The law that binds you
Secrecy is not optional. LEMIA is designed around it.
Depending on your profession, a law requires you to keep silent about what is entrusted to you — and breaching it is, for many, a criminal offence, not a mere contractual failing. This page is the legal panorama: which secrets and which laws bind you, article by article and profession by profession, and what LEMIA protects for each. The question of sovereignty — why hosting in Switzerland is not enough on its own — is covered separately: see “Sovereignty”.
The secrecy that binds you, by profession
Every profession has its secret — and its article of law
The core of the law that binds you often fits in a single article: Art. 321 of the Swiss Criminal Code punishes whoever unlawfully discloses a secret entrusted to them in the practice of their profession — an offence prosecuted on complaint, punishable by a custodial sentence of up to three years or a monetary penalty. It covers a closed circle of professions; other regimes add to it or extend it. A reassuring point: Art. 321 para. 2 of the Swiss Criminal Code makes disclosure non-punishable with the consent of the person concerned or the authorisation of the supervisory authority — this is what founds the lawful access of an auxiliary without lifting the secrecy.
Doctors and healthcare professions
Medical secrecy falls under Art. 321 of the Swiss Criminal Code, complemented by Art. 40 of the Medical Professions Act (MedPA/LPMéd) and cantonal law. Health, diagnoses, patient records: these are, in addition, sensitive data within the meaning of the Swiss Federal Act on Data Protection (nFADP).
Lawyers
On top of the secrecy of Art. 321 of the Swiss Criminal Code comes Art. 13 of the Lawyers Act (LLCA): a reinforced secrecy, covering all matters entrusted, unlimited in time and enforceable against third parties.
Notaries
Notaries are covered by Art. 321 of the Swiss Criminal Code and by cantonal law (for instance, in Geneva, Art. 7 of the Notarial Act, LNot). The exact scope varies from canton to canton.
Public sector and administration
Civil servants and public officials — civil registry, disability insurance offices, land registry, tax assessment — are bound by official secrecy (Art. 320 of the Swiss Criminal Code). Lifting it requires the written consent of the superior authority.
Banking and audit
Banking secrecy (Art. 47 of the Banking Act, BankA/LB) is a criminal-law regime; the licensed audit body is bound by the secrecy of Art. 730b of the Swiss Code of Obligations — the only fiduciary flow backed by a criminal-law secret.
“Pure” fiduciaries (outside Art. 321)
Fiduciaries (Swiss accounting & trust firms) not covered by Art. 321 remain bound by business secrecy (Art. 162 of the Swiss Criminal Code / Art. 6 of the Unfair Competition Act, UCA/LCD) and by the fallback regime of the nFADP (Art. 62). The duty of discretion exists; only its legal basis changes.
Two points to remember: a breach of Art. 321 of the Swiss Criminal Code is an offence prosecuted on complaint (custodial sentence of up to three years or a monetary penalty); and your auxiliaries are covered — lawful access by a third party, with the consent of the person concerned or the authorisation of the authority, does not in itself constitute a disclosure (Art. 321 para. 2 of the Swiss Criminal Code).
Data protection, on top
The nFADP adds to secrecy — it does not replace it
On top of professional secrecy sits a second, cumulative regime: the new Swiss Federal Act on Data Protection (nFADP). It applies to any personal data, and its requirements apply whether or not you fall under Art. 321.
- Mere routing is already “processing” (Art. 5 FADP/LPD) — even without reading. Passing a piece of data through a third-party service means processing it; the same article defines sensitive data (health, intimate sphere, genetic or biometric data, criminal proceedings and sanctions…).
- Sub-processing (Art. 9 FADP/LPD) governs processing entrusted to a third party, under instruction and with security: this is the basis of the data processing agreement (DPA) between your firm or practice and the vendor.
- Automated individual decisions (Art. 21 FADP/LPD) govern decisions taken “exclusively by automated means”: human approval avoids this.
- And above all: the fine (Art. 60-61 FADP/LPD) — up to CHF 250,000, imposed on the responsible natural person, not only the company. The most concrete lever of the law that binds you.
If your firm or practice has exposure to the European Union, the GDPR applies in addition (processing on behalf of a controller, Art. 28; impact assessment, Art. 35).
What LEMIA does with it
So that AI serves your obligation, instead of threatening it
In one sentence: your content is processed in Switzerland — by design, without exception —, it is never read by the vendor, and every output is approved by you before anything is written or sent. Sovereign processing answers the question of transfers abroad; human approval answers automated decision-making; content never read and the data processing agreement answer secrecy and the nFADP.
The mechanisms that uphold these commitments — sovereign processing, encryption, minimised logging, human approval — are described on the “Security” page. And why Swiss hosting is not enough on its own: “Sovereignty”.
What we do not claim
A duty of best efforts, stated honestly
Our commitments are obligations of means, not an absolute guarantee of results — and never a promise of total impermeability. Only technical metadata for licensing and orchestration transits to our servers — never your content. Compliance does not come down to our measures alone: it also depends on the data processing agreement (DPA) and on the qualification of your situation. You remain the data controller within the meaning of the nFADP, and your external sends remain your decision.
Your situation, your secrecy, your regime
Let's talk about your profession and the law that binds you — and how LEMIA fits in.