Swiss Data Protection Law (DSG/LPD)
Switzerland's revised Federal Act on Data Protection (DSG) came into force in September 2023. It significantly strengthened the rights of individuals over their personal data — including health data.
What is the DSG?
The Datenschutzgesetz (DSG) — Loi fédérale sur la protection des données (LPD) in French, Legge federale sulla protezione dei dati (LPD) in Italian — is Switzerland's federal data protection law. The revised version came into force on 1 September 2023, replacing the original 1992 law and aligning Switzerland more closely with the European GDPR framework.
The DSG applies to all organisations processing personal data of persons in Switzerland — including healthcare providers, insurance companies, hospitals, pharmacies, and laboratories. It is enforced by the Federal Data Protection and Information Commissioner (FDPIC / EDÖB).
Health data as particularly sensitive data
The DSG classifies health data as "sensitive personal data" (besonders schützenswerte Personendaten), placing it in the highest protection category alongside genetic data, biometric data, religious beliefs, and criminal records. Processing sensitive data requires:
- An explicit legal basis (typically: your consent, a statutory obligation, or a legitimate interest that overrides your privacy)
- Information to you about what data is collected and why
- Technical and organisational measures appropriate to the sensitivity of the data
In practice, this means that your GP cannot share your medical records with another doctor without your consent (unless legally required), your insurer cannot access your full clinical record just because they pay the bills, and healthcare providers must have documented processes for securing and managing health data.
Your rights under the DSG
As a patient and insured person, the revised DSG grants you the following rights:
- Right of access (Auskunftsrecht): You can request, at any time and free of charge, a full disclosure of what personal data an organisation holds about you, where it came from, and who it has been shared with. Healthcare providers must respond within 30 days.
- Right to correction: If data about you is incorrect, you can request that it be corrected. If correction is disputed (e.g. the doctor believes the note is accurate and you disagree), you can request that a note of dispute be added to your file.
- Right to deletion: In certain circumstances, you can request that your data be deleted — though healthcare providers have legal retention obligations (typically 10 years for medical records) that take precedence over deletion requests.
- Right to data portability: You can request your data in a structured, commonly used, machine-readable format when technically feasible. This is relevant for electronic health records and insurer claim data.
- Right to object: You can object to certain types of processing — for example, you can tell your clinic that you do not consent to your data being used for research purposes.
Medical secrecy (Berufsgeheimnis / Schweigepflicht)
Separate from but reinforcing the DSG, Swiss law imposes medical secrecy obligations on healthcare professionals under the Swiss Criminal Code (Article 321). Doctors, nurses, pharmacists, and their staff are prohibited from disclosing patient information to third parties without the patient's consent.
Medical secrecy can only be broken in narrow legally defined situations:
- With your explicit consent
- Mandatory reporting of certain infectious diseases to the BAG
- Mandatory reporting of suspected child abuse or domestic violence (varies by canton)
- Court orders in legal proceedings
- Imminent serious threat to life (your own or others')
Importantly: your employer cannot require your GP to provide a medical report about you. Your insurer can see billing codes (diagnosis codes on invoices) but not your full clinical notes.
Electronic patient record (EPD)
Switzerland is progressively rolling out the Elektronisches Patientendossier (EPD) — a federally mandated electronic health record. Hospitals are required to connect; GPs and other providers are encouraged to participate. As a patient, you decide whether to open an EPD, who can access it, and what goes into it. The EPD is patient-controlled — you hold the master access.
The EPD is still in early stages of adoption. In practice, most patients are not yet using it widely. Over the coming years, as adoption grows, it will become an important tool for coordinating care across multiple providers.
Insurer access to your data
Your KVG insurer has access to:
- Billing invoices with diagnosis codes (ICD-10) and procedure codes (Tarmed/Tardoc)
- Prescription data through the pharmacy billing system
- Hospitalization data through SwissDRG invoices
Your insurer does not have automatic access to your clinical records, consultation notes, or specialist reports. If an insurer requests additional medical information (e.g. when evaluating a disability claim under supplementary insurance), they must request it from you explicitly and you must consent. You can engage a trusted doctor (Vertrauensarzt) to review requested information as an intermediary.
- DSG — Datenschutzgesetz (SR 235.1). Verified April 2026
- EDÖB — Federal Data Protection Commissioner. Verified April 2026
Independent guide — not affiliated with BAG or any insurer. Information is for guidance only.