
Privacy Policy

Swiss Biohealth AG

Version: June 2025 — Revision for Swiss revFADP & EU GDPR Compliance


1  Introduction

Swiss Biohealth AG ("we", "our", "us") is committed to protecting your personal and health‑related data in accordance with:

  • Swiss Federal Act on Data Protection (revFADP, 1 Sept 2023),

  • EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) where we offer services to, or monitor the behaviour of, persons in the European Economic Area (EEA),

  • Swiss Penal Code Art. 321 (medical professional secrecy), and

  • Relevant cantonal health‑authority guidance.

This Privacy Policy explains how we collect, use, store, and share your data—including medical history and diagnostic images—and describes your rights under revFADP and GDPR.


2  Controller & Contacts

Controller (Art. 4 revFADP / Art. 4 §7 GDPR)
Swiss Biohealth AG – Biological Medical & Dental Clinic
Brückenstrasse 15, CH‑8280 Kreuzlingen, Switzerland
☎ +41 (0)71 678 2000  ✉ reception@swiss‑biohealth.com

EU Representative (Art. 27 GDPR)
DDSK GmbH, Dr‑Klein‑Str. 29, 88069 Tettnang, Germany
✉ datenschutz@swissdentalsolutions.com

Data Protection Officer (Switzerland / EU)
Annalena Arndt (DDSK GmbH) – same contact as above.


3  Legal Bases & Principles

We only process personal data when at least one of the following applies:

| Purpose | Swiss revFADP | EU GDPR |
|---|---|---|
| Consent (incl. sensitive health data) | Art. 31 §1 | Art. 6 §1 (a) & Art. 9 §2 (a) |
| Pre‑contract / Contract | Art. 31 §2 (a) | Art. 6 §1 (b) |
| Legal obligation | Art. 31 §1 | Art. 6 §1 (c) |
| Vital interests | Art. 31 §1 | Art. 6 §1 (d) |
| Legitimate interests (balanced test) | Art. 31 §1 | Art. 6 §1 (f) |
| Public interest in healthcare | Art. 31 §1 | Art. 9 §2 (h) |

Health data is “particularly sensitive” (revFADP) / “special category” (GDPR Art. 9). We apply stricter protection, encryption and access controls.


4  Medical Confidentiality (Art. 321 SCC)

All healthcare professionals working for or with Swiss Biohealth AG are bound by Swiss medical professional secrecy. Unauthorised disclosure—even within the organisation—is a criminal offence. Access to patient data is strictly role‑based, logged and periodically audited.


5  Purposes of Processing Medical & Other Data

Website visitors may voluntarily:

  • Submit medical history and treatment questionnaires,

  • Upload diagnostic images (e.g. X‑rays),

  • Book or prepare appointments,

  • Communicate with our clinic.

We process this data solely to:

  1. Perform pre‑clinical assessments and prepare treatment (Art. 6 §1 (b) GDPR / Art. 31 §2 (a) revFADP),

  2. Securely communicate with you (legitimate interest / consent),

  3. Comply with legal medical‑record obligations.


6  Explicit Consent for Health Data (Art. 9 §2 (a) GDPR)

Before sending medical information or uploading X‑rays, you must give explicit informed consent via a mandatory checkbox & consent form that states:

  • the categories of health data collected;

  • purposes & legal bases for processing;

  • storage in Switzerland/EEA for 10 years;

  • your right to withdraw consent at any time.

Without this consent, no upload or questionnaire submission is possible.


7  Hosting, Data Residency & International Transfers

  • Health data is stored on ISO‑27001 certified servers located in Switzerland.

  • Non‑health data (e.g., analytics, newsletters) may be processed in the EEA or selected third countries.

  • Any transfer outside Switzerland/EEA occurs only with:

    • An FDPIC or EU adequacy decision or

    • Standard Contractual Clauses (SCCs) plus risk assessment & supplementary safeguards.

  • We never use cloud services that cannot guarantee Swiss/EU jurisdictional control for health data.


8  Logging, Access Control & Encryption

  • End‑to‑end TLS 1.3 encryption in transit; AES‑256 at rest.

  • Multi‑factor authentication & least‑privilege role‑based access.

  • Immutable audit logs are retained for ≥10 years for patient records.

  • Annual penetration testing & continuous vulnerability management.


9  Cookies & Online Tracking

Essential cookies run on the basis of legitimate interest / Art. 45 revFADP and Art. 6 §1 (f) GDPR. Non‑essential cookies (analytics, marketing) are set only after consent via our Consent Management Platform (CMP), fulfilling Art. 45 revFADP, GDPR Art. 6 §1 (a) and ePrivacy requirements. Full details are available in our separate Cookie Policy.


10  Data Portability

  • Swiss visitors: No automatic right (Art. 28 revFADP). Requests are evaluated case‑by‑case.

  • EEA visitors: You may receive the personal data you provided in a structured, common, machine‑readable format and have it transmitted to another controller where technically feasible (Art. 20 GDPR).


11  Retention Periods

| Data Category | Retention |
|---|---|
| Medical & clinical records | 10 years after conclusion of treatment (cantonal law) |
| Website log files | 7 days |
| Marketing consents | Until withdrawal + 3 years evidence period |
| Accounting records | 10 years (Swiss Code of Obligations) |

12  Your Rights

| Right | revFADP | GDPR |
|---|---|---|
| Access | Art. 25 | Art. 15 |
| Rectification | Art. 32 §1 | Art. 16 |
| Erasure | Art. 32 | Art. 17 |
| Restriction | | Art. 18 |
| Portability | Art. 28 (conditional) | Art. 20 |
| Object to processing | Art. 31 §1 | Art. 21 |
| Withdraw consent | Art. 31 §1 | Art. 7 §3 |
| Not be subject to automated decisions incl. profiling | Art. 21 | Art. 22 |

You may exercise these rights at any time by contacting us at the addresses in Section 2. You also have the right to lodge a complaint with the Swiss FDPIC or the competent EU supervisory authority in the Member State of your habitual residence.


13  Automated Decision‑Making & Profiling

We do not engage in automated decision‑making producing legal effects or similarly significant impacts (Art. 22 GDPR / Art. 21 revFADP). Any profiling for marketing purposes is performed only with prior consent.


14  Security Measures

We maintain comprehensive Technical & Organisational Measures (TOMs) such as network segmentation, continuous monitoring, encryption, and incident‑response plans. A full TOMs register is available on request.


15  Contact & Complaints

Questions or requests regarding data protection:
✉ datenschutz@swissdentalsolutions.com
☎ +41 (0)71 678 2000

Supervisory authorities:

  • Swiss FDPIC – Feldeggweg 1, 3003 Bern, Switzerland

  • EU – contact the Data Protection Authority in your Member State (e.g., BfDI in Germany, CNIL in France, etc.).


16  Changes

We may update this Privacy Policy to reflect legal or operational changes. The latest version is always available on our website; previous versions are archived.


 
