AI and data protection in Switzerland: what really applies
Direct answer: The revised Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) is technology-neutral and, per the FDPIC, directly applicable to AI-based data processing. For companies that means: transparency about AI use, a record of processing activities, and a data protection impact assessment where the risk is high. Updated: July 2026.
This guide explains what that concretely means when you use AI with personal data - in plain terms, with reference to official sources, and with one clear boundary: it does not replace legal advice. Data protection is a field where the specific case matters; the points below help you ask the right questions and recognize when to bring in a professional.
Does the data protection act even apply to AI?
Yes. The Swiss Federal Data Protection and Information Commissioner (FDPIC) has made clear that the applicable data protection act applies directly to AI - it is drafted technology-neutrally and needs no separate AI law to take effect. As soon as an AI application processes personal data, the usual principles apply: lawfulness, good faith, proportionality, purpose limitation, data accuracy and transparency.
The consequence matters: there is no "it was the AI" loophole. Whoever deploys an AI remains responsible for the data processing - whether or not the model comes from a third-party provider. That is why data protection belongs in every AI project from the start, not in an audit afterwards, as we also stress in the guide to introducing AI in your company.
(Source: FDPIC, information on AI and data protection, admin.ch. The revFADP has been in force since 1 September 2023.)
The concrete duties for AI with personal data
These duties follow from the revFADP and FDPIC practice. The table places them - it is orientation, not a conclusive legal opinion.
| Duty | What it means for AI | Source / note |
|---|---|---|
| Transparency / information | People must know when personal data is processed - and per the FDPIC, whether they are communicating with a machine and whether inputs are reused | FDPIC, AI and data protection (admin.ch) |
| Record of processing activities | AI-based processing belongs in the record of processing (purpose, data categories, recipients, retention) | revFADP; exemption for SMEs under 250 staff at low risk |
| Data protection impact assessment (DPIA) | For high risk - such as high-risk profiling or extensive processing of sensitive data - a DPIA is required | revFADP; independent of company size |
| Data processing (processor) agreement | If you use an external AI tool, you need a processor agreement and must assess any transfers abroad | revFADP; due diligence in vendor selection |
| Data minimization & purpose limitation | Only the necessary data in prompts, logs and training data; no repurposing without a basis | revFADP principles |
This overview is deliberately general and does not replace an assessment of your specific case. For binding interpretation, involve a data-protection legal professional.
When is a data protection impact assessment (DPIA) required?
Under the revFADP, a DPIA is required when a planned processing may involve a high risk to the personality or fundamental rights of the data subjects. High risk includes in particular extensive high-risk profiling and the extensive processing of sensitive personal data (such as health, religious or biometric data).
For AI projects this means concretely: a knowledge bot answering public product information usually does not trigger a DPIA. A system that automatically scores applicants, builds customer profiles for decisions, or processes health data very likely does.
Important: the 250-staff threshold concerns only the exemption from the record of processing - not the DPIA duty. A small company can be partly exempt from the record duty and still have to carry out a DPIA if the processing is risky. The DPIA belongs in the design phase, because it co-determines the architecture (hosting, logging, access control).
(Source: revFADP; FDPIC basics on the DPIA, admin.ch.)
Practical data-protection guardrails for AI projects
These technical and organizational measures address the most common AI data-protection risks. They complement, not replace, the legal review.
Data minimization in prompts and logs
Put only the truly necessary personal data into the system. Check what is logged and for how long - logs are an often-overlooked store of personal data.
No training on your data without a basis
Clarify contractually whether the provider uses your inputs for model training. For business use with personal data you usually need a training opt-out.
Appropriate hosting location
Check where the data is processed. For many Swiss sectors, Swiss or EU hosting is a prerequisite; transfers to third countries need a legal basis.
Processor agreement
Every external AI service that processes personal data needs a corresponding agreement with clear duties on security, reuse and deletion.
Transparency toward data subjects
Make it transparent in the privacy notice and at the interface that and why AI is used - and where people are talking to a machine.
Human-in-the-loop for decisions
For decisions affecting people (application, credit, performance), human review and traceability are needed rather than automatic black-box output.
When you need a lawyer or data-protection professional
This guide helps you ask the right questions and set the technical guardrails. But it does not replace legal advice, and in the following situations you should involve a data-protection professional:
Sensitive data. Health, biometric, religious or criminal-proceedings data requires stricter review and often a DPIA.
Automated individual decisions. Where an AI makes decisions with legal effects or significant impact on people, special information and review duties apply.
Transfers abroad. As soon as data touches providers or servers outside Switzerland and the EU, the legal basis must be carefully clarified.
Cross-border activity / GDPR. If you address people in the EU, the GDPR additionally comes into play - with requirements in parts stricter than the revFADP.
The honest stance: as an AI integration partner we implement the privacy-friendly architecture and work with your legal advisers - but we do not give binding legal advice. That clarity is part of a serious AI project.
Frequently asked questions
Does the Swiss data protection act apply to AI applications?
Yes. The FDPIC has made clear that the revised FADP (in force since 1 September 2023) is technology-neutral and directly applicable to AI-based data processing. As soon as an AI processes personal data, the FADP principles apply - transparency, purpose limitation, data minimization - and responsibility stays with the company, even when the model comes from a third-party provider.
Do I need a data protection impact assessment for an AI project?
A DPIA is required when the processing may involve a high risk to data subjects, in particular for extensive high-risk profiling or extensive processing of sensitive data. A simple knowledge bot with public information usually does not need one; a system that automatically scores people or processes health data very likely does. The duty depends on the risk, not on company size.
Must I record AI use in the record of processing activities?
Generally yes: AI-based processing of personal data belongs in the record of processing with purpose, data categories, recipients and retention. Companies under 250 staff have a partial exemption from the record duty at low risk - but this exemption does not cover the DPIA duty.
May staff enter personal data into an AI tool?
Not into arbitrary, free consumer tools. Personal data may only enter systems with a clear legal basis, a processor agreement, a training opt-out and an appropriate hosting location. Unregulated inputs into open tools are one of the most common data-protection breaches - a short usage policy prevents this.
What is the difference between the revFADP and GDPR for AI?
The revFADP is Swiss law and governs Swiss processing; the GDPR is EU law and becomes additionally relevant as soon as you process or address people in the EU. The core principles are similar, and the GDPR is in parts stricter (for example on fines and certain duties). For cross-border activity, both must be considered - legal advice pays off here.
Does AETHER Digital help implement AI in a data-protection-compliant way?
Yes - on the technical and organizational level. We build the privacy-friendly architecture (hosting, data minimization, access control, processor agreement) and work with your legal advisers. We deliberately do not give binding legal advice; instead we make sure the technology meets the legal requirements and say clearly when a professional is needed.
Related case studies
Continue reading
A transparent look at what AI consulting really costs in Switzerland in 2026: cited market ranges for day rates, typical project sizes, the five cost drivers, and how to tell a fair quote from a black box.
A vendor-neutral overview of the 2026 AI tool landscape for SMEs: organized by function rather than brand names, with honest selection criteria, a warning about the tool zoo, and the data-protection point many people miss.
An honest guide to ChatGPT in the workplace: clear governance rules, use cases that genuinely work, the limits (hallucinations, confidentiality, data protection) and the cases where you should deliberately not use it.