nFADP Compliance for AI Products and Data Processing

Switzerland’s revised data protection law applies to your AI product. Most non-Swiss teams haven’t checked.

nFADP — in force since September 2023

The revised Federal Act on Data Protection — nFADP, also known as revDSG — entered into force on 1 September 2023. It replaced Switzerland’s original 1992 data protection law with a framework substantially modernised to align with GDPR — stricter, more comprehensive, and with direct applicability to organisations outside Switzerland that process Swiss personal data.

If your AI system processes data about people in Switzerland, whether through SaaS access, API integration, enterprise contracts or any other channel, nFADP applies to it. Switzerland is not an EU member state and GDPR is not Swiss law; a Swiss company can still fall within GDPR's own territorial scope when it targets EU residents, but Swiss data subjects are protected by nFADP, not by GDPR.

Swiss data protection is a separate regime with its own requirements, its own supervisory authority — the Federal Data Protection and Information Commissioner — and its own enforcement framework.

For AI systems, nFADP creates specific obligations around data processing transparency, automated decision-making, data subject rights, privacy by design, and cross-border data transfer that sit alongside EU AI Act obligations for organisations operating in both markets simultaneously. The two regimes are broadly aligned but diverge in important areas — and compliance with GDPR does not automatically satisfy nFADP.

European Compliance Suite provides specialist nFADP compliance assessments for AI products processing Swiss personal data. We assess your AI system’s nFADP obligations, identify where GDPR compliance contributes to nFADP compliance and where distinct Swiss requirements apply, and deliver a documented compliance record specific to your product.

nFADP Compliance Assessment for Your AI System

A lawyer-built assessment of your AI system’s nFADP obligations — lawful basis for processing, automated decision-making requirements, data subject rights implementation, privacy by design assessment, cross-border transfer analysis, and a documented compliance record your Swiss clients, enterprise buyers, and the FDPIC can rely on.

How nFADP works for AI products

Six principles. One Swiss framework. Direct obligations for every AI system processing Swiss personal data.

nFADP establishes core data protection principles that apply to every processing activity — including AI training, inference, automated decision-making, and output generation involving Swiss personal data.

Lawfulness and good faith
Swiss law takes a different starting point from GDPR. Processing by a private controller does not itself need a lawful basis; it is permitted as long as it respects the processing principles (good faith, proportionality, purpose limitation, transparency, accuracy and security) and does not unlawfully breach the data subject's personality. Where it does breach personality, for example by processing against the data subject's express will or by disclosing sensitive personal data to third parties, the controller needs a justification: the data subject's consent, an overriding private or public interest, or a legal provision. For AI systems this analysis has to be run for each distinct processing activity, since training, inference, logging and model improvement each create their own risk of a personality breach. The distinction matters most for training data collected without consent, where the GDPR question "which of the six bases applies?" is replaced by the Swiss question "does this processing breach personality, and if so, what justifies it?".

Purpose limitation and proportionality
Personal data may only be processed for the purpose for which it was collected, and only to the extent necessary for that purpose. AI systems that repurpose interaction data for model improvement, or that process more data than any specific function requires, face purpose limitation and proportionality challenges under nFADP that are substantively similar to GDPR but assessed under Swiss law by the FDPIC.

Transparency
Data subjects must be informed of the processing of their personal data — who processes it, for what purpose, and to whom it is disclosed. For AI systems, transparency obligations extend to automated decision-making and profiling. Where an AI system makes significant decisions about individuals, the transparency requirement is more demanding — data subjects must be informed of the logic involved and the significance of the decision.

Data security
Appropriate technical and organisational measures must be implemented to protect personal data against unauthorised processing — including against accidental loss, destruction, or damage. For AI systems, security obligations cover training data, model weights, inference infrastructure, interaction logs, and output storage. The security standard under nFADP is risk-based — the measures must be proportionate to the risk the processing creates.

