The guide, without the legal jargon

AI and the LPD/nLPD in Switzerland: what it means

A clear overview of what the new Data Protection Act changes for your AI projects, and how we build while respecting data residency. Important: we do not give legal advice.

European hostingOpen sourceTraceable

14'036+ sites created in the last 30 days

actif
🇪🇺 Europe
Falkenstein
Helsinki
Nürnberg

Hetzner · Europe

US cloud
European hosting
Open source
Traceable

Since 1 September 2023, Switzerland's revised Federal Act on Data Protection (FADP) has been in force. It does not mention artificial intelligence by name, and this is intentional: the law is written in a technologically neutral way. The direct consequence is that any AI system that processes personal data of natural persons is subject to the FADP, full stop. This guide explains what this means in practice for a Swiss company that deploys or is considering deploying AI tools, whether an internal chatbot, an automated recruitment tool, a recommendation engine or a customer analytics solution.

14'036+
sites created in the last 30 days
16
languages
100%
European hosting
0
US cloud

The key points to know

The essentials, explained simply.

Data residency

Where your data is stored and processed matters. We build with European hosting and open source models.

Minimization

Process only the data you need: a simple principle that reduces risk.

Transparency and traceability

Know what AI does with your data, with logged and auditable processing.

Subprocessors

Choose providers that don't expose your data to uncontrolled third-party clouds.

The FADP and AI: the principle of technological neutrality

The Federal Data Protection and Information Commissioner (FDPIC) confirmed its position in November 2023: the current data protection law applies directly to AI. Switzerland has no specific artificial intelligence law, unlike the European Union with its AI Act. The Swiss legislature deliberately chose an approach based on technological neutrality: existing rules (FADP, Code of Obligations, LDPA) apply to any technology, including AI. This means your AI-powered CRM, predictive analytics tool or internal conversational assistant all fall within the scope of the FADP as soon as they process data relating to an identifiable individual.

  • No dedicated AI law in Switzerland to date: the FADP serves as the primary framework
  • Technological neutrality: the legal text does not mention AI but applies to it in full
  • The FDPIC officially confirmed this interpretation in November 2023
  • The Council of Europe Framework Convention on AI (signed by Switzerland on 27 March 2025) will reinforce this framework by 2026-2027
  • The EU AI Act may indirectly apply to Swiss companies that process data of EU residents

The five fundamental obligations for any use of AI

Regardless of the nature of the AI system deployed, five FADP principles are binding on the company responsible for the processing.

  • Transparency: data subjects must know that an AI system is processing their data, for what purpose and on what legal basis. Deliberate opacity is a violation.
  • Defined purpose: data collected for a specific purpose cannot be freely reused to train or improve an AI model without a separate legal basis.
  • Data minimisation: an AI system must only process the data strictly necessary for the objective pursued. Aggregating data 'just in case' would violate this principle.
  • Accuracy: data feeding an AI system must be kept up to date. An automated decision based on outdated data engages the liability of the company.
  • Security and traceability: AI processing must be logged and access controlled. In the event of a data breach, the FADP requires notification to the authorities without undue delay (compared to 72 hours under the GDPR).

Automated decisions and the right to object: what your users can demand

The FADP grants data subjects a right to object to decisions made solely on the basis of automated processing, where those decisions have legal or similarly significant effects on them. In practice: if your AI tool automatically rejects a job application, sets an insurance premium or refuses credit without human intervention, the data subject can demand that a natural person reviews the decision. The FDPIC frames this in terms of high digital self-determination: companies must give data subjects the means to understand and, if necessary, to challenge automated decisions that affect them. This right to object is not optional: it must be operational before the system is deployed, not after.

  • Right to object to automated decisions with legal or significant effects
  • Obligation to provide a human review mechanism upon request
  • Transparency about how the algorithm works is a prerequisite for this right
  • Particularly exposed sectors: HR (candidate screening), insurance (pricing), banks (credit scoring), e-commerce (discriminatory personalisation)

When is a Data Protection Impact Assessment (DPIA) mandatory?

The FADP introduces the obligation to carry out a Data Protection Impact Assessment (DPIA) before any processing likely to present a high risk to the fundamental rights and freedoms of data subjects. For AI systems, the high-risk threshold is quickly reached. A DPIA is required in particular when: the processing involves sensitive data on a large scale (health, political opinions, biometric data), the system carries out extensive profiling of individuals, automated decisions have significant legal or economic effects, or the processing involves the systematic monitoring of a publicly accessible space. The DPIA must be carried out before launch, documented, and updated if the system evolves. If the assessment reveals a high residual risk that cannot be mitigated, the FDPIC may be consulted.

