The nDSG in brief
In force since September 1, 2023, the new Swiss Federal Act on Data Protection (nDSG/FADP) represents the most significant overhaul of Switzerland's data protection framework since 1992. It aligns Switzerland with European GDPR standards while maintaining the specificities of Swiss law.
For Swiss organizations using artificial intelligence tools, it creates new and concrete obligations.
The 6 key nDSG obligations applicable to AI
1. Privacy by design
Article 7 nDSG requires that data protection be integrated from the design stage of systems and processes. If you deploy an AI assistant for your organization, you must be able to demonstrate that data protection was considered before deployment, not after.
2. Data minimization
Only data strictly necessary for defined purposes may be processed. In an AI context, this means evaluating whether the information your employees transmit to the assistant is proportionate to the purpose.
3. Purpose limitation
Data collected may only be used for the purposes for which it was collected. This is where the AI training question becomes critical: if a provider uses your data to improve its models, it is processing your data for a purpose you did not authorize.
4. Processing activity register
Organizations processing personal data on a large scale must maintain a register of processing activities (Art. 12 nDSG). This register must include processing performed via AI tools.
5. Impact assessment (DPIA)
For processing likely to result in high risk for data subjects, a data protection impact assessment (DPIA) is mandatory. Using AI to process sensitive data — medical, legal, financial — typically falls into this category.
6. International data transfers
Article 16 nDSG governs transfers abroad. To be lawful, a transfer must be to a country recognized as providing adequate protection, or accompanied by appropriate safeguards.
What this means in practice
If you are currently using ChatGPT, Microsoft Copilot, or any other mainstream AI assistant to process Swiss client, employee, or third-party data, you need to verify:
- Do you have a DPA with the provider?
- Does that DPA cover the prohibition on training?
- Have you documented the cross-border transfers?
- Are your employees trained?
Nectos: designed for nDSG compliance
Nectos meets each of these requirements by design: Swiss processing only, no training on customer data, full audit logs, DPA available for all organizations.
Compliance with the nDSG should not be an obstacle to AI adoption. It should be a baseline condition, one that your AI provider either meets or does not.