Data residency for clinics.
What the revised Swiss Federal Act on Data Protection (revFADP) actually requires for patient data — and what every practice manager should ask before signing a US-hosted document tool.
The 30-second summary
Patient data is "particularly sensitive personal data" under revFADP Art. 5(c). Processing it abroad — including by sub-processors of your tooling vendor — requires either (a) the country to have adequate data protection per the Federal Council's list, (b) appropriate safeguards (Standard Contractual Clauses, BCR), or (c) explicit patient consent for the specific transfer. The US is not on the adequacy list; it relies on safeguards. That is legally workable but operationally painful. The cleaner path for clinics is staying inside Switzerland.
What changed in September 2023
The revised FADP took effect on 1 September 2023. The headline differences from the old act: explicit data-breach notification obligations, a much broader requirement for processor agreements (Auftragsverarbeitungsverträge), a strengthened right to information, and material fines for individuals (yes, individuals — not companies) of up to CHF 250,000 for serious violations. For a small medical practice, the financial exposure is now real, not theoretical.
The CHF 250,000 fine attaches to the responsible natural person, not the practice. Your IT decision is now your personal liability.
Six questions to ask any document tool vendor
Before signing anything, paste these into an email to the vendor's sales team. Their answers (and how long they take to give them) tell you almost everything you need to know:
1. Where is patient data physically stored?
Not where the company is headquartered — where the actual servers live. "AWS eu-central-1" is a real answer; "in the cloud" is not. If they cannot tell you in two business days, walk away.
2. Where is patient data processed?
Storage and processing are different. A document might rest in Frankfurt but be sent to Virginia for OCR. Each of those is a transfer abroad that triggers revFADP obligations. Ask explicitly: "Where does the processing happen, including all sub-processors?"
3. Do you have a Data Processing Agreement signed by Swiss counsel?
A DPA is required under revFADP Art. 9. It must list every sub-processor and the country they operate in. If the vendor offers a generic GDPR DPA without revFADP-specific clauses, that is a red flag — not because GDPR is weaker, but because it tells you they haven't actually thought about Swiss requirements.
4. What happens if I get a data subject access request?
Patients have the right to know what data exists about them and to receive a copy in a portable format. The vendor must support exporting a single patient's data within 30 days. If they require you to file a support ticket and pay for it, that is itself a problem.
5. How do you handle a data breach?
revFADP requires notification to the FDPIC "as soon as possible" if the breach is likely to lead to a high risk for affected individuals. Your vendor must notify you in time for you to meet that obligation. Ask for the SLA in writing.
6. Do you use AI on my data, and if so, where?
This is the question most clinics forget to ask. If the document tool uses AI for OCR, classification, or summarisation, that AI call is a processing activity. If it goes to OpenAI's US infrastructure, that is a US transfer of patient data. Whether or not it's legally workable with SCCs, it is a fact you need to disclose in your privacy notice to patients.
The Swiss-only stack that exists today
It is now genuinely possible to run a complete patient document pipeline without any data leaving Switzerland. The components:
- Document storage. Nextcloud on Infomaniak (Geneva), or your own Workspace tenant if you've configured EU+CH regions. Both are revFADP-clean and offer signed Swiss DPAs.
- Workflow engine. n8n self-hosted on Exoscale (Geneva), Swisscloud, or any Swiss VPS provider. The workflow configuration is yours; you control the entire data path.
- AI / LLM. The Swisscom AI Service (Mistral models hosted in Zurich data centres) became commercially available in 2024 and is the cleanest path. Self-hosted Llama on Exoscale is the alternative for clinics that want no third-party AI dependency at all.
- Email / messaging. Stays on your existing provider. SwissFlow workflows send through your Gmail or Outlook tenant; we never see the message body once it leaves.
This stack is what we deploy on our Regulated tier. It is neither exotic nor expensive — the per-token cost on Swisscom AI is roughly 3× Gemini, but for a single-practice workload that translates to a difference of CHF 30–80 per month. Real money, but not a barrier.
What about the clinic's own EMR?
Most Swiss EMRs (CompuMed, Pegasos, NarcoData, MedFolio) are already Swiss-hosted, but the document attachments stored alongside them often leave the perimeter via the EMR's "share with patient" features. Worth auditing. The pattern we recommend: keep the EMR for clinical records, run a separate Swiss-hosted document workflow for everything the patient needs to see or upload, and integrate the two only at the metadata layer.
The practical recommendation
For most Swiss clinics, the cost-benefit calculation is simple. The Standard tier (Gemini, EU region, with PII anonymisation upstream) is legally workable but requires a careful disclosure to patients and a signed Standard Contractual Clauses package — and it leaves a residual risk that the FDPIC's posture on US transfers will tighten. The Regulated tier (Swiss-only AI, Swiss-only storage, Swiss-only processing) eliminates the residual risk for ~CHF 50/month more. For data classified as particularly sensitive, that is the right decision.
If you'd like us to audit your current document pipeline and tell you which tier you actually need, email info@swissflow.org. We look at one process, give you a written summary, and walk away if there's nothing to automate.
Published April 2026.