  • Large-scale processing of sensitive data: DPIA mandatory
  • Extensive profiling or automated scoring: DPIA mandatory
  • Automated decisions with significant legal or economic effects: DPIA mandatory
  • Systematic monitoring of public spaces: DPIA mandatory
  • The DPIA must be carried out before deployment, not after an incident
  • The FDPIC may be consulted if a high residual risk remains

AI practices prohibited by the FADP

While the FADP does not establish an exhaustive list of prohibited AI uses, certain practices are clearly incompatible with the fundamental rights it protects, as well as with the FDPIC's stated positions.

  • Real-time facial recognition at large scale in public spaces: incompatible with the FADP and fundamental rights
  • Social scoring systems that systematically evaluate individuals across all their behaviour: incompatible with the right to informational self-determination protected by the FADP
  • Collecting and processing biometric data without a solid legal basis and without a legitimate and documented purpose
  • Training AI models with personal data diverted from their original purpose, without a separate legal basis
  • Processing sensitive data (health, racial origin, political opinions) without explicit consent or without another permitted legal basis

Training an AI model with your internal data: what the FADP says

One of the most common scenarios in business: using internal data (emails, HR files, customer histories, contracts) to train or fine-tune an AI model. The FADP imposes several safeguards. First, purpose: data collected to manage customer contracts cannot be reused to train an AI model without a separate legal basis. Second, location: if the model is hosted by a provider outside Switzerland or outside the EEA, an international data transfer occurs, subject to adequate guarantees under the FADP. Finally, model opacity: once trained, it is difficult to guarantee that no personal data can be extracted or inferred. A sovereign architecture, with a model deployed on European infrastructure or on your own servers, is the most robust response to this problem.

  • Verify the legal basis before reusing any internal data for AI
  • Document the training purpose and ensure its compatibility with the original collection
  • Identify whether an international transfer occurs (US provider, cloud outside the EEA) and put adequate safeguards in place
  • Classify your data (public, internal, confidential, sensitive) before deciding which can feed a model
  • Favour open-source models deployed on European infrastructure to avoid extraterritoriality
  • Document architecture decisions in a processing register

FADP sanctions: personal liability and amounts

A point that is often underestimated: unlike the GDPR, which sanctions the company, the FADP primarily sanctions natural persons. It is the executives, IT managers and certain employees who may be prosecuted and fined personally. The maximum amount is 250'000 CHF per violation. The most exposed violations concern: failure to comply with the obligation to inform, failure to notify a data breach to the competent authority, or violation of the rules on automated individual decisions. Sanctions are not automatic: a complaint must be filed. But the reputational risk, if the proceedings become public, can be greater than the fine itself.

  • Maximum sanction: 250'000 CHF per violation (personal fine, not a corporate fine)
  • Persons at risk: executives, IT managers, DPOs, employees involved
  • Most commonly sanctioned violations: failure to inform, absence of breach notification, violation of rules on automated decisions
  • No automatic fine: a complaint is required (unlike the GDPR)
  • Reputational risk potentially higher than the fine itself

FADP vs GDPR: key differences for AI projects

Many Swiss companies also process data of EU residents and are therefore subject to the GDPR alongside the FADP. The two frameworks are broadly similar but diverge on several important points. Below are the most significant differences for an AI project.

  • Sanctions: GDPR targets companies (up to 4% of global turnover), FADP targets natural persons (max 250'000 CHF)
  • DPO: mandatory in certain cases under GDPR, recommended but not mandatory under FADP
  • Breach notification: 72 hours for the GDPR, without undue delay for the FADP (more flexible but also more vague)
  • Consent: the FADP does not require explicit consent as the sole legal basis, unlike the GDPR which makes it a central foundation
  • Extraterritorial scope: GDPR applies as soon as an EU resident is concerned, even if the company is in Switzerland
  • EU AI Act: does not directly apply in Switzerland, but a Swiss company marketing in the EU may be subject to it

Regulatory outlook 2025-2027: what is coming

The Swiss legal framework on AI is evolving. Several developments need to be anticipated by companies deploying AI systems.

