<aside>
💡
DRAFT: This is a working document that will evolve. AI generated from internal sources, so re-check relevant information before acting.
</aside>
1. Purpose and scope
Consolidate Denteo's data-retention and deletion rules into a single Löschkonzept that, per data category, states how long data is kept, on what legal basis, from which trigger, and how it is deleted/anonymized — and reconciles the documented posture (AVV, TOM, privacy notice) with what the system actually does. Closes the open Review-3 (Jan 2026) action item "Consolidate Data retention policy".
Scope: primary = customer (dental-practice) + patient data in the Denteo PMS; secondary = internal/operational data (logs, backups, monitoring, HR, AI/DSFA).
2. Roles
- Controller = the dental practice (decides purpose/means for patient data).
- Processor (Auftragsbearbeiter) = Denteo AG (per the finalized AVV).
- Denteo's deletion duties flow from controller instructions + AVV §12.4 (delete 3 months post-termination unless law requires retention). For legally mandated minimums (accounting, medical records), the practice is keeper of record — Denteo must enable, not obstruct, compliance.
3. Legal framework (summary)
Swiss law layers a floor of minimum-keep duties under a ceiling of delete-when-done:
- FADP/revDSG (SR 235.1, in force 1 Sep 2023) — no fixed periods, but Art. 6 Abs. 4 mandates destruction/anonymization "as soon as no longer necessary for the purpose." Health data = besonders schützenswert (Art. 5 lit. c Ziff. 2). The records-of-processing duty (Art. 12) binds Denteo as processor and controller for its own data; the <250-employee exemption is void here because health data is processed at scale (Art. 24 DSV). A DSFA/DPIA (Art. 22) is very likely required for large-scale health-data processing.
- GDPR — applies only if Denteo has an EU establishment or targets/monitors EU data subjects (Art. 3); fact-specific → flag for counsel. If in scope, storage-limitation (Art. 5(1)(e)) points the same way as FADP. Denteo is typically the processor.
- Medical/dental records — cantonal baseline 10 years after last treatment, but the 2020 OR reform set a 20-year absolute prescription for bodily-injury/death claims (Art. 60 Abs. 1bis / 128a OR); EDÖB and FMH Standesordnung Art. 12 both land on ~20 years as the practical retention. Some cantons mandate 20y (Bern) and some require deletion at 20y. → per-canton confirmation needed.
- Accounting / VAT — 10 years from end of fiscal year (OR 958f; MWSTG Art. 70/42); 20y for immovable-property VAT docs. Electronic archives OK under GeBüV if integrity + legibility ensured.
- KVG insurer billing — no separate numbered period found; accounting law (10y) governs.
- SMS reminders — Denteo carries no FMG/BÜPF retention duty (that falls on eCall/the carrier); keep SMS only under FADP storage-limitation.
- HR/payroll — 10 years (OR 958f). Rejected-applicant data: delete after selection (~3–6mo convention, not a statutory figure).
<aside>
⚖️
Operating rule (the Löschkonzept hinge): retention = the maximum of all applicable legal minimums, measured from the correct trigger; once it lapses, deletion/anonymization is mandatory. Keeping longer without a justifying purpose itself breaches FADP Art. 6 Abs. 4.
</aside>
<aside>
🔎
Re-verify before any external/legal use: cantonal article numbers (ZH §18 LS 813.13, GE Art. 57, BE in BSG 811.011), the (not-found) SSO dental-specific figure, federal 20y special cases (radiation/transplant), and GDPR applicability. Primary-source citations: FADP/OR/MWSTG on fedlex.admin.ch; EDÖB patient-data guidance; FMH archiving guide.
</aside>
4. Data inventory and categories