Data Retention for Patient Notes & Audio: A Practical Policy for Small Clinics (Switzerland/EU, 2026)
A ready-to-use retention policy template for small clinics in Switzerland and the EU. Covers audio recordings, transcripts, session notes, patient PDFs, access control, deletion routines, and role-based visibility.
Written by
Dya Clinical Team
Clinical Documentation Experts
You've started using an AI scribe. The transcripts pile up alongside session notes, audio files, exported PDFs, and consent forms. Six months in, you realise nobody in your clinic can answer a basic question: how long do we keep each of these, and who's allowed to see them?
If you're a small clinic — two to fifteen practitioners — in Switzerland or the EU, the answer isn't one number. It's a matrix. Audio recordings have different rules than clinical notes. Transcripts occupy a grey area. Access logs carry their own timeline. And the consequences of getting it wrong are personal: the revised FADP (Art. 60 to 63) imposes criminal fines of up to CHF 250,000 primarily on the responsible natural person, not on the clinic as an entity.
This article gives you a practical, copy-and-adapt retention policy. It includes a complete retention table, role-based access controls, deletion routines, and the legal basis behind every decision.
Why Small Clinics Need a Written Retention Policy
Large hospitals have compliance departments, legal counsel, and dedicated data protection officers. Small clinics have a practice manager who also handles billing and a therapist who set up the cloud storage. The regulatory obligations, however, are identical.
Both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR) require you to:
- Define retention periods for every category of personal data you process
- Document the legal basis for keeping data beyond the immediate treatment purpose
- Delete or anonymise data once the retention period expires
- Restrict access to personal data on a need-to-know basis
- Maintain records of processing activities (ROPA) — including retention periods — and make them available upon request. The FADP exempts businesses with fewer than 250 employees unless they process sensitive data on a large scale, so check whether that exemption covers your clinic; the GDPR's small-business exemption (Article 30(5)) does not apply to regular processing of health data, so EU clinics need a ROPA regardless.
For clinics using AI transcription tools, the stakes are higher. Audio recordings of patient sessions contain health data, which is sensitive personal data under both the FADP (Article 5(c)) and the GDPR (Article 9). A voice recording additionally becomes biometric data if it is processed to identify the speaker (GDPR Article 4(14)); a recording kept only for transcription is not biometric by itself, but the tooling around it may make it so. Processing without a clear policy isn't just sloppy — it's a compliance violation waiting to be discovered.
A written policy protects you. It demonstrates to patients, regulators, and insurers that you've thought through the lifecycle of every data type in your practice. And it takes less time to create than you think.
The Legal Landscape: Switzerland vs. EU
Before building the retention table, you need to understand the rules that drive each number.
Switzerland (FADP + Cantonal Health Laws)
The FADP does not prescribe a single retention period for medical records. Instead, the timeline is shaped by multiple overlapping obligations:
- Swiss Code of Obligations (CO), Articles 60 and 128a. Since January 2020, the limitation period for personal injury claims — including medical malpractice — is 20 years from the date of the act or omission that caused the damage. This is the primary driver of medical record retention in Switzerland.
- FMH Code of Professional Conduct, Article 12. The Swiss Medical Association requires members to keep adequate records for at least 20 years following the last entry.
- Cantonal health laws. Individual cantons regulate documentation obligations for healthcare providers. Most have updated or are updating their retention requirements to align with the 20-year limitation period, though some still reference the older 10-year standard. Check your canton's current health law.
- Electronic Patient Record Ordinance (EPRO), Article 10. Medical data in electronic patient records must be destroyed after 20 years. Access logs must remain accessible for 10 years and cannot be deleted during that period.
- FADP, Article 6 (proportionality and purpose limitation). Data must be deleted or anonymised once the purpose of processing has been fulfilled — but the legal retention obligations described above provide a valid purpose for continued storage.
The practical rule for Switzerland: plan for 20-year retention of clinical records, and build everything else around that anchor.
EU (GDPR + Member State Laws)
The GDPR follows the same principle as the FADP: keep data only as long as necessary, but comply with sector-specific retention obligations. The key difference is that retention periods vary by member state:
| Country | Typical medical record retention | Legal basis |
|---|---|---|
| Germany | 10 years after treatment | § 10(3) MBO-Ä, § 630f(3) BGB |
| France | 20 years from last treatment | Art. R. 1112-7 CSP |
| Netherlands | 20 years from last visit | Art. 7:454(3) BW |
| Austria | 10 years (30 years for radiation records) | § 51(3) ÄrzteG, § 39 StrSchG |
| Italy | Indefinite (public), 10 years (private) | Various ministerial decrees |
| Belgium | 30 years | Art. 46 KVG/Loi AMI |
The practical rule for EU clinics: check your member state's medical records law, use that as your anchor, and apply GDPR's data minimisation principle to everything else.
The Retention Table: What to Keep, How Long, and Why
Here is a ready-to-use retention schedule covering the data types that small clinics using AI documentation tools typically handle. Adapt the specific periods to your jurisdiction.
| Data type | Description | Retention period (CH) | Retention period (EU) | Legal basis | Action after expiry |
|---|---|---|---|---|---|
| Raw audio recording | Audio captured during patient session by AI scribe | Delete within 48 hours of transcription validation | Delete within 48 hours of transcription validation | Data minimisation (FADP Art. 6 / GDPR Art. 5(1)(e)) | Permanent deletion from all systems including caches and backups; where backup generations cannot be edited, document their rotation period and treat its end as the real deletion date |
| AI-generated transcript | Verbatim or near-verbatim text output from AI tool | Delete within 7 days if not incorporated into clinical record; 20 years if part of patient file | Delete within 7 days if not incorporated into clinical record; per member state law if part of patient file | Data minimisation; cantonal health laws / member state law | Permanent deletion or anonymisation |
| Structured session notes | Clinician-reviewed clinical notes (SOAP, DAP, etc.) | 20 years from last entry | Per member state law (10–30 years) | FMH Art. 12; CO Art. 128a / member state medical records law | Permanent deletion or anonymisation |
| Patient summary PDFs | Exported reports, referral letters, discharge summaries | 20 years from creation | Per member state law | Part of clinical record | Permanent deletion |
| Consent forms | AI transcription consent, treatment consent | Duration of treatment + 20 years | Duration of treatment + per member state limitation period | Evidentiary requirement; FADP Art. 6 / GDPR Art. 7(1) | Permanent deletion |
| Access/audit logs | Records of who accessed what and when | 10 years (non-deletable) | Per member state law; minimum recommended 10 years | EPRO Art. 10 / GDPR Art. 5(2) accountability principle | Permanent deletion |
| Session metadata | Date, time, duration, practitioner ID | 20 years (part of patient file) | Per member state law | Part of clinical record | Permanent deletion |
| Patient contact details | Name, address, phone, email | 20 years from last clinical entry, or until patient requests deletion (whichever is later, considering legal obligations) | Per member state law | Part of clinical record + correspondence | Permanent deletion |
| Billing/insurance records | Invoices, insurance correspondence | 10 years from creation | 10 years (common across EU) | CO Art. 958f (business records) / local tax and commercial law | Permanent deletion |
Key Principles Behind This Table
Audio is the most sensitive item. Raw recordings capture everything — side comments, family conversations, ambient noise. There is rarely a legal basis for keeping audio once the transcript has been validated. The data minimisation principle under both FADP and GDPR demands prompt deletion. A 48-hour window gives clinicians time to review and approve the transcript before the source material is destroyed.
Transcripts are clinical records only if you make them so. An AI-generated transcript that sits in a tool's dashboard but never enters the patient file is not part of the clinical record. It should be treated as temporary processing data and deleted within days. A transcript that the clinician reviews, edits, and incorporates into the patient file becomes a clinical record and inherits the full retention period.
Consent forms outlive the data they authorise. You may need to prove that consent was obtained long after the associated data has been deleted. Retain consent records for the full limitation period.
Access Control: Who Can See What
A retention policy is meaningless without access controls. If everyone in your clinic can access everything, retention periods don't protect patient privacy — they just define how long privacy is violated.
Role-Based Access Control (RBAC) Matrix
The following matrix defines minimum access levels for a small clinic. Adapt roles to your team structure.
| Data type | Treating clinician | Supervising clinician | Practice manager / admin | Billing staff | IT support / vendor |
|---|---|---|---|---|---|
| Raw audio | Full access (own patients) | No access | No access | No access | No access |
| AI transcript (pre-approval) | Full access (own patients) | No access | No access | No access | No access |
| Approved session notes | Full access (own patients) | Read-only (supervised patients) | No access | No access | No access |
| Patient summary PDFs | Full access (own patients) | Read-only (supervised patients) | Read-only (for scheduling/referrals) | No access | No access |
| Consent forms | Read (own patients) | No access | Read/write (all patients — manages intake) | No access | No access |
| Access/audit logs | No access | No access | Read-only | No access | Read-only (for technical audits) |
| Session metadata | Read (own patients) | Read (supervised patients) | Read (all — for scheduling) | No access | No access |
| Billing records | No access | No access | Full access | Full access | No access |
| Patient contact details | Read (own patients) | Read (supervised patients) | Full access | Read (for billing) | No access |
Implementation Rules
- Individual accounts only. Shared logins destroy audit trails. Every person accessing patient data must have their own credentials. Neither law spells out "one account per person", but both require you to secure the data and to demonstrate who did what (FADP Art. 8; GDPR Art. 32 and the accountability principle in Art. 5(2)), and a shared login makes that impossible.
- Multi-factor authentication (MFA). Required for any system storing health data. SMS-based MFA is better than nothing; authenticator apps are better; hardware security keys or passkeys (FIDO2) are best, because they also resist phishing.
- Automatic session timeouts. Systems should lock after 10–15 minutes of inactivity. A clinician's unlocked laptop in an empty consultation room is an access control failure.
- Device policies. Define which devices may access clinical data. Personal phones without encryption, screen locks, or remote-wipe capability should not have access to patient records.
- Vendor access. If your AI transcription vendor can access patient data for support or debugging, this must be documented in your Data Processing Agreement (DPA), limited to specific circumstances (ideally a named support case with an expiry), and logged.
- Quarterly access reviews. Every three months, review who has access to what. Remove accounts for departed staff immediately — not "when someone remembers." This is a common audit finding.
- Log everything. Under the Swiss Electronic Patient Record Ordinance, access logs must be retained for 10 years and cannot be deleted. Even if you're not subject to EPRO directly, maintaining access logs is a GDPR best practice and your strongest evidence in case of a breach investigation. Log denied attempts as well as successful ones, and store the log where the people it covers cannot edit it.
Deletion Routines: How to Actually Enforce the Policy
A policy that says "delete after 48 hours" means nothing if nobody checks. Small clinics need automated or semi-automated deletion routines.
Audio Recording Deletion
- Trigger: Clinician marks transcript as "approved" in the documentation tool
- Timeline: Audio deleted within 48 hours of approval
- Method: Automated deletion by the AI tool (verify with your vendor that this is the default behaviour and that audio is deleted from all storage layers, including backups, caches and any copies made for support; have the deletion path confirmed in writing in the DPA)
- Verification: Monthly spot-check — pull a sample of 5 recent sessions and confirm no audio files remain after the 48-hour window
- Fallback: If automated deletion fails or isn't available, assign a weekly manual deletion task to the practice manager
Transcript Cleanup
- For transcripts incorporated into patient files: No deletion needed until the full clinical record retention period expires
- For transcripts NOT incorporated: Delete within 7 days of session date
- Method: Weekly review of the AI tool's dashboard for orphaned transcripts — any transcript older than 7 days that hasn't been linked to a patient record gets deleted
- Responsibility: Treating clinician (for their own transcripts) or practice manager (for oversight)
End-of-Retention Deletion
- Trigger: Patient's last clinical entry reaches the retention period threshold (20 years in Switzerland, per member state law in the EU)
- Scope: All data in the retention table — notes, PDFs, metadata, consent forms, contact details
- Method: Annual review of patient records approaching the retention deadline. Flag records 6 months before expiry. Confirm no ongoing treatment or legal proceedings before deletion.
- Exception: If the patient has an active complaint, pending litigation, or ongoing treatment, extend retention until the matter is resolved plus any applicable limitation period
- Documentation: Log every deletion action — what was deleted, when, by whom, and under what authority. Retain the deletion log for 10 years.
The "Right to Erasure" Complication
Under both FADP and GDPR, patients can request deletion of their data. In healthcare, this right is not absolute:
- You cannot delete data that you are legally required to retain (e.g., clinical records during the statutory retention period)
- You can delete data that exceeds legal retention requirements — for example, raw audio recordings, marketing communications, or contact details not needed for treatment
- You must respond without undue delay: the GDPR sets one month, extendable by two further months for complex requests (Article 12(3)); the FADP sets 30 days for access requests (Article 25) and no fixed period for deletion requests, so 30 days is a sound internal target under both. Explain which data was deleted, which was retained, and why
Draft a standard response template for erasure requests so your team doesn't improvise under pressure.
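The three deletion routines (audio, orphaned transcripts, end-of-retention with the legal-hold exception), the deletion log and the erasure-request split above all reduce to one decision function over a record's type, its timestamps and the patient's status. The block below is an added example written for this article, not code from Dya Clinical or any vendor; the record fields, the 182-day flag window and the sample records are assumptions, and the 20-year clinical anchor is the Swiss figure (substitute your member-state period).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

AUDIO_GRACE = timedelta(hours=48)       # after transcript approval
ORPHAN_GRACE = timedelta(days=7)        # transcript never linked to a patient file
CLINICAL_YEARS = 20                     # Swiss anchor; EU: member-state period
BILLING_YEARS = 10                      # CO Art. 958f
FLAG_WINDOW = timedelta(days=182)       # "flag records 6 months before expiry"
NOT_LEGALLY_REQUIRED = {"raw_audio"}    # erasable on request at any time

@dataclass(frozen=True)
class Patient:
    patient_id: str
    last_clinical_entry: datetime
    legal_hold: bool = False            # complaint, litigation or ongoing treatment

@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str                      # raw_audio | transcript | session_notes | billing | ...
    patient_id: str
    created: datetime
    approved_at: Optional[datetime] = None   # transcript approval: the audio trigger
    in_patient_file: bool = False            # transcript incorporated into the file?

def add_years(d: datetime, n: int) -> datetime:
    return d.replace(year=d.year + n, day=min(d.day, 28) if d.month == 2 else d.day)

def decide(rec: Record, patient: Patient, now: datetime) -> Tuple[str, str]:
    """Return (action, reason); action is 'delete', 'retain' or 'flag'."""
    if rec.data_type == "raw_audio":
        if rec.approved_at is None:
            return "retain", "transcript not yet approved"
        if now - rec.approved_at >= AUDIO_GRACE:
            return "delete", "48h after transcript approval"
        return "retain", "within 48h review window"
    if rec.data_type == "transcript" and not rec.in_patient_file:
        if now - rec.created >= ORPHAN_GRACE:
            return "delete", "orphaned transcript older than 7 days"
        return "retain", "orphaned transcript within 7 days"
    if rec.data_type == "billing":
        expiry = add_years(rec.created, BILLING_YEARS)
    else:                               # everything that is part of the clinical record
        if patient.legal_hold:
            return "retain", "legal hold: resolve the matter before deleting"
        expiry = add_years(patient.last_clinical_entry, CLINICAL_YEARS)
    if now >= expiry:
        return "delete", f"retention period expired on {expiry.date()}"
    if now >= expiry - FLAG_WINDOW:
        return "flag", f"expires {expiry.date()}; confirm no hold, then delete"
    return "retain", f"within retention until {expiry.date()}"

def run_deletion(records, patients, now, actor):
    """Apply decide() to every record; return deleted ids and the deletion log."""
    deleted, log = [], []
    for rec in records:
        action, reason = decide(rec, patients[rec.patient_id], now)
        if action == "delete":
            deleted.append(rec.record_id)
            log.append({"ts": now.isoformat(), "record_id": rec.record_id,
                        "type": rec.data_type, "by": actor, "authority": reason})
    return deleted, log                 # the log itself is kept for 10 years

def erasure_request(records, patient, now):
    """Split one patient's records into what is erased now and what must stay."""
    out = {"erase": [], "retain": []}
    for rec in records:
        action, reason = decide(rec, patient, now)
        if action == "delete" or rec.data_type in NOT_LEGALLY_REQUIRED:
            out["erase"].append((rec.record_id, reason if action == "delete" else "not legally required"))
        else:
            out["retain"].append((rec.record_id, reason))
    return out

def demo_retention():
    """Constructed records on a fixed clock; returns what the routines decide."""
    utc = timezone.utc
    now = datetime(2026, 3, 1, 12, 0, tzinfo=utc)
    old = Patient("P-001", datetime(2006, 2, 1, tzinfo=utc))
    held = Patient("P-001", old.last_clinical_entry, legal_hold=True)
    soon = Patient("P-002", datetime(2006, 5, 1, tzinfo=utc))
    records = [
        Record("A1", "raw_audio", "P-001", now - timedelta(days=3), now - timedelta(hours=49)),
        Record("A2", "raw_audio", "P-001", now - timedelta(hours=3), now - timedelta(hours=1)),
        Record("T1", "transcript", "P-001", now - timedelta(days=8)),
        Record("N1", "session_notes", "P-001", old.last_clinical_entry),
        Record("B1", "billing", "P-001", datetime(2014, 1, 1, tzinfo=utc)),
    ]
    deleted, log = run_deletion(records, {"P-001": old}, now, "practice-manager")
    p2 = [Record("A3", "raw_audio", "P-002", now - timedelta(hours=2), now - timedelta(hours=1)),
          Record("N2", "session_notes", "P-002", soon.last_clinical_entry)]
    return {
        "deleted": deleted,
        "log_actors": sorted({e["by"] for e in log}),
        "hold": decide(records[3], held, now)[0],
        "flag": decide(p2[1], soon, now)[0],
        "erasure": erasure_request(p2, soon, now),
    }
```

Run `run_deletion()` from a nightly job for audio and orphaned transcripts and from the annual review for end-of-retention records; the returned log is the "what, when, by whom, under what authority" record the policy asks you to keep for 10 years. Note that `erasure_request()` erases raw audio on request even inside its 48-hour window, which matches the rule that audio is never legally required, while clinical records inside their retention period are always returned under "retain" with the reason you owe the patient in your response.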
Putting It All Together: A Policy Template
Below is a condensed policy template you can adapt for your clinic. Replace bracketed items with your specifics.
[Clinic Name] — Data Retention and Access Control Policy
Effective date: [Date] Last reviewed: [Date] Responsible person: [Name, title]
1. Scope. This policy covers all personal data processed in connection with patient care at [Clinic Name], including audio recordings, transcripts, clinical notes, patient reports, consent forms, access logs, and billing records.
2. Legal basis. This policy implements the requirements of the Swiss Federal Act on Data Protection (FADP) / EU General Data Protection Regulation (GDPR), [cantonal health law / member state medical records law], the Swiss Code of Obligations, and the FMH Code of Professional Conduct.
3. Retention schedule. [Insert your adapted version of the retention table above.]
4. Access control. Access to patient data is governed by the role-based access matrix attached as Appendix A. All access requires individual credentials and multi-factor authentication.
5. Deletion routines.
- Audio recordings: deleted within 48 hours of transcript approval
- Unincorporated transcripts: deleted within 7 days
- Clinical records: deleted [20 years / per applicable law] after last entry
- Billing records: deleted 10 years after creation
- Deletion actions are logged and retained for 10 years
6. Patient rights. Patients may request access to, correction of, or deletion of their data. Requests are processed within 30 days. Data subject to legal retention obligations will be retained with an explanation provided to the patient.
7. Review. This policy is reviewed annually and updated when regulations, tools, or workflows change.
This doesn't need to be a 40-page document. A clear, honest two-to-three-page policy that your team actually reads and follows is worth more than a comprehensive document that sits in a drawer.
Common Mistakes Small Clinics Make
Keeping audio "just in case"
The instinct to keep recordings as a safety net is understandable. But under data minimisation principles, "just in case" is not a valid legal basis. If the transcript has been reviewed and approved, the audio has served its purpose. Delete it.
Treating all data the same
A consent form and a billing invoice have different retention requirements. A raw audio file and a structured clinical note are different data types with different sensitivity levels. One-size-fits-all retention ("we keep everything for 10 years") either over-retains sensitive data or under-retains legally required records.
No deletion routine
Having a policy that says "delete after X years" but no process for actually doing it means you're accumulating data indefinitely. Calendar a quarterly deletion review. Assign it to a specific person.
Shared logins
If three therapists share one login to your documentation tool, you cannot produce an audit trail showing who accessed which patient's data. This is a compliance failure that regulators specifically look for — and a Portuguese hospital was fined EUR 400,000 for exactly this kind of access control breakdown.
Ignoring the AI vendor's retention
Your policy controls your systems, but what does the AI vendor do with data on their end? Confirm in writing that the vendor deletes audio and transcription data according to your policy. This belongs in your Data Processing Agreement. If the vendor retains data for model training, you have a problem.
Frequently Asked Questions
Do I need a Data Protection Impact Assessment (DPIA) for this?
If you're processing sensitive health data with AI tools — yes. Both the FADP (Article 22) and GDPR (Article 35) require a DPIA when processing is likely to result in high risk to individuals. AI-based transcription of therapy sessions involving sensitive health data meets this threshold. See our FADP compliance checklist for a detailed walkthrough.
What if my canton still references a 10-year retention period?
Some cantons haven't updated their health laws to reflect the 20-year limitation period under the revised Code of Obligations. The safest approach is to follow the longer period. The FMH recommends 20 years, and in a malpractice claim, you'd want the records available for the full limitation window. Consult a local health law specialist if your canton's rules conflict.
Does this policy apply to paper records too?
Yes. The data protection principles are technology-neutral. Paper records containing patient data are subject to the same retention periods, access restrictions, and deletion requirements. The practical difference is that paper requires physical security (locked cabinets, restricted room access) rather than digital controls.
Can patients request their audio recordings before deletion?
Under both FADP and GDPR, patients have a right of access to their personal data (FADP Article 25 / GDPR Article 15). If a patient requests their audio recording before it's deleted, you must provide it, and you must not delete a recording that is the subject of a pending request, even if the 48-hour window expires in the meantime. This is another reason to define a clear (and short) retention window for audio — once the audio has been lawfully deleted, there is nothing left to disclose.
What about cross-border clinics (e.g., a Swiss clinic with EU patients)?
If you treat patients from EU member states, you may need to comply with both the FADP and GDPR. In practice, the two frameworks are largely compatible, but GDPR may impose additional requirements (e.g., appointing an EU representative under Article 27 GDPR if you have no EU establishment but regularly process EU residents' data). The retention periods in this article account for both frameworks.
Where This Fits in Your Compliance Stack
A retention policy doesn't exist in isolation. It connects to:
- Your FADP/GDPR compliance checklist — retention is one component of broader data protection compliance
- Your consent workflow — patients should be told retention periods before or at the point of data collection, as part of your consent process
- Your vendor due diligence — the AI tool's data handling must align with your retention policy
- Your DPIA — retention periods and deletion routines are key risk mitigation measures
- Your template governance framework — if your clinic standardises note templates across practitioners, the retention policy applies uniformly to all templated outputs
- EU AI Act compliance — if your AI tools fall under high-risk classification, data governance is one of the mandatory requirements
Think of the retention policy as the data lifecycle layer that sits beneath everything else. Every other compliance document references it.
Need a clinical documentation tool that handles audio deletion automatically and keeps your data in Switzerland? Try Dya Clinical free for 7 days.
Sources
- FDPIC: Inspection, Storage and Deletion of Patient Data
- 360core: Swiss Legal Retention Periods for Medical Records
- ICLG: Data Protection Laws and Regulations — Switzerland 2025–2026
- MME: Document Retention and Insurance Coverage in Light of the Revised Statutes of Limitation
- BePaid: Document Retention — Your Obligations for 10 Years
- GDPR Register: Navigating GDPR in Healthcare
- Kiteworks: Protect Patient Privacy — Definitive Guide to GDPR Compliance for Healthcare
- Secureprivacy: Switzerland's New FADP — Key Changes and Compliance Guidelines
- DLA Piper: Data Protection Laws in Switzerland