Insights

AI and Data Protection in Switzerland: revised FADP

What Swiss companies must consider on data protection when using AI: the duties under the revised FADP, the FDPIC's stance on AI, the record of processing activities and the data protection impact assessment - with reference to official sources and a clear note on when legal advice is needed.

AetherDigital· AI Engineering & StrategyPublished 11 July 202612 min read

AI and data protection in Switzerland: what really applies

Direct answer: The revised Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) is technology-neutral and, per the FDPIC, directly applicable to AI-based data processing. For companies that means: transparency about AI use, a record of processing activities, and a data protection impact assessment where the risk is high. Updated: July 2026.

This guide explains what that concretely means when you use AI with personal data - in plain terms, with reference to official sources, and with one clear boundary: it does not replace legal advice. Data protection is a field where the specific case matters; the points below help you ask the right questions and recognize when to bring in a professional.

Does the data protection act even apply to AI?

Yes. The Swiss Federal Data Protection and Information Commissioner (FDPIC) has made clear that the applicable data protection act applies directly to AI - it is drafted technology-neutrally and needs no separate AI law to take effect. As soon as an AI application processes personal data, the usual principles apply: lawfulness, good faith, proportionality, purpose limitation, data accuracy and transparency.

The consequence matters: there is no "it was the AI" loophole. Whoever deploys an AI remains responsible for the data processing - whether or not the model comes from a third-party provider. That is why data protection belongs in every AI project from the start, not in an audit afterwards, as we also stress in the guide to introducing AI in your company.

(Source: FDPIC, information on AI and data protection, admin.ch. The revFADP has been in force since 1 September 2023.)

The concrete duties for AI with personal data

These duties follow from the revFADP and FDPIC practice. The table places them - it is orientation, not a conclusive legal opinion.

DutyWhat it means for AISource / note
Transparency / informationPeople must know when personal data is processed - and per the FDPIC, whether they are communicating with a machine and whether inputs are reusedFDPIC, AI and data protection (admin.ch)
Record of processing activitiesAI-based processing belongs in the record of processing (purpose, data categories, recipients, retention)revFADP; exemption for SMEs under 250 staff at low risk
Data protection impact assessment (DPIA)For high risk - such as high-risk profiling or extensive processing of sensitive data - a DPIA is requiredrevFADP; independent of company size
Data processing (processor) agreementIf you use an external AI tool, you need a processor agreement and must assess any transfers abroadrevFADP; due diligence in vendor selection
Data minimization & purpose limitationOnly the necessary data in prompts, logs and training data; no repurposing without a basisrevFADP principles

This overview is deliberately general and does not replace an assessment of your specific case. For binding interpretation, involve a data-protection legal professional.

When is a data protection impact assessment (DPIA) required?

Under the revFADP, a DPIA is required when a planned processing may involve a high risk to the personality or fundamental rights of the data subjects. High risk includes in particular extensive high-risk profiling and the extensive processing of sensitive personal data (such as health, religious or biometric data).

For AI projects this means concretely: a knowledge bot answering public product information usually does not trigger a DPIA. A system that automatically scores applicants, builds customer profiles for decisions, or processes health data very likely does.

Important: the 250-staff threshold concerns only the exemption from the record of processing - not the DPIA duty. A small company can be partly exempt from the record duty and still have to carry out a DPIA if the processing is risky. The DPIA belongs in the design phase, because it co-determines the architecture (hosting, logging, access control).

(Source: revFADP; FDPIC basics on the DPIA, admin.ch.)

Practical data-protection guardrails for AI projects

These technical and organizational measures address the most common AI data-protection risks. They complement, not replace, the legal review.

  1. Data minimization in prompts and logs

    Put only the truly necessary personal data into the system. Check what is logged and for how long - logs are an often-overlooked store of personal data.

  2. No training on your data without a basis

    Clarify contractually whether the provider uses your inputs for model training. For business use with personal data you usually need a training opt-out.

  3. Appropriate hosting location

    Check where the data is processed. For many Swiss sectors, Swiss or EU hosting is a prerequisite; transfers to third countries need a legal basis.

  4. Processor agreement

    Every external AI service that processes personal data needs a corresponding agreement with clear duties on security, reuse and deletion.

  5. Transparency toward data subjects

    Make it transparent in the privacy notice and at the interface that and why AI is used - and where people are talking to a machine.

  6. Human-in-the-loop for decisions

    For decisions affecting people (application, credit, performance), human review and traceability are needed rather than automatic black-box output.

When you need a lawyer or data-protection professional

This guide helps you ask the right questions and set the technical guardrails. But it does not replace legal advice, and in the following situations you should involve a data-protection professional:

Sensitive data. Health, biometric, religious or criminal-proceedings data requires stricter review and often a DPIA.

Automated individual decisions. Where an AI makes decisions with legal effects or significant impact on people, special information and review duties apply.

Transfers abroad. As soon as data touches providers or servers outside Switzerland and the EU, the legal basis must be carefully clarified.

Cross-border activity / GDPR. If you address people in the EU, the GDPR additionally comes into play - with requirements in parts stricter than the revFADP.

The honest stance: as an AI integration partner we implement the privacy-friendly architecture and work with your legal advisers - but we do not give binding legal advice. That clarity is part of a serious AI project.

Frequently asked questions

  • Does the Swiss data protection act apply to AI applications?

    Yes. The FDPIC has made clear that the revised FADP (in force since 1 September 2023) is technology-neutral and directly applicable to AI-based data processing. As soon as an AI processes personal data, the FADP principles apply - transparency, purpose limitation, data minimization - and responsibility stays with the company, even when the model comes from a third-party provider.

  • Do I need a data protection impact assessment for an AI project?

    A DPIA is required when the processing may involve a high risk to data subjects, in particular for extensive high-risk profiling or extensive processing of sensitive data. A simple knowledge bot with public information usually does not need one; a system that automatically scores people or processes health data very likely does. The duty depends on the risk, not on company size.

  • Must I record AI use in the record of processing activities?

    Generally yes: AI-based processing of personal data belongs in the record of processing with purpose, data categories, recipients and retention. Companies under 250 staff have a partial exemption from the record duty at low risk - but this exemption does not cover the DPIA duty.

  • May staff enter personal data into an AI tool?

    Not into arbitrary, free consumer tools. Personal data may only enter systems with a clear legal basis, a processor agreement, a training opt-out and an appropriate hosting location. Unregulated inputs into open tools are one of the most common data-protection breaches - a short usage policy prevents this.

  • What is the difference between the revFADP and GDPR for AI?

    The revFADP is Swiss law and governs Swiss processing; the GDPR is EU law and becomes additionally relevant as soon as you process or address people in the EU. The core principles are similar, and the GDPR is in parts stricter (for example on fines and certain duties). For cross-border activity, both must be considered - legal advice pays off here.

  • Does AETHER Digital help implement AI in a data-protection-compliant way?

    Yes - on the technical and organizational level. We build the privacy-friendly architecture (hosting, data minimization, access control, processor agreement) and work with your legal advisers. We deliberately do not give binding legal advice; instead we make sure the technology meets the legal requirements and say clearly when a professional is needed.

Related case studies

Continue reading

Use AI and comply with Swiss data protection - both are possible

Data protection is not a reason to skip AI - it is a reason to build it right. We implement the privacy-friendly architecture and say honestly when you need legal advice.

One call. Thirty minutes. A clear view of what's possible and what it would take. No slide decks, no pressure.

Free 30-min discovery · No pricing pressure · Swiss confidentiality