Data retention
Personal data must not be retained longer than necessary for the processing purpose. AI-specific retention issues — model weights that embed personal data, interaction logs retained for model improvement, training datasets held beyond their useful life — must be assessed and documented under nFADP’s retention obligations.

Rights of data subjects
nFADP provides data subjects with the right of access (Art. 25), the right to rectification, the right to erasure and to have processing or disclosure prohibited (Art. 32), the right to data portability (Art. 28), and, for automated decision-making, the right to state their position and request review by a natural person (Art. 21). Implementing these rights in an AI system creates technical challenges that must be addressed at product architecture level: a model trained on personal data, or an interaction log reused for model improvement, cannot be corrected or erased by policy alone.

Who nFADP applies to

nFADP applies to any processing that has an effect in Switzerland, even if it is initiated abroad (Art. 3 FADP). In practice the test turns on the data subjects rather than on where the organisation is established: an AI company with no Swiss presence that processes data about people in Switzerland is in scope. The reach is comparable to GDPR Article 3(2), although the Swiss test is framed as "effect in Switzerland" rather than as offering goods or services or monitoring behaviour.

Entity type | In scope of nFADP? | Key obligation
Swiss-based AI company processing Swiss personal data | Yes, directly | Full nFADP compliance, including the record of processing activities, DPIA equivalent and data subject rights
Non-Swiss AI company with Swiss SaaS users | Yes, extraterritorially | Full nFADP obligations where Swiss personal data is processed
EU-based AI company with Swiss enterprise clients | Yes, even where GDPR-compliant | Distinct nFADP obligations; GDPR compliance does not satisfy nFADP automatically
UK AI company with Swiss users post-Brexit | Yes | Full nFADP obligations where Swiss personal data is processed
US AI company offering services to Swiss residents | Yes | Full nFADP obligations; a Swiss representative may be required
AI company processing only anonymised data about Swiss individuals | No, anonymised data is not personal data | No nFADP obligations, but the anonymisation must be robust against re-identification; pseudonymised data (where a key or reference dataset still allows re-identification) remains personal data
AI company processing personal data about Swiss employees | Yes | nFADP plus Swiss employment law data protection requirements
Processor handling Swiss personal data on behalf of a controller | Yes, processor obligations apply | Data processing agreement, security measures, sub-processor restrictions
AI company with no Swiss users and no Swiss commercial activity | No | Not in scope, but document this determination

Automated decision-making: nFADP’s AI-specific provision

Article 21 of nFADP addresses automated decision-making — decisions made solely by automated means that produce legal effects or significantly affect the data subject. It is the Swiss equivalent of GDPR Article 22, but with important differences that matter for AI products operating in both markets.

Three things AI teams processing Swiss personal data consistently misunderstand:

  1. Unlike GDPR, nFADP does not frame automated decision-making as a right not to be subject to such decisions. Instead, it requires the controller to inform the data subject that a decision has been made solely by automated means, to give them the opportunity to state their position on request, and to let them request review of the decision by a natural person. The obligation is one of transparency and procedural fairness, not a prohibition subject to exemptions as under GDPR. Article 21(3) does carve out two cases: the duties do not apply where the decision is directly connected with concluding or performing a contract with the data subject and the data subject's request is granted, or where the data subject has expressly consented to the decision being automated.
  2. The threshold for triggering nFADP's automated decision-making obligation is legal effect or significant impact on the data subject, the same functional threshold as GDPR Article 22. Credit decisions, employment decisions, insurance pricing and access decisions all meet this threshold for Swiss data subjects in the same way as for EU data subjects.
  3. nFADP's automated decision-making provision applies to decisions based exclusively on automated processing. A nominal human reviewer who does not exercise genuine individual discretion does not break the solely automated chain, which is the same reading that applies under GDPR. The practical test is whether the human has the authority, the competence and the information to change the outcome, and whether they ever actually do.

