AI Medical Transcription in Switzerland (2026): FADP-Compliant Setup Checklist for Therapists
A practical FADP compliance checklist for Swiss therapists adopting AI medical transcription in 2026. Covers consent language, data storage, access control, retention policies, and DPIA requirements.
Written by Dya Clinical Team, Clinical Documentation Experts
Swiss therapists are increasingly adopting AI-powered transcription to cut documentation time and stay present with patients. But in a country where health data carries strict legal protections, "switching on a tool" isn't enough. The Federal Act on Data Protection (FADP) — in force since September 2023 and actively enforced — classifies health information as sensitive personal data, triggering higher consent thresholds, mandatory impact assessments, and significant penalties for non-compliance (up to CHF 250,000).
This article provides a practical, step-by-step checklist for therapists and clinic managers who want to deploy AI medical transcription in Switzerland while staying fully FADP-compliant in 2026.
Why Switzerland-Specific Compliance Matters
The FADP is not a copy of the GDPR. While it shares core principles — purpose limitation, data minimization, transparency — several differences directly affect how you set up AI transcription:
- Sensitive data requires explicit consent. Under Articles 6(6) and 6(7) FADP, processing health data demands express, informed, and freely given consent. Implied consent or pre-ticked boxes are not valid.
- Automated decision-making carries disclosure obligations. Article 21 FADP requires you to inform patients whenever a decision is based exclusively on automated processing and has a significant effect on them.
- Fines target individuals, not just organisations. Unlike the GDPR, FADP penalties can be imposed on the responsible natural person — meaning the therapist or clinic director, not just the practice entity.
- The FDPIC confirmed the FADP applies to AI. In May 2025, the Federal Data Protection and Information Commissioner explicitly stated that the technology-neutral FADP covers all AI-based data processing, including transcription.
With Switzerland having signed the Council of Europe Framework Convention on AI in March 2025, and a draft AI bill expected for consultation by end of 2026, the regulatory bar is only going up.
The 2026 FADP-Compliant Setup Checklist
Use the following checklist to assess and configure your AI transcription workflow. Each item maps to a specific FADP requirement.
1. Patient Consent
FADP basis: Articles 6, 7, 8, 19
Before recording any session, you need documented, explicit consent. Here's what "explicit" means under Swiss law:
- Separate consent form. Do not bury transcription consent inside a general treatment agreement. Create a standalone document or a clearly separated section.
- Plain language. Describe the process in terms the patient understands — avoid legal jargon.
- Specific purpose. State exactly what the AI tool does: "This tool records our conversation and generates a written summary to support your clinical documentation."
- Active opt-in. Use a checkbox or signature — not a pre-ticked box, not silence, not "continuing the session implies consent."
- Right to refuse without consequence. Make clear that declining AI transcription does not affect treatment quality.
- Withdrawal mechanism. Explain how the patient can revoke consent at any time and what happens to already-processed data.
Sample consent language:
I consent to the audio recording of this session using an AI-powered
transcription tool. The recording will be processed to generate written
clinical notes for my treatment file.
I understand that:
- The recording is processed on servers located in Switzerland
- No audio or text is used to train AI models
- I may withdraw this consent at any time by informing my therapist
- Withdrawing consent does not affect my right to receive treatment
- My data will be retained according to the practice's retention policy
(see details below)
☐ I agree ☐ I do not agree
Signature: _______________ Date: _______________
2. Data Storage and Localisation
FADP basis: Articles 16, 17 (cross-border transfers)
Where your data is stored and processed is a critical compliance decision.
- Prioritise Swiss-hosted infrastructure. The FADP permits cross-border transfers only to countries with adequate protection (as determined by the Federal Council) or with appropriate safeguards. Using Swiss-based servers avoids this complexity entirely.
- Verify your vendor's data residency. Confirm in writing that audio files and transcription outputs are processed and stored in Switzerland. Some vendors route data through US or EU cloud providers despite marketing themselves as "Swiss."
- No training on your data. Ensure the vendor's terms of service explicitly state that patient recordings and transcriptions are not used to train or improve AI models.
- Encryption at rest and in transit. Data should be encrypted using industry-standard algorithms and protocols (AES-256 for storage, TLS 1.3 for transmission at minimum).
- Backup location. If backups exist, they must also reside in Switzerland or an adequate jurisdiction, with the same access controls as primary storage.
Questions to ask your vendor:
| Question | Expected answer |
|---|---|
| Where are audio files processed? | Switzerland-based servers |
| Where is transcription output stored? | Switzerland-based servers |
| Is patient data used for model training? | No |
| What encryption standards do you use? | AES-256 at rest, TLS 1.3 in transit |
| Can I get a Data Processing Agreement (DPA)? | Yes, FADP-compliant |
| Do you subcontract to non-Swiss processors? | No, or with adequate safeguards |
3. Access Control
FADP basis: Articles 7, 8 (data security obligations)
Limiting who can access patient transcriptions is both a legal obligation and a practical safeguard.
- Role-based access. Only the treating therapist and authorised clinical staff should access a patient's transcriptions. Implement role-based access control (RBAC) in your system.
- Individual accounts. Shared logins make it impossible to audit who accessed what. Every team member needs their own credentials.
- Multi-factor authentication (MFA). Require MFA for any system storing health data. This is standard practice and increasingly expected by Swiss regulators.
- Audit logging. Log every access to patient transcriptions — who viewed or edited what, and when. Under the Swiss Electronic Patient Record Ordinance (EPRO), access logs must be retained for 10 years.
- Device management. Define which devices may access transcription data. Personal smartphones without encryption or screen-lock policies are a risk.
- Vendor admin access. Clarify whether the AI vendor can access your patient data for support or debugging, and under what conditions.
Minimum access control matrix:
| Role | Record session | View transcription | Edit transcription | Delete transcription | Manage users |
|---|---|---|---|---|---|
| Treating therapist | Yes | Yes | Yes | No | No |
| Supervising clinician | No | Yes (own patients) | No | No | No |
| Practice admin | No | No | No | No | Yes |
| IT administrator | No | No | No | No | Yes |
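One way to enforce the matrix above in application code, with deny-by-default permissions and an audit entry for every decision, allowed or denied. This is an added example, not code from Dya or any vendor; the `User` fields, the `authorize` function, the in-memory `AUDIT_LOG`, and applying the "own patients" check to every patient-scoped action are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions per role, transcribed from the matrix above. Anything not
# listed is denied, so "delete" is unavailable to every role.
MATRIX = {
    "treating_therapist": {"record", "view", "edit"},
    "supervising_clinician": {"view"},
    "practice_admin": {"manage_users"},
    "it_administrator": {"manage_users"},
}
# Actions that touch one patient's data and therefore need an assignment check
# (assumption: "own patients" is applied to all of them, not only to viewing).
PATIENT_SCOPED = {"record", "view", "edit", "delete"}

@dataclass
class User:
    user_id: str                                 # individual account, never shared
    role: str
    patients: set = field(default_factory=set)   # ids of assigned patients
    mfa_verified: bool = False                   # assumed to be set by the login flow

AUDIT_LOG = []  # stand-in for append-only storage kept for the 10-year period

def authorize(user, action, patient_id=None):
    """Return True only if MFA, the role matrix and patient assignment all allow it."""
    if not user.mfa_verified:
        allowed, reason = False, "mfa_required"
    elif action not in MATRIX.get(user.role, set()):
        allowed, reason = False, "role_denied"
    elif action in PATIENT_SCOPED and patient_id not in user.patients:
        allowed, reason = False, "not_assigned"
    else:
        allowed, reason = True, "ok"
    # Denied attempts are logged as well: they are what a reviewer looks for.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id, "role": user.role, "action": action,
        "patient": patient_id, "allowed": allowed, "reason": reason,
    })
    return allowed
```

In production the log would go to write-once storage that administrators of the application cannot alter.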
4. Data Retention and Deletion
FADP basis: Article 6 (proportionality, purpose limitation)
Swiss law requires that you keep data only as long as it serves a documented purpose — but also mandates minimum retention for medical records.
- Audio recordings: delete promptly. Once the transcription is generated and validated by the therapist, delete the original audio. There is rarely a legal basis to store raw recordings long-term.
- Transcriptions in patient files: 20-year retention. Under Swiss cantonal health laws and the Code of Obligations (personal injury limitation period), patient records — including transcriptions that form part of the clinical file — should be retained for 20 years from the last entry.
- Access logs: 10-year retention. Per the Electronic Patient Record Ordinance, access logs must be retained for 10 years and cannot be deleted during that period.
- Post-retention deletion. After the retention period, data must be deleted unless the patient provides explicit consent to continued storage.
- Document your policy. Write a data retention schedule that covers audio files, transcription text, metadata, and access logs. Make this available to patients upon request.
Recommended retention schedule:
| Data type | Retention period | Basis |
|---|---|---|
| Raw audio recording | Delete after transcription validation (max 48h) | Data minimisation principle |
| Transcription (in patient file) | 20 years from last entry | Cantonal health laws, CO Art. 128a |
| Session metadata (date, duration) | 20 years (part of patient file) | Cantonal health laws |
| Access/audit logs | 10 years | EPRO Art. 10 |
| Consent records | Duration of treatment + 20 years | FADP Art. 6 + evidentiary requirement |
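The schedule above expressed as a deletion sweep, as an added example that is not part of the original article or any vendor's product. The record fields, the `sweep` function, and counting the 48-hour ceiling from the recording time are assumptions; the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
PATIENT_FILE = {"transcription", "session_metadata"}

def add_years(dt, years):
    """Same calendar date `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)

def deletion_due(rec):
    """Time from which a record is due for deletion; None means keep for now."""
    kind = rec["kind"]
    if kind == "audio":
        # Assumption: the 48 h ceiling runs from the recording time.
        ceiling = rec["recorded_at"] + timedelta(hours=48)
        validated = rec.get("validated_at")
        return min(validated, ceiling) if validated else ceiling
    if kind in PATIENT_FILE:
        return add_years(rec["last_entry_at"], 20)
    if kind == "audit_log":
        return add_years(rec["logged_at"], 10)
    if kind == "consent":
        ended = rec.get("treatment_ended_at")   # None while treatment is ongoing
        return add_years(ended, 20) if ended else None
    raise ValueError(f"no retention rule for {kind!r}")  # unknown types fail loudly

def sweep(records, now):
    """Ids due for deletion; patient-file data stays past term only with explicit consent."""
    due_ids = []
    for rec in records:
        due = deletion_due(rec)
        if due is None or now < due:
            continue
        if rec["kind"] in PATIENT_FILE and rec.get("extended_storage_consent"):
            continue
        due_ids.append(rec["id"])
    return due_ids

# Constructed sample records, not real data.
SAMPLE = [
    {"id": "a1", "kind": "audio", "recorded_at": datetime(2026, 2, 27, 10, tzinfo=UTC)},
    {"id": "t1", "kind": "transcription", "last_entry_at": datetime(2005, 6, 1, tzinfo=UTC), "extended_storage_consent": True},
    {"id": "t2", "kind": "transcription", "last_entry_at": datetime(2006, 2, 28, tzinfo=UTC)},
    {"id": "l1", "kind": "audit_log", "logged_at": datetime(2016, 2, 29, tzinfo=UTC)},
    {"id": "c1", "kind": "consent"},
]
```

Running `sweep(SAMPLE, now)` on a schedule and logging each deletion gives the documented evidence that the written policy is actually applied.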
5. Data Protection Impact Assessment (DPIA)
FADP basis: Article 22
A DPIA is mandatory when data processing is likely to result in a high risk to individuals' rights. AI-based transcription of therapy sessions — involving sensitive health data, new technology, and potentially vulnerable data subjects — clearly meets this threshold.
Your DPIA should cover:
- Description of processing. What data is collected, how is it processed, and by whom?
- Purpose and necessity. Why is AI transcription needed, and is it proportionate?
- Risk assessment. What are the risks of data breach, inaccurate transcription, unauthorised access, or re-identification?
- Mitigation measures. How do encryption, access controls, consent, and vendor agreements reduce each risk?
- Residual risk evaluation. After mitigation, does high risk remain? If so, you must consult the FDPIC before proceeding.
Resources for Swiss DPIAs:
- The FDPIC factsheet on DPIAs: published at edoeb.admin.ch
- The VUD (Association for Corporate Data Protection) DPIA template: available at vud.ch/dpia, includes an AI-assisted fill-in tool
If you operate a solo practice, a DPIA may feel disproportionate — but the FADP does not exempt small practitioners from this obligation when processing sensitive data at scale with AI tools.
6. Transparency and Patient Information
FADP basis: Articles 19, 20, 21
Beyond consent, you have ongoing duties to inform patients about how their data is handled.
- Privacy notice. Update your practice's privacy policy to mention AI transcription, including the vendor name, processing location, and data flows.
- Automated processing disclosure. If the AI tool makes any decisions that affect the patient (e.g., flagging clinical risk indicators), you must disclose this and offer the patient the right to request human review.
- Right of access. Patients can request a copy of their transcriptions at any time. You must respond within 30 days.
- Right to correction. If a transcription contains errors, the patient can request correction.
- Signage or verbal notice. Consider placing a brief notice in your consultation room: "This practice uses an AI tool to assist with session documentation. Details are available in our privacy policy."
7. Vendor Due Diligence
FADP basis: Article 9 (data processing by third parties)
When you use a third-party AI transcription service, you remain the data controller. The vendor is your processor — and you are responsible for their compliance.
- Data Processing Agreement (DPA). Execute a written DPA with your vendor that specifies processing scope, security measures, sub-processors, breach notification obligations, and data return/deletion terms.
- Security certifications. Look for ISO 27001 or ISO 13485 (medical device) certification, SOC 2 reports, or equivalent audits.
- Sub-processor transparency. Know whether the vendor subcontracts processing to other companies, and where those sub-processors are located.
- Breach notification clause. The vendor must notify you promptly of any data breach so you can assess whether to report to the FDPIC (required when a breach poses high risk to individuals' rights).
- Exit strategy. Ensure you can export and delete all data if you switch vendors.
Quick-Reference Summary
| Area | Key requirement | FADP article |
|---|---|---|
| Consent | Explicit, informed, specific, freely given | Art. 6(7) |
| Storage | Swiss-hosted preferred; encryption mandatory | Art. 7, 16 |
| Access control | Role-based, audited, MFA-protected | Art. 7, 8 |
| Retention | Audio: delete promptly; files: 20 years | Art. 6 + cantonal law |
| DPIA | Mandatory for AI + sensitive health data | Art. 22 |
| Transparency | Privacy notice, automated processing disclosure | Art. 19, 20, 21 |
| Vendor | Written DPA, security audit, sub-processor list | Art. 9 |
What's Coming Next
Switzerland's regulatory landscape is evolving. Key developments to watch in 2026 and beyond:
- Draft AI bill (expected late 2026). The Federal Council has tasked the FDJP with drafting legislation implementing the Council of Europe AI Convention. This could introduce expanded transparency obligations, risk management requirements, and sector-specific rules for healthcare AI.
- Swissmedic AI/ML strategy. The Swiss medical regulatory agency is increasing its own use of AI and may issue guidance on AI-powered documentation tools.
- New device registration timelines. UDI registration obligations enter into force 1 July 2026 — relevant if your AI transcription tool qualifies as a medical device.
The best preparation is to build compliant foundations now. Practices that already meet FADP requirements will find it far easier to adapt to incoming rules than those scrambling to catch up.
Sources
This article draws on the following official and specialist references:
- FDPIC: AI and Data Protection — The Swiss Federal Data Protection and Information Commissioner's guidance confirming the FADP applies to AI systems.
- FDPIC: Current Data Protection Legislation Is Directly Applicable to AI — May 2025 update on AI-specific FADP applicability.
- FDPIC: Inspection, Storage and Deletion of Patient Data — Official guidance on medical record retention and patient rights.
- FDPIC: Data Protection Impact Assessment Factsheet (PDF) — DPIA requirements under Article 22 FADP.
- VUD: Data Protection Impact Assessment Template — Swiss-specific DPIA template with AI-assisted fill-in tool.
- Swiss KMU Admin: New Federal Act on Data Protection (nFADP) — Federal government overview of the revised FADP.
- Pestalozzi Attorneys: Switzerland Sets Its Course on AI Legislation — Analysis of the Federal Council's AI regulatory approach and the expected 2026 draft bill.
- Lenz & Staehelin: Switzerland Outlines Regulatory Approach to AI — Legal analysis of Switzerland's sector-specific AI regulation strategy.
- ICLG: Digital Health Laws and Regulations — Switzerland — Overview of digital health compliance in Switzerland including medical device timelines.
- 360core: Swiss Legal Retention Periods for Medical Records — Reference for 20-year retention requirements under cantonal health laws.