  • Council of Europe Convention on AI (CETS 225): Switzerland signed on 27 March 2025. Its ratification will create additional obligations, particularly for high-risk AI systems and supervision by authorities
  • EU AI Act gradually entering into force until 2026: Swiss companies operating on the EU market may be affected, in particular for high-risk AI systems (HR, credit, health, critical infrastructure)
  • Potential revision of the FADP: the Federal Council is monitoring European developments and an adaptation is conceivable by 2026-2027
  • Federal ordinance on the use of AI in public administration: under consultation, could inspire private sector standards
  • Growing role of the FDPIC: more sector-specific positions on specific AI uses (chatbots, profiling, generative AI)

Checklist: ten concrete actions for AI compliant with the FADP

Here is an operational starting point for companies that deploy or are considering deploying AI tools. This list is not legal advice: consult a specialist lawyer for your specific situation.

  • 1. Map: draw up a list of all AI tools used in your organisation and identify which ones process personal data
  • 2. Classify data: distinguish public, internal, confidential and sensitive data before deciding which can feed a model
  • 3. Document the purpose: for each AI processing activity, document the precise purpose in your processing activity register
  • 4. Assess the risk: determine whether a processing activity requires a DPIA (sensitive data, profiling, impactful automated decisions)
  • 5. Inform: ensure that information notices (privacy policy, processing notices) explicitly cover AI uses
  • 6. Provide for objection: put in place an operational human review mechanism for any significant automated decision
  • 7. Control sub-processors: verify the guarantees offered by your AI providers (location, transfers, certifications)
  • 8. Train teams: raise awareness among employees of FADP obligations in the AI context, in particular HR, marketing and IT teams
  • 9. Test and audit: plan regular audits of AI systems to check compliance and the absence of discriminatory bias
  • 10. Maintain a living register: update documentation each time the AI system or regulations change

FADP vs GDPR: the essential differences for your AI projects

Most Swiss companies have to navigate both frameworks. Here are the most important differences to understand when structuring your AI projects.

CriterionFADP (Switzerland)GDPR (EU)
Entry into force1 September 202325 May 2018
SanctionsMax 250'000 CHF, personal fineUp to 4% of global turnover, corporate fine
DPO (Data Protection Officer)Recommended, not mandatory for SMEsMandatory in certain cases
Breach notification deadlineWithout undue delay (more flexible)Maximum 72 hours
Consent as legal basisOne basis among several (more flexible)Central but regulated
DPIA mandatoryYes, for high-risk processingYes, for high-risk processing
Extraterritorial scopeApplies if the company processes data of persons in SwitzerlandApplies whenever an EU resident is concerned
Specific AI lawNone (technological neutrality)AI Act gradually entering into force until 2026

Our role

We build while respecting your data

We don't practice law, but we build AI in a way that respects the residency and confidentiality of your data.

European hosting

Infrastructure in Europe (Hetzner), no US cloud.

Open source

Open source models on our infrastructure; your data is not used to train any model.

Traceable

Logged and auditable processing.

swissIa.lpdNlpdSuisse.localContextTitle

Switzerland has a dedicated independent authority: the Federal Data Protection and Information Commissioner (FDPIC), based in Bern, which issues recommendations and can open preliminary investigations.
The cantons of Vaud, Genève, Fribourg and Neuchâtel have their own cantonal data protection legislation, applicable to cantonal public entities. For private companies, the federal FADP takes precedence.
French-speaking Switzerland has several actors specialised in FADP and AI compliance: specialist law firms (particularly in Genève and Lausanne), data protection consultants and technology providers that integrate compliance by design.
The Swiss financial sector (banks, insurers, wealth management) is particularly exposed to FADP obligations in the AI context, given the sensitive nature of the data processed and the frequent automated decisions (scoring, fraud detection, automated advice).
The Council of Europe Framework Convention on AI (signed by Switzerland on 27 March 2025) is the first legally binding international treaty on AI. Its ratification by the Swiss Parliament will create additional formal obligations.

Frequently asked questions

Does the FADP apply to AI tools such as ChatGPT or Copilot used in business?

Yes. As soon as these tools process personal data of identifiable natural persons (names, emails, information about employees or customers), the FADP applies. The company using these tools is responsible for the processing. It must ensure that the purpose is documented, that individuals are informed and that data is not reused for purposes not provided for by the provider. A review of the provider's contractual terms is essential, in particular regarding data location and reuse for model training.