What nFADP compliance requires for AI products

These are the nFADP requirements that apply most directly to AI products processing Swiss personal data — with specific attention to where Swiss law diverges from GDPR.

Swiss representation assessment — under Art. 14 FADP a private controller domiciled abroad must appoint a representative in Switzerland where it processes personal data of persons in Switzerland and all of the following apply: the processing is connected with offering goods or services to, or monitoring the behaviour of, persons in Switzerland; it is on a large scale; it is regular; and it poses a high risk to the personality of the data subjects. This is the Swiss equivalent of GDPR's Article 27 representative obligation, but the four conditions are cumulative.

Territorial scope determination — confirmation that your AI system processes personal data about Swiss residents and that nFADP applies, including identification of every processing activity that touches Swiss personal data — collection, training, inference, logging, output, and model improvement.

Lawful basis assessment — establishment of the legal basis for every processing activity under nFADP’s framework, noting where Swiss law differs from GDPR — particularly for non-sensitive personal data where nFADP’s approach is less prescriptive than GDPR’s six-basis framework.

Sensitive personal data assessment — identification of sensitive personal data your AI system processes or infers, including health data, biometric data, data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, and data on administrative or criminal proceedings — nFADP’s sensitive data categories are broader than GDPR’s special category data in some respects.

Automated decision-making compliance — assessment of whether your AI system makes decisions solely by automated means with legal or significant effects on Swiss data subjects, and implementation of the nFADP Article 21 obligations — transparency about the automated nature of the decision and a genuine opportunity for human review.

Privacy by design and default — nFADP expressly requires privacy by design and privacy by default — technical and organisational measures that implement data protection principles from the earliest stage of system design, and default settings that process only the minimum personal data necessary for each function.

Data processing record — Art. 12 FADP requires both controllers and processors to maintain a record of processing activities. Companies with fewer than 250 employees are exempt under the Data Protection Ordinance unless they process sensitive personal data on a large scale or carry out high-risk profiling, which describes many AI products. For AI systems the record should cover training data sources, inference processes, logging activities and model improvement cycles involving Swiss personal data.

Data protection impact assessment — a DPIA-equivalent assessment is required under nFADP where processing is likely to result in high risk to data subjects — the same functional threshold as GDPR, applied to AI systems involving large-scale processing of sensitive data, systematic monitoring, or automated decision-making with significant effects.

Cross-border transfer assessment — Swiss data transfer rules are distinct from GDPR's transfer framework. Switzerland maintains its own adequacy list (Annex 1 of the Data Protection Ordinance) and recognises its own set of safeguards. Transfers of Swiss personal data to countries not on that list require a safeguard that is valid under Swiss law; the EU Standard Contractual Clauses qualify only with the Swiss-specific adaptations the FDPIC requires (governing law, competent courts, references to Swiss law and the FDPIC), so a transfer assessment done purely for GDPR has to be re-checked against the Swiss list and the Swiss amendments.

Data subject rights implementation — technical and organisational measures enabling Swiss data subjects to exercise their nFADP rights — access, rectification, erasure, restriction, and human review of automated decisions — assessed against your AI system’s architecture.

One engagement. Every nFADP obligation mapped for your AI system.

A lawyer-built nFADP assessment covering territorial scope, lawful basis for every processing activity, sensitive personal data assessment, automated decision-making compliance, privacy by design review, data processing record, DPIA scoping, cross-border transfer analysis, data subject rights implementation, and Swiss representation assessment — documented and specific to your product, mapped against your EU AI Act and GDPR position where both apply.

Frequently Asked Questions About nFADP Compliance

What is nFADP and how does it differ from GDPR?

The revised Federal Act on Data Protection — nFADP or revDSG — is Switzerland’s modernised data protection law, in force since 1 September 2023. It is broadly aligned with GDPR in structure and approach but is a distinct Swiss law administered by the Federal Data Protection and Information Commissioner.

