Data Security in Swiss Home Care: FADP & Cloud
Switzerland's revised Federal Act on Data Protection (FADP/nDSG) brings strict new obligations for home care providers handling sensitive health data. Here is what Spitex organizations need to know about cloud software compliance.
The Revised FADP: What Changed for Swiss Home Care
Switzerland's revised Federal Act on Data Protection (Datenschutzgesetz, nDSG) came into force on 1 September 2023. For home care providers — Spitex organizations, private care services, and facility operators — it introduced substantive new obligations that directly affect how you select, configure, and use software.
Unlike the previous law, the revised FADP aligns closely with the EU's GDPR in key areas: enhanced individual rights, mandatory data breach notification, data protection impact assessments (DPIAs), and stricter rules around automated decision-making. But it retains distinctly Swiss characteristics: the Swiss Federal Data Protection and Information Commissioner (FDPIC) enforces it, and some obligations diverge meaningfully from the EU framework.
Why Health Data Deserves Special Attention
The FADP categorizes health data as particularly sensitive ("besonders schützenswerte Personendaten"). Processing this data requires explicit consent or a specific legal basis. For home care organizations, the practical implications are significant:
- Client care records (medical history, diagnoses, medication) require documented consent or a statutory basis
- Caregiver location data collected via GPS-based mobile apps requires both contractual justification and clear retention limits
- Third-party data sharing (with hospitals, GPs, insurance companies) requires data processing agreements and, often, explicit client consent
If your organization processes client data using cloud software — and almost every modern home care platform does — you are acting as a data controller and your software vendor is a data processor. The FADP requires a formal written contract governing this relationship.
Cloud Software and Swiss Data Residency
A common question from Swiss home care operators is whether data must be stored in Switzerland. The short answer: not necessarily, but the transfer must be legally justified.
The FADP permits personal data transfers to countries that the FDPIC has recognized as providing adequate protection. The EU/EEA qualifies (post-Schrems II adjustments aside), as does a growing list of other jurisdictions. For transfers to countries without adequacy status, you need appropriate safeguards — typically Standard Contractual Clauses (SCCs).
In practice, many Swiss organizations prefer Switzerland- or EU-based data residency for cloud software to simplify compliance, minimize cross-border transfer complexity, and reassure clients. When evaluating platforms like BackOffice, always verify:
- Where data is stored at rest (data center location)
- Where data is processed (compute infrastructure)
- Sub-processors (third-party services the vendor uses, such as cloud storage or AI providers)
- Data processing agreement (DPA) availability and terms
Key FADP Obligations for Home Care Software
Transparency and Privacy Notices
You must inform clients clearly and in plain language about what data you collect, why, how long you retain it, and who you share it with. This means updating your privacy notice to reflect the specific software tools you use, including back-office platforms and mobile caregiver apps.
Data Breach Notification
The revised FADP requires notification to the FDPIC "as quickly as possible" when a data breach is likely to result in high risk to individuals. For health data, the threshold for "high risk" is low. Your software vendor must be contractually required to notify you promptly of any breach on their systems, and you must have an incident response plan in place.
Data Subject Rights
Clients have the right to access, correct, and request deletion of their personal data. Your software platform must support these rights operationally — meaning you can export or delete a specific client's data on request, and your vendor can support this for data processed in their infrastructure.
Automated Decision-Making
If your home care platform uses AI to make or influence care decisions — risk scoring, visit frequency recommendations — the FADP's provisions on automated decision-making apply. Clients have the right to request human review of automated decisions.
Practical Steps for Spitex Compliance
- Map your data flows. Document every system that processes client or caregiver personal data, including mobile apps, scheduling platforms, and billing tools.
- Sign DPAs with all software vendors. A compliant vendor like BackOffice should have a standard DPA available.
- Update your privacy notice. Include specific references to the tools you use and the data they process.
- Review sub-processor lists. Ask vendors which third parties they use and where those parties are located.
- Test your breach response process. Simulate a data breach scenario and verify you can notify the FDPIC within the required timeframe.
- Train staff. Caregivers using mobile apps need to understand what data is collected and how to handle incidents involving client data.
Choosing Compliant Home Care Software
When selecting or auditing your current home care platform, compliance should be a first-order evaluation criterion alongside functionality. Look for vendors who offer a signed DPA as standard, publish their sub-processor list, have clear data retention policies, and can demonstrate audit logs for all data access and modifications.
BackOffice is designed with Swiss compliance requirements in mind — including support for FADP-compliant data processing agreements, configurable retention policies, and comprehensive audit logging.
The revised FADP is not a checklist to complete once — it is a continuous obligation. Regular reviews of your software stack, data flows, and vendor agreements are now a necessary part of running a home care organization in Switzerland.