Does my company need to appoint a Data Protection Officer (DPO) to use AI?

The FADP does not make the DPO mandatory under the same conditions as the GDPR. However, appointing or mandating a data protection officer is strongly recommended when your company deploys AI systems that process personal data on a large scale or sensitive data. This officer can be internal or external (legal counsel, specialist consultant). Their role: supervise compliance, carry out DPIAs, handle requests from data subjects and liaise with the FDPIC where necessary.

What is a DPIA and in which cases is it mandatory for an AI project?

A Data Protection Impact Assessment (DPIA) is a documented evaluation of the risks that a data processing activity poses to the rights and freedoms of data subjects. It is mandatory under the FADP when the processing is likely to present a high risk: large-scale processing of sensitive data, extensive profiling, automated decisions with significant effects, or systematic monitoring. For most ambitious AI projects in business (HR AI, customer scoring, behavioural analysis), a DPIA is necessary. It must be carried out before deployment.

Can an AI model be trained using the company's customer or employee data?

Yes, under conditions. First, a valid legal basis is required for this new processing (the initial collection of data is not sufficient if the purpose was different). Data subjects must be informed of this use. If the data is sensitive, explicit consent or another strong legal basis is required. The location of the model is decisive: a model hosted on servers outside Switzerland or outside the EEA involves an international data transfer, subject to additional safeguards. Documenting these decisions in your processing register is essential.

Which AI practices are prohibited by the FADP?

The FADP does not establish an exhaustive list, but the FDPIC has clarified that certain applications are incompatible with the fundamental rights it protects: generalised real-time facial recognition in public spaces, social scoring systems that systematically evaluate the behaviour of individuals, and any collection or processing of biometric or sensitive data without a solid legal basis. The EU AI Act, which explicitly prohibits certain of these practices, may apply indirectly to Swiss companies that process data of EU residents.

What are the penalties for violating the FADP in an AI context?

The FADP sanctions natural persons, not the company directly. Fines can reach 250'000 CHF per violation. Executives, IT managers and employees involved are personally exposed. The most sanctionable violations: failing to inform data subjects, failing to notify a data breach, or violating the rules on automated individual decisions. A complaint must be filed to initiate proceedings. The reputational risk is often more concerning than the fine itself.

Do the FADP and GDPR apply simultaneously to my Swiss company?

It depends on your activity. If you process data of EU residents (customers, partners, prospects), the GDPR applies to that processing, regardless of whether your company is in Switzerland. The FADP applies to all processing of data relating to persons in Switzerland. In practice, many Swiss companies must comply with both frameworks. The good news is that they are broadly aligned and a well-constructed compliance policy covers both, provided the few differences are taken into account (sanctions, DPO, notification deadlines).

Does the European AI Act concern companies based in Switzerland?

The EU AI Act does not apply directly in Switzerland, which is not an EU member. However, if your company places AI systems on the European market, or if your systems produce effects on people in the EU, the rules of the AI Act may concern you. Furthermore, Switzerland has signed the Council of Europe Convention on AI (March 2025), whose ratification will introduce complementary obligations, in particular for high-risk AI systems.

How do you choose an AI provider that complies with the FADP?

Three main criteria: data location (prefer servers in Switzerland or the EU/EEA to avoid unregulated international transfers), data reuse policy (does the provider use your data to train its models? If so, on what legal basis?), and contractual transparency (can the provider supply a sub-processor register, a DPA, documented security guarantees?). Open-source models deployed on your own infrastructure or on European infrastructure generally provide the best answer to all three criteria.

Does the FADP apply to open-source AI models deployed internally?

Yes. The FADP applies to the data controller, i.e. your company, regardless of the nature of the model (open source or proprietary, hosted internally or by a third party). If your open-source model processes personal data, all FADP obligations apply: information, minimisation, security, DPIA if high risk, etc. The advantage of open source deployed internally is precisely that it gives you full control over the data and eliminates the risk of an unwanted transfer to a third party.

An AI project that respects your data?

Let's talk about your case. We build with respect for data residency.

Request a Custom Demo

Tell us about your team and we'll reach out within 24 hours.

We'll never share your information. Expect a response within 24h.

AI and the LPD/nLPD in Switzerland | What It Means (guide)