Key differences include a less prescriptive lawful basis framework for non-sensitive personal data, a broader definition of sensitive personal data, a distinct approach to automated decision-making under Article 21, separate cross-border transfer rules based on Switzerland’s own adequacy list, and different administrative sanction mechanisms. GDPR compliance provides a useful foundation but does not automatically satisfy nFADP.

Does nFADP apply to organisations outside Switzerland?

Yes. nFADP applies to processing that has an effect in Switzerland even if it is initiated abroad (Art. 3 FADP), so it reaches any organisation that processes personal data about people in Switzerland, regardless of where the organisation is established. An EU-based AI company with Swiss enterprise clients, a US company offering SaaS to Swiss users, or a UK company with Swiss employees all fall within nFADP's scope where they process Swiss personal data. The territorial reach is comparable to GDPR's, but the Swiss test is effect in Switzerland rather than targeting or monitoring, and it is enforced by the FDPIC rather than an EU supervisory authority.

Does GDPR compliance satisfy nFADP obligations?

Not automatically. The two regimes are substantially aligned but diverge in important areas. The lawful basis framework differs — nFADP is less prescriptive for non-sensitive data processing. The sensitive data categories are not identical — nFADP includes data on administrative proceedings that GDPR does not list as special category data.

The automated decision-making framework is procedurally different — nFADP creates a transparency and human review obligation rather than GDPR’s right not to be subject to automated decisions.

Cross-border transfer rules are assessed separately: the transfer must be to a country on Switzerland's own adequacy list, or covered by a safeguard recognised under Swiss law (for example the EU Standard Contractual Clauses with the FDPIC-required Swiss adaptations), not simply by an EU adequacy decision or unamended EU SCCs. An organisation that is fully GDPR-compliant still needs a gap analysis to establish what additional nFADP obligations apply.

What is the nFADP approach to automated decision-making for AI systems?

Article 21 of nFADP requires controllers to inform data subjects when a decision has been made solely by automated means that produces legal effects or significantly affects them, and to offer a genuine opportunity to express their view and request human review. Unlike GDPR Article 22, nFADP does not frame this as a right not to be subject to automated decisions — it is a transparency and procedural fairness obligation. The threshold for triggering the obligation is the same — legal effect or significant impact — and the solely automated test applies on the same basis as under GDPR.

What are nFADP’s sensitive personal data categories? How do they differ from GDPR?

nFADP defines sensitive personal data to include religious, ideological, political, or trade union-related views or activities; health and private life data; racial and ethnic origin; genetic data; biometric data uniquely identifying a person; administrative and criminal proceedings and sanctions; and social welfare measures.

The inclusion of data on administrative proceedings and social assistance measures goes beyond GDPR's special category list. AI systems that process or infer any of these categories must satisfy nFADP's stricter rules for sensitive data: where consent is relied on it must be express, disclosure to third parties is treated as a breach of personality that needs a justification, and large-scale processing of sensitive data is one of the cases in which a data protection impact assessment is required. Inference matters here: a model that derives a health condition or political view from non-sensitive inputs is processing sensitive personal data.

When is a data protection impact assessment required under nFADP?

A DPIA-equivalent assessment is required under nFADP where processing is likely to result in high risk to the personality or fundamental rights of data subjects.

The functional threshold mirrors GDPR Article 35: Art. 22 FADP names large-scale processing of sensitive personal data and systematic, extensive monitoring of public areas as examples, and automated decision-making with significant effects or the use of new technologies will typically qualify for an AI product. As under GDPR Article 36, where the assessment shows that the processing would still pose a high risk despite the planned measures, the controller must obtain the FDPIC's opinion before starting (Art. 23 FADP). A private controller that has appointed a data protection advisor and consulted that advisor on the assessment is exempt from the FDPIC consultation, which is one practical reason for AI companies to appoint one.

What are nFADP’s cross-border data transfer rules?

