
Swiss Federal Act on Data Protection (FADP)

Overview

The revised Swiss Federal Act on Data Protection (FADP), effective September 1, 2023, significantly modernizes Switzerland's data protection framework, aligning it more closely with the EU GDPR while maintaining Swiss-specific provisions. This comprehensive guide covers Healthcare Manufaktur's compliance obligations under Swiss law.

Key Changes from Old DSG

Enhanced Data Subject Rights

  • Right to data portability: New right aligned with GDPR
  • Profiling protections: Expanded rights regarding automated decisions
  • Information obligations: More detailed transparency requirements
  • Breach notification: New mandatory notification system

Increased Penalties

  • Criminal penalties: Up to CHF 250,000 for individuals
  • Administrative fines: Potential penalties for organizations
  • Enforcement mechanisms: Strengthened supervisory powers
  • Professional liability: Increased accountability for data processors

Expanded Scope

  • Territorial application: Processing data of persons in Switzerland
  • Representative obligations: Non-Swiss entities may need representation
  • Cross-border transfers: Strengthened adequacy and safeguard requirements
  • Data Processing Agreements: Mandatory for controller-processor relationships

Fundamental Principles

Good Faith and Proportionality

  • Principle of good faith: Processing must be conducted honestly and fairly
  • Proportionality: Processing must be proportionate to the purpose
  • Purpose limitation: Data used only for declared purposes
  • Necessity: Only necessary data may be processed

Lawfulness and Transparency

  • Legal basis requirements: Clear legal foundation for all processing
  • Transparency obligations: Clear information about data processing
  • Data subject notification: Proactive information provision
  • Processing records: Comprehensive documentation requirements

Data Security

  • Appropriate security measures: Technical and organizational measures
  • Risk-based approach: Security measures proportionate to risk
  • Data breach prevention: Proactive security management
  • Access controls: Strict access limitation principles

Consent

FADP Requirements:

  • Free, specific, informed, and unambiguous
  • Explicit consent for sensitive personal data
  • Revocable at any time
  • Documented and verifiable

Healthcare Applications:

  • Patient treatment consent
  • Research participation
  • Data sharing agreements
  • Marketing communications

Overriding Interests

Legitimate Interests Equivalent:

  • Processing necessary for legitimate interests
  • Interests must not be outweighed by data subject interests
  • Balancing test documentation required
  • Regular reassessment obligations

Healthcare Examples:

  • Medical research in public interest
  • Healthcare system administration
  • Quality improvement initiatives
  • Patient safety monitoring

Statutory Requirements:

  • Swiss healthcare law obligations
  • Medical professional duties
  • Public health reporting
  • Insurance requirements

Vital Interests

Emergency Situations:

  • Medical emergencies
  • Life-threatening circumstances
  • Unconscious patient treatment
  • Public health crises

Contract Performance

Healthcare Services:

  • Patient care agreements
  • Insurance processing
  • Service provider contracts
  • Employment relationships

Sensitive Personal Data (Health Data)

Definition and Scope

FADP Article 5(c) Coverage:

  • Health and illness information
  • Genetic and biometric data
  • Medical treatment records
  • Healthcare provider notes
  • Pharmaceutical data

Enhanced Protections

Additional Requirements:

  • Explicit consent or statutory authorization
  • Heightened security measures
  • Restricted access controls
  • Enhanced breach notification
  • Special transfer requirements

Healthcare Professional Privilege

Medical Confidentiality:

  • Professional secrecy obligations
  • Patient-physician privilege
  • Data sharing limitations
  • Third-party disclosure restrictions
  • Research and statistics exceptions

✅ Data Subject Rights

Right to Information (Article 19)

Information Requirements:

  • Controller identity and contact details
  • Processing purposes and legal basis
  • Data categories and recipients
  • Storage periods and criteria
  • Data subject rights and complaint procedures
  • Transfers to third countries
  • Automated decision-making information

Healthcare Specifics:

  • Patient-friendly language
  • Treatment-related disclosures
  • Research participation information
  • Insurance processing notices
  • Emergency treatment notifications

Right of Access (Article 8)

Process Requirements:

  • Identity verification procedures
  • 30-day response timeline
  • Free provision of information
  • Reasonable requests assessment
  • Third-party data protection

Healthcare Considerations:

  • Medical record access
  • Treatment history provision
  • Provider communication records
  • Insurance claim information
  • Research data participation

Right to Rectification (Article 32)

  • Correction of inaccurate data
  • Completion of incomplete information
  • Medical record updates
  • Notification to third parties
  • Documentation requirements

Right to Deletion (Article 32)

Grounds for Deletion:

  • Purpose fulfillment
  • Consent withdrawal
  • Unlawful processing
  • Legal deletion obligation

Healthcare Limitations:

  • Medical record retention requirements
  • Legal preservation obligations
  • Insurance claim needs
  • Research data value
  • Public health interests

Right to Data Portability (Article 28)

Requirements:

  • Structured, machine-readable format
  • Direct transmission where feasible
  • Personal data scope only
  • Technical feasibility assessment
  • Healthcare interoperability standards

Right to Object to Profiling (Article 21)

Automated Decision-Making:

  • Profiling definition and scope
  • Right to human intervention
  • Objection procedures
  • Medical decision safeguards
  • Risk assessment requirements

International Data Transfers

Adequacy Assessment

Federal Council Decisions:

  • EU/EEA adequacy maintenance
  • Third country adequacy list
  • Sector-specific adequacy
  • Regular adequacy reviews
  • Adequacy withdrawal procedures

Current Adequate Jurisdictions:

  • European Union member states
  • European Economic Area
  • United Kingdom
  • Selected other countries per FDPIC list

Appropriate Safeguards

Standard Contractual Clauses:

  • Swiss-specific SCC adoption
  • Transfer impact assessments
  • Supplementary measures evaluation
  • Regular effectiveness reviews
  • Documentation requirements

Other Safeguard Mechanisms:

  • Binding corporate rules
  • Codes of conduct
  • Certification mechanisms
  • Ad hoc contractual clauses
  • Professional rules compliance

Exceptions and Derogations

Limited Transfer Grounds:

  • Explicit consent after information
  • Contract performance necessity
  • Important public interests
  • Vital interests protection
  • Legal claims establishment
  • Public register disclosures

Data Breach Management

Breach Notification to FDPIC

Notification Requirements:

  • High-risk breach notification within 72 hours
  • Breach description and affected categories
  • Controller contact information
  • Likely consequences assessment
  • Mitigation measures taken
  • Risk assessment documentation

Data Subject Notification

High-Risk Scenarios:

  • Immediate notification required
  • Clear, understandable language
  • Specific breach information
  • Protective measures advised
  • Contact information provided
  • Exception for protective measures

Healthcare Breach Considerations

  • Patient safety implications
  • Medical confidentiality preservation
  • Healthcare provider coordination
  • Insurance notification requirements
  • Professional body reporting
  • Media and public communication

Federal Data Protection and Information Commissioner (FDPIC)

Supervisory Powers

Investigation Authority:

  • Compliance investigations
  • Information requests
  • On-site inspections
  • Document examinations
  • Interview conduct
  • Expert consultations

Corrective Measures

Administrative Actions:

  • Processing prohibitions
  • Data deletion orders
  • Security measure requirements
  • Certification withdrawals
  • Publication of violations
  • Cooperation with foreign authorities

Healthcare Sector Oversight

  • Medical data processing monitoring
  • Healthcare provider inspections
  • Patient complaint investigations
  • Professional body coordination
  • Research oversight activities
  • International cooperation

Compliance Implementation

Data Protection Officer (DPO)

Appointment Criteria:

  • Large-scale systematic monitoring
  • Large-scale sensitive data processing
  • Core activity risk assessment
  • Professional qualification requirements
  • Independence and expertise
  • Contact information publication

Privacy Impact Assessments

Assessment Requirements:

  • High-risk processing identification
  • Systematic impact evaluation
  • Necessity and proportionality review
  • Risk mitigation measures
  • FDPIC consultation procedures
  • Regular review requirements

Healthcare Applications:

