tasks:
Member data (e.g. contact details, functions, club membership)
Club and organizational data (e.g. structures, events, internal communication)
Technical administration data (e.g. log files, user rights)
Access is always granted according to the need-to-know principle, i.e. only to the extent necessary for the performance of administrative tasks.
4. Duties of the administrator
The administrator expressly undertakes to
a) Confidentiality
treat all personal data, club data and other confidential information to which they have access in the course of their work as strictly confidential and not to allow unauthorized persons access to such data.
b) Purpose limitation
process confidential information exclusively for the administrative tasks assigned to them by the respective organizational unit.
c) Prohibition of misuse
refrain from
using confidential information for private or non-community purposes,
making copies, exports or screenshots or storing them locally, unless this is expressly necessary or approved,
passing on data to unauthorized third parties or making it accessible to them.
d) Technical and organizational security measures
comply with all appropriate protective measures to ensure the confidentiality, availability and integrity of personal data, club data and other confidential information in order to ensure an adequate level of protection and, in particular, to prevent unauthorized or accidental destruction, accidental loss, theft or unlawful use of this data, unauthorized modification, unauthorized copying or any other unauthorized processing, including by:
Using strong and secret passwords,
Using two-factor authentication,
Using up-to-date and secure end devices,
Regular updates, firewall and virus protection measures,
Transmitting personal data exclusively via encrypted connections.
e) Return and deletion
immediately delete all accesses, export files, copies and other locally stored data upon termination of their administrator function, or to hand them over to the responsible organizational unit.
5. Handling the rights of data subjects
The administrator supports the respective organizational unit in fulfilling the rights of data subjects (in particular information, correction, deletion, restriction of processing), but does not make any independent, legally binding decisions. Administrative actions are only carried out within the scope of explicit instructions or clearly defined powers.
6. Reporting security incidents and damage limitation
The administrator is obliged to report any actual or suspected unauthorized access to personal data or other security-related incidents to the responsible organizational unit without delay.
He must take all reasonable measures to limit damage, in particular by:
Immediately preventing further unauthorized access,
recovery of affected data, if permissible,
ensuring the deletion or handover of local copies.
These obligations exist regardless of any fault on the part of the administrator.
7. No granting of intellectual property rights
The administration rights do not confer any intellectual property rights to data, content or system components. All rights remain with RCS or the respective organizational unit. The administrator is only granted the non-transferable, revocable right to use data within the scope of his administrative tasks.
8. Sanctions and liability
In the event of a culpable breach of obligations under this Declaration, the administrator shall be liable for any resulting damages within the scope of the statutory provisions.
RCS and the respective organizational unit reserve the right to take the following measures in the event of violations:
Withdraw administration rights
Initiate measures under association law
Consider possible civil or criminal proceedings
9. Term of validity of the declaration
This declaration shall enter into force upon activation of administration rights by the relevant organizational unit.
It does not automatically end with the loss of administrative rights but applies indefinitely to all data and information that the administrator has become aware of during their work.
10. Applicable law and place of jurisdiction
This declaration is subject to the substantive law of the country in which the organizational unit for which the administrator works has its registered office or business domicile.
The same place shall be the exclusive place of jurisdiction for all disputes arising from this declaration.
Polaris Confidential Declaration / Version 1.0, March 2026