
nFADP and medical AI in Switzerland: what every physician needs to know

13 April 2026 · Clinovus AI Team

Since 1 September 2023, Switzerland's revised Federal Act on Data Protection (nFADP) has been in force. It applies to any processing of personal data — including when carried out by an artificial intelligence system. For physicians who use or plan to use AI in their practice, the implications are concrete and the responsibility, personal.

Why the nFADP changes the rules for medical AI

The 2023 revision adapts the legal framework to digital realities: cloud, artificial intelligence, automated decisions, international data transfers. The Federal Data Protection and Information Commissioner (FDPIC) has been clear: the nFADP applies directly to AI tools, with no need for a specific AI law.[1]

Health data: a special category

Health data are sensitive personal data under Art. 5(c) nFADP.[2] Their processing requires an explicit legal basis, and any breach must be reported to the FDPIC without delay (Art. 24 nFADP).

The physician remains responsible — even with a processor

The physician or medical practice is the data controller for patient data. This responsibility does not transfer to the AI provider.[3]

The nFADP provides for criminal fines of up to CHF 250,000 for intentional violations (Art. 60 nFADP). These sanctions are personal: the physician, as data controller, is exposed — not just the software provider.

The 5 concrete obligations

[Figure: The 5 concrete nFADP obligations for every physician using AI]

1. Conclude a data processing agreement

Any AI provider processing data on your behalf must be covered by a data processing agreement (Art. 9 nFADP).

2. Maintain a record of processing activities

Practices processing sensitive data must document their activities (Art. 24 nFADP). The FMH provides templates on its website.[4]

3. Ensure recognisability

AI processing must be recognisable to the patient (Art. 6(3) nFADP). A mention in the practice's privacy notice is generally sufficient.

4. Guarantee AI transparency

Users of AI systems must provide transparent information on the purpose, functioning and data sources of the system.[1]

5. Provide for human oversight

The nFADP gives data subjects the right to request that an automated decision be reviewed by a human (Art. 21 nFADP). AI outputs must be systematically validated before any clinical use.

The CLOUD Act trap

The CLOUD Act (2018) allows US authorities to access data held by US companies, regardless of the physical location of the servers. Data in a tool operated by a US company, even when hosted in Europe, therefore remains potentially accessible to those authorities.

What "Swiss hosting" really means

Hosting exclusively on Swiss servers, operated by a company not subject to the CLOUD Act, eliminates this risk. This is the safest position under the nFADP and medical professional secrecy (Art. 321 SCC).

Checklist — 7 questions to ask your AI provider

| Question | What to verify |
| --- | --- |
| Where is data hosted? | Swiss servers or adequacy-recognised country |
| Is the company subject to the CLOUD Act? | No US parent company |
| Is a data processing agreement offered? | Mandatory under Art. 9 nFADP |
| Is data used to train the AI? | No, unless explicit consent |
| What encryption is applied? | TLS 1.3 in transit, encryption at rest |
| How are breaches managed? | Notification and documented procedure |
| Can data be retrieved? | Full export and certified deletion |

What the nFADP does not prohibit

The nFADP does not prohibit AI in the medical field. AI-based processing is permitted, provided adequate measures are in place.[1] A well-designed tool, hosted in Switzerland, with a data processing agreement, is fully nFADP-compliant.

Frequently asked questions

Do I need my patient's consent to use AI during a consultation?

A signed consent form is not systematically required. The nFADP requires that processing be recognisable to the patient. A clear mention in the practice's privacy notice, combined with a verbal explanation at the first visit, is generally sufficient. For audio recording, however, explicit consent is recommended.

Are ChatGPT or other generative AI tools nFADP-compliant for medical use?

Using tools like ChatGPT to process identifiable patient data is problematic: no data processing agreement, hosting on US servers subject to the CLOUD Act, and potential use of data for model training. For clinical use, rely on tools specifically designed for the medical sector, with Swiss hosting and a data processing agreement.

What penalties apply for nFADP violations?

The nFADP provides for criminal fines of up to CHF 250,000 for intentional violations. These sanctions are personal: it is the physician, as the data controller, who is exposed — not just the software provider.

Does the nFADP also apply to paper records?

Yes. The nFADP covers any processing of personal data, whether electronic or not. Consulting a paper file or dictating a note constitutes data processing under the law. AI creates no new obligations — it simply moves processing into a digital environment subject to the same principles.

Sources and references

  1. FDPIC (2023). The current data protection law applies directly to AI. edoeb.admin.ch
  2. Swiss Confederation. nFADP, SR 235.1, art. 5(c). fedlex.admin.ch
  3. FMH / SAMS (2024). Practical guide, chap. 7.2. leitfaden.samw.fmh.ch
  4. FMH (2023). nFADP templates for medical practices. fmh.ch
  5. Caisse des Médecins (2023). The nFADP and medical practices. snm.ch

Disclaimer: this article is for informational purposes only. It does not constitute legal advice. For specific legal questions, please consult a data protection specialist.
