Compliance Pillar
revDSG-compliant AI in Swiss companies
What the revised Swiss Federal Act on Data Protection concretely means for AI use. And how you become compliant pragmatically, without lawyer theatre.
⚠️ This guide is orientation, not legal advice.
Whether your company is actually revDSG-compliant can only be assessed by a Swiss lawyer specialising in data protection. We describe how we at Waldsee handle revDSG in AI implementations. Your legal department or data protection adviser must make the final assessment.
What is revDSG
The revised Swiss Federal Act on Data Protection (revDSG), in force since 1 September 2023, replaces the data protection act of 1992. It is not identical to the EU GDPR, but closely modelled on it. The points that matter most for AI use: the register of processing activities, informing data subjects, data processing agreements and a transfer basis for providers in third countries, the rules on automated individual decisions, and data protection impact assessments for high-risk processing.
Source: fedlex.admin.ch.
What does revDSG concretely mean for AI use
1: Processing register
You must know which personal data is processed in which tools. If employees feed ChatGPT with client data, that belongs in the register. Shadow AI makes that impossible. Hence the first action item: an AI inventory. (The statutory register duty under Art. 12 revDSG is limited to companies with 250 or more employees or high-risk processing; below that threshold you still need the inventory, because without it you cannot answer any of the other questions on this page.)
2: Data processing
Cloud AI with a US provider (OpenAI, Anthropic, Microsoft) = disclosure of personal data abroad (Art. 16 and 17 revDSG). Requires: a data processing agreement (DPA) with the provider, and a legal basis for the transfer. Since September 2024 a provider's certification under the Swiss-US Data Privacy Framework counts as such a basis; otherwise you need standard contractual clauses, a transfer impact assessment, and possibly additional safeguards such as pseudonymisation or encryption of the data before it leaves.
3: Informing data subjects
If personal data is processed via AI, the data subjects must be informed (Art. 19 revDSG). The privacy policy must name the purpose, the recipients (the AI provider) and the countries the data is disclosed to, not just say "we use AI".
4: Automated individual decisions
If a decision is taken exclusively by automated processing and has legal effects for the person or significantly affects them (job application, credit decision), Art. 21 revDSG applies: you must inform the person, and they can state their position and request that a human reviews the decision.
5: Data security
Technical and organisational measures (TOMs), Art. 8 revDSG. For AI this means, among other things: access limited to the people who need the tool, logs of who sent what where, and no data flow into unsanctioned tools. A log that stores the full prompts is itself a second copy of the personal data; log the decision and a hash or identifier of the request, not the content.
Pragmatic compliance paths
Path A: Cloud AI with a DPA
- ChatGPT Enterprise / Microsoft Copilot with a data processing agreement and a documented transfer basis
- Informing data subjects via the privacy policy
- Maintain the processing register
- Train employees on what may go in, what may not
- Works for many office workflows
Path B: On-prem AI
- Hardware on-site with you (e.g. Lenovo ThinkStation PGX)
- No third-country transfer. Period. (Provided no telemetry, logging, fallback calls or model updates leave the premises; check that in the configuration, not in the brochure.)
- Still maintain the processing register
- Still inform the data subjects
- Structurally easier to be compliant
Path C: Hybrid
- Sensitive workflows on-prem, generic ones in the cloud
- Clear rules on which data goes where
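The "clear rules on which data goes where" in Path C and the access control, logging and no-shadow-tools requirements under point 5 are the same mechanism seen from two sides: a gate in front of the AI tools that classifies the request, checks the target against the inventory of sanctioned tools, and records the decision. The following Python sketch is an added example, not code from the original page or from Waldsee. The endpoint names, the regex detectors and the policy table are constructed for illustration; a real deployment would plug in a proper DLP classifier and its own tool inventory.

```python
"""Hypothetical routing gate for a hybrid AI setup (added example, not from the page).

Assumptions (all constructed for illustration): the endpoint names, the
personal-data regexes and the sanctioned-tool table below. A production gate
would use a real DLP classifier and the company's own AI inventory.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed detectors for a few personal-data markers common in Swiss
# business data. Regexes are illustrative only; real DLP needs more.
PERSONAL_DATA_PATTERNS = {
    "ahv_number": re.compile(r"\b756\.\d{4}\.\d{4}\.\d{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ch_iban": re.compile(r"\bCH\d{2}(?: ?\d{4}){4} ?\d\b"),
}


@dataclass
class Endpoint:
    name: str
    location: str                 # "on-prem" or "third-country"
    dpa_signed: bool              # data processing agreement in place
    transfer_basis: Optional[str] # e.g. "Swiss-US DPF" or "SCC+TIA"; None if absent


# Constructed inventory of sanctioned tools (the page's "AI inventory").
# Anything not listed here is a shadow tool and is refused.
SANCTIONED = {
    "local-llm": Endpoint("local-llm", "on-prem", True, None),
    "chatgpt-enterprise": Endpoint("chatgpt-enterprise", "third-country", True, "Swiss-US DPF"),
    "trial-chatbot": Endpoint("trial-chatbot", "third-country", False, None),
}

# Audit trail for the TOMs: who sent what class of data where, and why.
AUDIT_LOG: list = []


def classify(text: str) -> list:
    """Names of personal-data markers found in text; empty list means generic."""
    return [name for name, rx in PERSONAL_DATA_PATTERNS.items() if rx.search(text)]


def route(prompt: str, requested: str, user: str) -> tuple:
    """Decide whether a prompt may go to the requested endpoint.

    Returns (decision, reason): decision is the endpoint name on allow or
    "deny". Every decision is appended to AUDIT_LOG with a truncated hash of
    the prompt instead of the prompt itself, so the log does not become a
    second copy of the personal data.
    """
    markers = classify(prompt)
    endpoint = SANCTIONED.get(requested)
    if endpoint is None:
        decision, reason = "deny", f"{requested} is not a sanctioned tool"
    elif not markers:
        decision, reason = endpoint.name, "generic content"
    elif endpoint.location == "on-prem":
        decision, reason = endpoint.name, "personal data stays on-prem"
    elif endpoint.dpa_signed and endpoint.transfer_basis:
        decision, reason = endpoint.name, f"DPA and transfer basis ({endpoint.transfer_basis})"
    else:
        decision, reason = "deny", "personal data to third country without DPA and transfer basis"
    AUDIT_LOG.append({
        "user": user,
        "requested": requested,
        "decision": decision,
        "reason": reason,
        "markers": markers,
        "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest()[:16],
    })
    return decision, reason


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("Summarise this Q3 planning agenda", "chatgpt-enterprise", "alice"),
        ("Client Hans Muster, AHV 756.1234.5678.97, wants a quote", "local-llm", "alice"),
        ("Client Hans Muster, AHV 756.1234.5678.97, wants a quote", "trial-chatbot", "bob"),
        ("Payment to CH93 0076 2011 6238 5295 7", "free-chatgpt", "bob"),
    ]
    for prompt, target, user in samples:
        print(user, "->", target, ":", route(prompt, target, user))
```

The order of the checks is the policy: an unsanctioned tool is refused before anything else, generic content may go anywhere in the inventory, personal data may go on-prem unconditionally, and to a third country only when both the DPA and a transfer basis are recorded against that endpoint. Changing the hybrid rule (for example "personal data never leaves the premises") is a one-line change in `route`, and the audit log shows afterwards which rule applied to which request.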
What you as a management board should concretely do
- AI inventory: Who uses what? (an hour in the leadership circle is enough)
- Rules of the game: a 1-page "AI house rules" for employees
- Sanctioned tool: ChatGPT Enterprise with a DPA, Copilot, or on-prem
- Adjust the privacy policy: mention the AI use
- Maintain the processing register: keep it current
Frequently asked questions
Is ChatGPT illegal in Switzerland?
No. With a data processing agreement, a documented transfer basis and correct information to the data subjects, it can be used in a revDSG-compliant way. What is not compliant is the free consumer version fed with client data and nobody knowing about it.
Do I need Swiss-hosted AI?
Not necessarily. Swiss hosting solves the third-country question structurally, but it is not the only compliance option.
What about the EU GDPR?
The GDPR does not depend on citizenship. It applies if you have an establishment in the EU, or if you offer goods or services to people in the EU or monitor their behaviour there (Art. 3 GDPR). For purely Swiss data flows, revDSG is enough.
Do I need a data protection officer?
revDSG does not oblige private companies to appoint one; the data protection adviser under Art. 10 is voluntary for them, and mandatory only for federal bodies. Recommendation: someone internally responsible, with an external lawyer on board.
How high are the fines?
Fines under Art. 60 to 63 revDSG go up to CHF 250,000, are imposed on the responsible natural person rather than on the company, and require an intentional violation, for example of the information duties or the rules on disclosure abroad. Only where identifying that person would be disproportionate can the company itself be fined, up to CHF 50,000 (Art. 64). Verify the details for your case with a Swiss lawyer.
Can revDSG-compliant AI work without on-prem?
Yes, with a data processing agreement, a transfer basis and a clean configuration. On-prem is one option, not the only one.