- FDPIC published strict information sheet on patient forms, based on the FADP, expects service providers to adapt forms.
- Duty to inform in accordance with Art. 19 FADP: active, immediately accessible information required; signature not required to confirm acknowledgement.
- Consent is not generally required under the FADP; if necessary, the FDPIC demands strict requirements for information and specificity.
- Data minimization and security: only collect necessary data, unsecured electronic transmission problematic, encryption recommended.
On September 30, 2025, the FDPIC published an undated and in places very strict information sheet, “Explanations on patient forms for medical and therapeutic consultations”. Attorney Martin Steiger has also reported on this.
The information sheet is based on the FADP and therefore not on cantonal data protection law, which applies to cantonal hospitals, and not on professional secrets protected by criminal law. It considers the doctor/patient relationship, but should also largely apply to other therapeutic professions. The background to the information sheet is the fact that many umbrella organizations and associations of service providers (such as the FMH) provide templates for declarations of consent that raise questions regarding data protection, which is why the FDPIC wants to raise awareness among service providers (“Lerb”). He expressly expects forms to be adapted where necessary.
Information
First of all, the leaflet addresses the duty to inform according to Art. 19 f. FADP, but contains nothing new or surprising here. At most, it indicates a tendency towards a strict attitude with regard to the availability of information:
In addition, the controller must actively provide information; when obtaining the data, the controller must ensure that the data subject does not have to search for or request the information first, but can access it immediately. In other words, the doctor must ensure that the patient can take note of the information in an appropriate manner; however, he or she does not have to ensure that the patient actually does so.
It is of course correct to point out that service providers do not need a confirmation of acknowledgement:
It should be emphasized here that, in contrast to consent (see chapter 2), this is “only” information, and explicit acknowledgement is not a prerequisite for validity. Whether the doctor complies with the duty to inform is therefore not dependent on the patient’s signature. The patient is not obliged to confirm that he or she has taken note of the information. To avoid creating unnecessary problems, it is therefore better not to require a signature.
Consent
The information sheet begins the topic of consent with a sentence that can be underlined twice:
According to the FADP, consent is not a prerequisite for doctors to process the personal data of patients.
This applies to all particularly sensitive data (and even more so to all other data). Consent may of course be required, but this is not always the case.
If consent is required, the usual requirements apply, which the FDPIC intends to apply very strictly:
- Informed: Here, the FDPIC first assumes that Art. 19 FADP sets the minimum content of the information required for informed consent:
The data subject must therefore receive at least the information specified in Article 19 FADP. Depending on the context and type of data processed, further explanations may be required to enable the data subject to assess the scope of the consent.
It is questionable whether this applies in absolute terms, but in practice it is likely to apply as a rule because and as long as no high requirements are placed on the duty to provide information, which is ultimately only intended to enable a request for information.
However, it is wrong to state that the information “must” be “as comprehensive as possible” – it only has to be sufficient, more is always possible. As for the statement that the declaration of consent must also include the “consequences of non-consent” and “the way in which the person can revoke his or her consent or assert their right of access”: it can hardly be argued that a patient cannot form a genuine will to consent without this information.
- Specific: Here, the FDPIC does not allow blanket consent, and rightly so, of course. However, he is also very strict here when he writes that prior consent to the disclosure of the dossier to a medical specialist is invalid; the consent can only be obtained when the question specifically arises. Prior consent “to the forwarding of any debt collection proceedings to a third-party company” is also invalid. There is no justification here either.
Ultimately, however, the FDPIC’s position here boils down either to a kind of forfeiture of consent over time or to the assumption that a patient cannot accept a certain lack of clarity. There is no basis for either in the case of responsible patients. Moreover, the FDPIC’s position would not be limited to the healthcare sector – all sectors with sensitive data, including the financial sector, could no longer obtain such consent in general terms and conditions. However, the FDPIC only comments on data protection, not on criminal law. A different standard may very well apply here.
- Voluntariness: no comments.
Secure electronic data disclosure
Consent to “unsecured electronic data disclosure” is problematic. Even purely administrative exchanges involve data that is particularly worthy of protection and must therefore be secured, e.g. through encryption. Consent to unsecured exchange is only possible if the patient has been informed of the risks and has agreed to it voluntarily, which requires, among other things, an effective choice.
Proportionality
According to this, the employee may not obtain more data than necessary. Data such as maiden name, marital status, nationality, business telephone number, occupation and name of employer are generally not necessary, subject to individual cases – in any case, the data controller must always be able to justify specific data processing. Excessive questionnaires should therefore be corrected.
This is of course correct in principle, but only in principle. Firstly, the principle of proportionality by definition allows for broad discretion, and data protection authorities – or the FDPIC – cannot substitute their discretion for that of the controller (a non-emergency practice would be correct). Secondly, a violation can be justified, possibly also by practicability considerations (insofar as these are not already taken into account in the application of proportionality itself).