FADP and AI: Complying with Swiss Data Protection Law

Since September 1, 2023, the revised Federal Act on Data Protection (FADP) has been in effect in Switzerland. For companies using or planning AI systems, this creates specific requirements. This guide shows what you need to consider.

What Is the FADP?

The revised FADP is Switzerland's answer to the GDPR. It strengthens the rights of data subjects, tightens information obligations, and introduces significant fines for violations. Particularly relevant for AI projects: the transparency requirements for automated individual decisions.

Key changes from the old DPA:

• Extended information obligations when collecting personal data
• Privacy by Design and Privacy by Default as legal requirements
• Mandatory Data Protection Impact Assessment (DPIA) for high-risk processing
• Mandatory reporting of data breaches to the FDPIC
• Fines up to CHF 250,000 for intentional violations

Why Is the FADP Particularly Relevant for AI?

AI systems process large volumes of data, often including personal data. Machine learning models are trained on historical data and make automated decisions. Both touch core areas of data protection law.

Particularly sensitive are AI applications in areas like HR (applicant screening), creditworthiness, insurance risk assessment, and customer profiling. Here, an automated decision can have direct impact on individuals.

5 Core Requirements for AI Projects

1. Transparency and Information Obligations

Data subjects must know that an AI system is processing their data. Actively inform about the use of AI, the types of data processed, and the purpose of processing. This also applies to existing systems that are subsequently enhanced with AI.

2. Purpose Limitation and Data Minimization

AI models may only be trained with data collected for the defined purpose. Avoid using customer data for training purposes without an explicit legal basis. Use anonymization and synthetic data wherever possible.

3. Data Protection Impact Assessment

For high-risk AI projects, a DPIA is mandatory. Systematically document the risks: What personal data is processed? What automated decisions are made? What impact do these have on data subjects?

4. Right to Explanation of Automated Decisions

Data subjects have the right to request an explanation when an automated individual decision significantly affects them. Ensure your AI systems make traceable decisions or that a human review process is in place.

5. Data Hosting in Switzerland

The FADP sets high standards for data transfers abroad. For AI projects this means: Prefer Swiss cloud providers and ensure that training data and models are hosted in Switzerland.

Practical Implementation: Step by Step

1. Inventory: Record all AI systems and the personal data they process
2. Risk analysis: Assess each system by data type, decision impact, and affected persons
3. Conduct DPIA: Create a formal impact assessment for high-risk systems
4. Implement information obligations: Update privacy policy, transparently communicate AI usage
5. Technical measures: Implement Swiss hosting, encryption, and access controls

Checklist for FADP-Compliant AI

• Privacy policy covers AI processing
• DPIA available for high-risk AI systems
• Processing register includes all AI systems
• Training data anonymized or on valid legal basis
• Data processing in Switzerland or countries with adequate protection
• Human review process defined for automated decisions

Conclusion

The FADP is not an obstacle to AI projects but a quality seal. Companies that work in a data protection-compliant manner from the start build trust with customers and partners. With proper planning, FADP-compliant AI automation is efficiently implementable.