Does the FADP apply to AI tools such as ChatGPT or Copilot used in business?
Yes. As soon as these tools process personal data of identifiable natural persons (names, emails, information about employees or customers), the FADP applies. The company using these tools is responsible for the processing. It must ensure that the purpose is documented, that individuals are informed and that data is not reused for purposes not provided for by the provider. A review of the provider's contractual terms is essential, in particular regarding data location and reuse for model training.
Does my company need to appoint a Data Protection Officer (DPO) to use AI?
The FADP does not make the DPO mandatory under the same conditions as the GDPR. However, appointing or mandating a data protection officer is strongly recommended when your company deploys AI systems that process personal data on a large scale or sensitive data. This officer can be internal or external (legal counsel, specialist consultant). Their role: supervise compliance, carry out DPIAs, handle requests from data subjects and liaise with the FDPIC where necessary.
What is a DPIA and in which cases is it mandatory for an AI project?
A Data Protection Impact Assessment (DPIA) is a documented evaluation of the risks that a data processing activity poses to the rights and freedoms of data subjects. It is mandatory under the FADP when the processing is likely to present a high risk: large-scale processing of sensitive data, extensive profiling, automated decisions with significant effects, or systematic monitoring. For most ambitious AI projects in business (HR AI, customer scoring, behavioural analysis), a DPIA is necessary. It must be carried out before deployment.
Can an AI model be trained using the company's customer or employee data?
Yes, under conditions. First, a valid legal basis is required for this new processing (the initial collection of data is not sufficient if the purpose was different). Data subjects must be informed of this use. If the data is sensitive, explicit consent or another strong legal basis is required. The location of the model is decisive: a model hosted on servers outside Switzerland or outside the EEA involves an international data transfer, subject to additional safeguards. Documenting these decisions in your processing register is essential.
Which AI practices are prohibited by the FADP?
The FADP does not establish an exhaustive list, but the FDPIC has clarified that certain applications are incompatible with the fundamental rights it protects: generalised real-time facial recognition in public spaces, social scoring systems that systematically evaluate the behaviour of individuals, and any collection or processing of biometric or sensitive data without a solid legal basis. The EU AI Act, which explicitly prohibits certain of these practices, may apply indirectly to Swiss companies that process data of EU residents.
What are the penalties for violating the FADP in an AI context?
The FADP sanctions natural persons, not the company directly. Fines can reach 250'000 CHF per violation. Executives, IT managers and employees involved are personally exposed. The most sanctionable violations: failing to inform data subjects, failing to notify a data breach, or violating the rules on automated individual decisions. A complaint must be filed to initiate proceedings. The reputational risk is often more concerning than the fine itself.
Do the FADP and GDPR apply simultaneously to my Swiss company?
It depends on your activity. If you process data of EU residents (customers, partners, prospects), the GDPR applies to that processing, regardless of whether your company is in Switzerland. The FADP applies to all processing of data relating to persons in Switzerland. In practice, many Swiss companies must comply with both frameworks. The good news is that they are broadly aligned and a well-constructed compliance policy covers both, provided the few differences are taken into account (sanctions, DPO, notification deadlines).
Does the European AI Act concern companies based in Switzerland?
The EU AI Act does not apply directly in Switzerland, which is not an EU member. However, if your company places AI systems on the European market, or if your systems produce effects on people in the EU, the rules of the AI Act may concern you. Furthermore, Switzerland has signed the Council of Europe Convention on AI (March 2025), whose ratification will introduce complementary obligations, in particular for high-risk AI systems.
How do you choose an AI provider that complies with the FADP?
Three main criteria: data location (prefer servers in Switzerland or the EU/EEA to avoid unregulated international transfers), data reuse policy (does the provider use your data to train its models? If so, on what legal basis?), and contractual transparency (can the provider supply a sub-processor register, a DPA, documented security guarantees?). Open-source models deployed on your own infrastructure or on European infrastructure generally provide the best answer to all three criteria.
Does the FADP apply to open-source AI models deployed internally?
Yes. The FADP applies to the data controller, i.e. your company, regardless of the nature of the model (open source or proprietary, hosted internally or by a third party). If your open-source model processes personal data, all FADP obligations apply: information, minimisation, security, DPIA if high risk, etc. The advantage of open source deployed internally is precisely that it gives you full control over the data and eliminates the risk of an unwanted transfer to a third party.