  • New medical technologies
  • Large-scale patient monitoring
  • Genetic data processing
  • AI/ML implementation
  • Cross-border data sharing
  • Research project initiation

Records of Processing Activities

Documentation Requirements:

  • Processing purpose and legal basis
  • Data categories and subjects
  • Recipient information
  • Transfer documentation
  • Retention periods
  • Security measures description

Healthcare-Specific Records:

  • Patient care activities
  • Research processing
  • Quality improvement programs
  • Insurance processing
  • Provider communications
  • Emergency treatment procedures

Technical and Organizational Measures

Security Requirements

Risk-Based Approach:

  • Threat assessment procedures
  • Vulnerability management
  • Access control implementation
  • Encryption requirements
  • Audit logging systems
  • Incident response procedures

Healthcare Security Standards

Medical Data Protection:

  • Electronic health record security
  • Telemedicine platform protection
  • Medical device cybersecurity
  • Healthcare network segmentation
  • Backup and recovery procedures
  • Physical security measures

Data Minimization

Processing Limitation:

  • Purpose-specific data collection
  • Regular data inventory reviews
  • Automated deletion procedures
  • Anonymization techniques
  • Pseudonymization implementation
  • Data lifecycle management

Healthcare-Specific Considerations

Medical Professional Obligations

Professional Secrecy:

  • Hippocratic Oath compliance
  • Professional body requirements
  • Patient confidentiality duties
  • Interdisciplinary communication
  • Treatment coordination needs
  • Emergency disclosure provisions

Swiss Healthcare System

Cantonal Variations:

  • Regional healthcare laws
  • Hospital governance structures
  • Insurance system integration
  • Professional licensing requirements
  • Quality assurance programs
  • Public health mandates

Clinical Research

Research Framework:

  • Human Research Act compliance
  • Ethics committee approvals
  • Good Clinical Practice standards
  • International research collaboration
  • Data sharing agreements
  • Publication requirements

Telemedicine and Digital Health

Remote Healthcare:

  • Cross-cantonal treatment provision
  • International consultation services
  • Digital platform compliance
  • Patient identity verification
  • Secure communication requirements
  • Remote monitoring systems

Training and Awareness

Staff Training Requirements

Comprehensive Programs:

  • FADP awareness training
  • Role-specific compliance education
  • Healthcare sector requirements
  • Incident response procedures
  • Patient rights education
  • Continuous professional development

Patient Education

Transparency Initiatives:

  • Privacy notice distribution
  • Consent process explanation
  • Rights awareness campaigns
  • Complaint procedure information
  • Digital literacy support
  • Multilingual resources

Compliance Checklist

Immediate Implementation

  • Update privacy policies and notices
  • Implement consent mechanisms
  • Establish breach notification procedures
  • Create processing records
  • Conduct risk assessments
  • Review vendor agreements
  • Train staff on FADP requirements
  • Establish FDPIC relationship

Ongoing Compliance

  • Regular compliance audits
  • Privacy impact assessments
  • Staff training updates
  • Policy review cycles
  • Incident response testing
  • Vendor monitoring
  • Patient rights fulfillment
  • Regulatory monitoring

Healthcare-Specific Actions

  • Medical confidentiality procedures
  • Patient consent processes
  • Healthcare provider agreements
  • Insurance processing compliance
  • Research data governance
  • Telemedicine platform security
  • Medical device data protection
  • Emergency treatment protocols

Resources and References

Official Sources

Healthcare Guidance

  • Swiss Medical Association Guidelines
  • Swiss Hospital Association Recommendations
  • Cantonal Health Department Guidance
  • Medical Professional Body Requirements

Implementation Tools

  • FADP Compliance Templates
  • Privacy Notice Generators
  • Consent Form Libraries
  • Breach Notification Templates
  • Training Materials

International Cooperation

  • EU-Swiss Data Exchange Mechanisms
  • Adequacy Decision Monitoring
  • International Healthcare Standards
  • Cross-Border Transfer Procedures

This framework is maintained by Healthcare Manufaktur's Legal & Compliance team. For Swiss FADP questions, contact: swiss-compliance@healthcare-manufaktur.com

Last Updated: January 2025
