LPD and medical website in Switzerland: what your practice needs to put in place
The new LPD has changed the obligations of healthcare professionals who collect data online. Here's what that actually means for your website.
The new Federal Data Protection Act, which came into force in September 2023, has changed the obligations of healthcare professionals who collect personal data online. For many doctors, dentists and other practitioners, the concrete impact on their website remains unclear. What you need to do isn't complicated, but ignoring these requirements puts your practice at real risk.
Here's what's involved and what it means in practice.
What the LPD considers sensitive data
The LPD distinguishes ordinary personal data from sensitive personal data. Health data falls into the second category, which carries a higher level of protection.
On a medical practice website, sensitive data appears faster than you might think. A contact form with a “reason for consultation” field collects health data. An appointment booking form with a “consultation type” drop-down list collects health data. An online pre-consultation questionnaire collects health data.
Even a simple email sent via your site's contact form, if the patient describes their symptoms, is covered by these rules.
Concrete obligations for your site
The first obligation is the privacy policy. Any website that collects personal data, even just a name and email via a contact form, must display a privacy policy accessible from every page. This text should explain what data you collect, why, how you store it, how long you keep it, and how users can request its deletion.
The second obligation concerns consent. For sensitive data such as health information, the individual's consent must be explicit. An appointment booking form with a “reason” field must therefore include a checkbox indicating that the patient accepts that this information is processed by your practice.
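As an added example that is not part of the original article, here is how the consent rule above can be enforced on the server that receives an appointment form: the submission is rejected when a health-related field is filled in but the explicit consent checkbox was not ticked. The field names (`reason`, `consultationType`, `healthDataConsent`) are assumptions chosen for this example; adapt them to your own form.

```javascript
// Added example (not from the original article): server-side validation of an
// appointment request that treats the free-text "reason" field as sensitive
// health data and refuses to accept it without explicit consent.
// Field names (reason, consultationType, healthDataConsent) are assumptions
// chosen for this example; adapt them to your form.

// Fields that, when filled in, turn an ordinary contact request into health data.
const HEALTH_DATA_FIELDS = ["reason", "consultationType"];

function hasText(value) {
  return typeof value === "string" && value.trim().length > 0;
}

// Returns { ok: true, record } for an acceptable submission, or
// { ok: false, errors: [...] } describing why it must be rejected.
function validateAppointmentRequest(payload) {
  const errors = [];
  if (!hasText(payload.name)) errors.push("name is required");
  if (!hasText(payload.email) || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(payload.email)) {
    errors.push("a valid email is required");
  }

  const containsHealthData = HEALTH_DATA_FIELDS.some((f) => hasText(payload[f]));
  // Explicit consent means an affirmative boolean true. The form handler should
  // map the checkbox to true only when it was actually ticked by the patient;
  // a missing value, a pre-ticked default or any other string counts as "no".
  if (containsHealthData && payload.healthDataConsent !== true) {
    errors.push("explicit consent is required because the request contains health data");
  }
  if (errors.length > 0) return { ok: false, errors };

  // Keep only the fields your privacy policy says you collect; drop anything
  // else the client may have sent along.
  const record = {
    name: payload.name.trim(),
    email: payload.email.trim(),
    containsHealthData,
    consentRecordedAt: containsHealthData ? new Date().toISOString() : null,
  };
  for (const f of HEALTH_DATA_FIELDS) {
    if (hasText(payload[f])) record[f] = payload[f].trim();
  }
  return { ok: true, record };
}
```

The timestamp stored with the record is what lets you show, later, when consent was given for that particular request; a plain contact request without any health field stays valid without the checkbox.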
The third obligation concerns hosting. Health data should not be stored on servers whose location you do not control. A form that sends data to an American service without contractual guarantees on how it is processed creates a regulatory risk. Choose hosts based in Switzerland or the EU, with explicit guarantees.
What many medical sites forgot to do
When the LPD came into force, many healthcare professionals added a privacy policy copied from a generic template. This is a common mistake. Generic text that does not match the reality of your site, your forms and your data processing practices is not compliant.
Another common oversight: analytics cookies. If your site uses Google Analytics or a similar tool, you collect behavioral data about your visitors. In Switzerland, you must inform users of these cookies and give them the opportunity to refuse them before they are placed. The cookie banner is not an administrative formality. It is legally necessary if you use tracking tools.
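The practical consequence of "before they are placed" is that the tracker script must not be in the page at all until the visitor has opted in. The following is an added example, not code from the original article or from any analytics vendor, of the browser-side logic that gates the tracker on a stored consent record. The storage key, the consent version number and the tracker URL are placeholders chosen for this example; the `document` and `localStorage` objects are passed in as parameters so the logic can be exercised outside a browser.

```javascript
// Added example (not from the original article): load an analytics tracker only
// after the visitor has explicitly opted in, and remember that choice so the
// banner is not shown on every page. CONSENT_KEY, CONSENT_VERSION and
// ANALYTICS_SRC are placeholders chosen for this example.

const CONSENT_KEY = "cookie-consent";                          // assumed storage key
const CONSENT_VERSION = 1;                                     // bump when the cookie policy changes
const ANALYTICS_SRC = "https://analytics.example/tracker.js";  // placeholder tracker URL

// Parse a stored consent record. Anything missing, malformed, or written for an
// older policy version counts as "no decision yet": the banner is shown again
// and nothing is loaded in the meantime.
function readConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    if (rec.version !== CONSENT_VERSION || typeof rec.analytics !== "boolean") return null;
    return rec;
  } catch {
    return null;
  }
}

// Called by the banner's "accept" / "refuse" buttons with true / false.
function writeConsent(storage, analytics) {
  const rec = { version: CONSENT_VERSION, analytics, decidedAt: new Date().toISOString() };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Returns "load", "skip" or "ask". The tracker is injected only on "load".
function trackingDecision(storage) {
  const rec = readConsent(storage);
  if (rec === null) return "ask";
  return rec.analytics ? "load" : "skip";
}

// Inject the tracker <script> tag once. `doc` is the page's document.
function loadAnalytics(doc) {
  if (doc.querySelector(`script[src="${ANALYTICS_SRC}"]`)) return false; // already present
  const s = doc.createElement("script");
  s.src = ANALYTICS_SRC;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}

// Entry point: run once at page load and again after the visitor clicks a
// banner button. `showBanner` is the function that displays your banner.
function applyConsent(storage, doc, showBanner) {
  const decision = trackingDecision(storage);
  if (decision === "load") loadAnalytics(doc);
  else if (decision === "ask") showBanner();
  return decision;
}
```

In a real page you would call `applyConsent(window.localStorage, document, showBanner)` at load time, and the banner's buttons would call `writeConsent(...)` followed by `applyConsent(...)` again. Versioning the stored record is what forces the question to be asked again when you add a new tracking tool, instead of silently reusing an old "yes".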
The real risks in the event of non-compliance
The Federal Data Protection Commissioner can investigate and order corrective measures, or even impose sanctions. For a medical practice, the risks are not only regulatory. Even a minor data incident in healthcare has a lasting impact on patient trust.
What changes in the construction of a site
The LPD is not a constraint you deal with after the site has been built. It is something that is thought through in advance. What forms will you have? What data do you actually collect? How will you store contact requests? Can your host give you a contractual commitment on where the data is located?
These questions influence technical choices. A site built with these requirements in from the start is more robust and less expensive to maintain than one you try to bring into compliance after the fact.