By Tenzin Langdun

AI and Data Protection in Switzerland: What SMEs Must Know About the revDSG and EU AI Act

AI data protection in Switzerland: how SMEs can use ChatGPT, Claude and automation compliantly under the revDSG, and when the EU AI Act applies. With compliance checklist.

Data Protection, revDSG, AI Compliance

AI can be data protection compliant in Switzerland if you set it up correctly. The revDSG does not ban AI; it simply requires what good data protection has always required: data minimisation, transparency and human oversight. This article shows SMEs what matters when using AI under the revDSG, and when the EU AI Act comes into play.

Many SMEs use ChatGPT, Claude or automations in their daily work today without systematically reviewing the data protection side. This does not have to be complicated, but it does require a few clear guardrails.

What does the revDSG require when using AI?

The revised Federal Act on Data Protection (revDSG) has been in force since 1 September 2023 and applies to the processing of the personal data of natural persons. As soon as an AI system works with names, email addresses, application documents or customer histories, its principles apply. The most important ones are:

  • Lawfulness, good faith and proportionality: Data may only be processed to the extent necessary.
  • Transparency and purpose limitation: Data subjects must be able to understand what happens with their data and why.
  • Data accuracy and data security: Data must be correct and appropriately protected.
  • Rights of data subjects: in particular access, rectification and erasure.
  • Record of processing activities and, where applicable, a data protection impact assessment where a high risk is likely.
  • Privacy by design / by default: Data protection is considered from the outset, not bolted on afterwards.

In addition, there is a duty to notify the Swiss data protection authority (EDÖB/FDPIC) of data security breaches likely to result in a high risk to the data subjects.

Where does using AI become tricky?

The most common pitfall is the data location. Many AI providers process data abroad, often in the US. Disclosing personal data abroad requires an appropriate legal basis, such as suitable safeguards in the contract. This is solvable, but not to be taken for granted.

The second pitfall is sensitive personal data such as health data, creditworthiness data, or data on religious and political views. This demands heightened care and certainly does not belong in public consumer tools.

The third point is processing on behalf of a controller: anyone using an AI service that processes personal data on their behalf should review the contractual basis (often referred to as a data processing agreement, or DPA) and ensure that the provider does not use the data for training without permission.

When does the EU AI Act reach a Swiss SME?

Switzerland is not part of the EU, so the EU AI Act does not apply directly to Swiss companies. However, it can affect a Swiss SME extraterritorially: namely, when the company offers AI systems or their outputs on the EU market, or works closely with EU customers. Anyone already subject to the GDPR is effectively affected as well.

In practical terms, this means: as long as you use AI purely internally and for Swiss customers, the revDSG is the priority. As soon as your AI-supported products or services address the EU market, a closer look is worthwhile. We have broken down the details in our article EU AI Act 2026 for SMEs.

Compliance checklist for using AI in an SME

This checklist is not a substitute for a legal review, but it helps clarify the most important questions early on:

| Area | Question | Done |
|---|---|---|
| Data minimisation | Do we enter only the data that is truly necessary into the AI tool? | |
| No sensitive data | Is sensitive personal data excluded from public tools? | |
| Processing on behalf | Is there a DPA / data processing agreement in place, and is training on our data excluded? | |
| Data location | Has an EU/CH location been chosen, or is there an appropriate basis for the transfer abroad? | |
| Transparency | Do customers know where and for what purpose AI is used? | |
| Human oversight | Does a human review the outputs before they take effect (human-in-the-loop)? | |
| Documentation | Is the use of AI recorded in the record of processing activities? | |
| Erasure & rights | Can we fulfil requests for access, rectification and erasure? | |

A simple principle sums much of this up: No personal data in public consumer tools. Anyone who uses business accounts with clear contractual commitments and an appropriate data location has already defused the biggest risks.

What does data protection compliant AI look like in practice?

Data protection compliant AI is a question of architecture, not of doing without. In well-built systems, personal data is minimised or anonymised wherever it is not strictly necessary for the result. Sensitive processes run through providers with a European data location and contractual guarantees. And at the decisive points, a human reviews before anything goes to customers or authorities.

This is exactly how we think about process automation for SMEs and the use of ChatGPT in the company: the data flow first, then the tool. The message to SMEs is therefore not to avoid AI, but to set it up cleanly. AI can be compliant if it is built correctly.

If you want to use AI in your company without taking on data protection risks, talk to us. We help SMEs in Zurich and across Switzerland build AI solutions with the necessary diligence, from the data flow through tool selection to human oversight.

Frequently asked questions

Does the revDSG also apply to the use of AI in an SME?

Yes. The revised Federal Act on Data Protection (revDSG) has been in force since 1 September 2023 and applies to any processing of the personal data of natural persons, including when that data is processed by an AI system. Anyone using ChatGPT, Claude or automations with customer, employee or supplier data must comply with the principles of the revDSG.

Does the EU AI Act apply to Swiss companies?

Switzerland is not part of the EU, so the EU AI Act does not apply directly to Swiss companies. However, it can reach a Swiss SME extraterritorially if the company offers AI systems or their outputs on the EU market, or works closely with EU customers. Anyone already subject to the GDPR should keep the EU AI Act in mind.

May personal data be entered into public AI tools such as ChatGPT?

As a rule, personal data does not belong in public consumer versions of AI tools, because it is unclear where and how that data is further processed. Sensitive personal data in particular, such as health or creditworthiness data, demands heightened care. Professional use requires business accounts with clear contractual guarantees regarding data processing.

Who is the data protection supervisory authority in Switzerland?

The competent supervisory authority is the Swiss data protection authority (EDÖB/FDPIC), the Federal Data Protection and Information Commissioner. Data security breaches likely to result in a high risk to the data subjects must be reported to the EDÖB/FDPIC. The authority also publishes guidance and recommendations on practical data protection.