Switzerland maintains its own list of countries and international organisations providing adequate data protection, set out in Annex 1 of the Data Protection Ordinance and distinct from the EU's adequacy decisions. EU and EEA states are on the Swiss list, so a transfer from Switzerland to the EU needs no additional mechanism, but onward transfers from an EU processor to a third country are still judged against the Swiss list, which does not automatically track EU adequacy decisions.

Where a transfer goes to a country not on Switzerland's list, a safeguard recognised under Swiss law is required: the EU Standard Contractual Clauses with the Swiss adaptations the FDPIC requires (Swiss governing law and courts, references to Swiss law and the FDPIC, and coverage of data subjects in Switzerland), binding corporate rules approved by the FDPIC, or another recognised safeguard such as consent in the individual case. Unamended EU Standard Contractual Clauses do not on their own satisfy Swiss transfer requirements.

Does nFADP require appointment of a Swiss representative?

Potentially, yes. Under Art. 14 FADP a private controller domiciled abroad must appoint a representative in Switzerland where it processes personal data of persons in Switzerland and all four of the following conditions are met: the processing is connected with offering goods or services to, or monitoring the behaviour of, persons in Switzerland; it is large-scale; it is regular; and it poses a high risk to the personality of the data subjects.

The representative obligation is analogous to GDPR's Article 27 requirement: a named point of contact for Swiss data subjects and the FDPIC, whose name and address must be published. "Large-scale" and "high risk" are not given numeric thresholds in the law, so organisations in doubt should assess and document the obligation as part of their nFADP compliance review.

What are the penalties for nFADP non-compliance?

nFADP's sanction regime differs from GDPR. Rather than imposing administrative fines on organisations, nFADP provides for criminal fines against the responsible natural persons for intentional violations, in most cases only on complaint.

Fines reach CHF 250,000 for individuals who intentionally breach the duty to inform data subjects (including the duty to inform about automated individual decisions), the duty to provide access, the duties of care on cross-border disclosure, use of processors and minimum data security, professional confidentiality, or a binding ruling of the FDPIC. Where identifying the responsible individual would be disproportionate, a fine of up to CHF 50,000 can be imposed on the company instead. Failing to notify the FDPIC of a data breach and failing to keep the processing record are not themselves criminally sanctioned, though they will count against the organisation in any FDPIC investigation.

The FDPIC can open investigations on its own initiative and, under the revised law, issue binding administrative rulings ordering that processing be adjusted, suspended or terminated, or that data be deleted; non-compliance with such a ruling is itself a criminal offence.

Reputational and commercial consequences of FDPIC enforcement are often more significant than the direct financial penalty.

How does nFADP interact with the EU AI Act for AI products operating in both markets?

The EU AI Act governs the AI system itself — risk classification, technical documentation, transparency, and human oversight. nFADP governs the personal data the system processes in Switzerland.

For AI companies operating in both the EU and Switzerland simultaneously, both apply — EU AI Act obligations on the product, GDPR obligations on EU personal data, and nFADP obligations on Swiss personal data.

The data protection obligations are largely parallel but require distinct compliance records — a Swiss data subject’s rights under nFADP must be satisfied under Swiss law, not GDPR.

A cross-framework assessment maps all applicable obligations against the same product and identifies where a single compliance record can satisfy multiple regimes.

How do I start nFADP compliance for my AI product?

Four steps in order. First, determine whether your AI system processes personal data about Swiss residents — if yes, nFADP applies regardless of where you are established. Second, assess your existing GDPR compliance position against nFADP’s specific requirements — identify the gaps where Swiss law diverges. Third, assess your automated decision-making processes against nFADP Article 21 and implement the transparency and human review obligations. Fourth, review your cross-border transfer arrangements for Swiss personal data and confirm that Swiss-law transfer mechanisms are in place where required.

A lawyer-built assessment covers all four steps and delivers a documented nFADP compliance position specific to your AI system — mapped against your EU AI Act and GDPR position where both apply.