AI and data protection in Switzerland: what an SME needs to know
nFADP, data location, confidentiality: what a Swiss SME must check before entrusting its information to an AI solution, without paralysing its projects.
Published on 14 June 2026 by Lumineth
Entrusting your information to an AI raises a legitimate question: where does my data go, and who can access it? In Switzerland, the subject is governed by the new Federal Act on Data Protection (nFADP) and remains a real barrier to adoption. The good news: these requirements can be handled from the design stage, without paralysing your projects. It’s a central principle of our AI solutions.
This article offers practical guidance for an SME; it does not replace legal advice tailored to your situation.
The Swiss framework: the nFADP
Since September 2023, the new Federal Act on Data Protection (nFADP) has imposed clear principles on Swiss companies: transparency about data use, a defined purpose, adequate security and respect for the rights of the people concerned. For an SME, AI doesn’t change these principles: it simply makes them more concrete, since you potentially entrust it with customer or internal data. The habit to build: know which data enters the system, and why.
Where is your data stored and processed?
The key question is where the data is located and processed. Entering sensitive data into a “consumer” public AI doesn’t offer the same guarantees as a controlled architecture, where you choose where the information is stored and how it is queried. For an SME, the challenge is to map the data’s journey: what stays with you, what passes through a provider, and under what contractual conditions.
The right reflex: minimisation
The most protective principle is also the simplest: give the AI only what it needs. A few best practices:
- Limit the data transmitted to the strict minimum for the intended task.
- Anonymise or pseudonymise when the person’s identity isn’t essential.
- Control access — who, within the tool, can see what.
- Document the purposes and the processing, as the nFADP requires.
Keeping your documents under control
That’s the whole point of an architecture where the AI draws on your own documents within a controlled perimeter, rather than “sending the company” into a public model. A well-designed AI knowledge base (RAG) does exactly that: it provides the AI with the right information while you keep control of its storage and access. Confidentiality isn’t an option added at the end: it’s decided when the architecture is designed.
Transparency and trust
Data protection isn’t just a legal constraint: it’s a way to build trust with your customers. Clearly stating how you use AI and their information strengthens your credibility, including with the search engines and AIs that cite you, a point covered in our GEO guide. Done well, compliance becomes an asset, not an obstacle.
In practice, it’s better to address these questions at the start of the project than at the end. Choosing where the data is stored, who can access it and how long it is kept costs little if decided at the design stage; it becomes costly rework if added afterwards. That’s why we treat confidentiality as a design criterion, on a par with the reliability of answers or ease of use, and not as a formality to settle last.
Want to adopt AI without compromising your data? Lumineth, AI agency in Geneva, designs privacy-respecting solutions from the architecture stage.
Frequently asked questions
Is AI compatible with data protection in Switzerland?
Yes, provided you respect the principles of the nFADP: transparency, a defined purpose, minimisation and security. These requirements are handled from the design stage of the project, by controlling which data enters the system and where it is processed.
What is the nFADP for an SME?
The new Federal Act on Data Protection, in force since September 2023, requires Swiss companies to ensure transparency, a defined purpose, adequate security and respect for people’s rights. AI doesn’t change these principles; it makes them more concrete.
Should you avoid public AIs for sensitive data?
For sensitive data, a consumer AI doesn’t offer the same guarantees as a controlled architecture, where you choose the storage and the querying method. The right reflex is to limit the data transmitted and to map its journey.
How do you reduce the risk to data?
By applying minimisation: transmit only what is necessary, anonymise when identity isn’t required, control access and document the processing. A knowledge base within a controlled perimeter helps keep control.