If you serve customers in Switzerland and the EU, the short answer is: GDPR-compliant operations cover roughly 85 % of revFADP requirements out of the box — but the remaining 15 % decide whether you face criminal penalties or administrative ones. The Swiss revFADP, fully effective since 1 September 2023, deliberately stays close to GDPR but adds two teeth that don't exist in EU law: criminal liability for individuals (not just companies) and a stricter consent regime for profiling. For AI specifically, Switzerland diverges harder still, because there is no Swiss equivalent of the EU AI Act — yet — which creates both a regulatory gap and a competitive opportunity for Swiss-hosted AI services.

This guide compares the revFADP and GDPR for AI use cases head to head, lays out the five concrete differences that change how you build (data subject rights, consent, fines, profiling, DPO obligations), and gives you a decision matrix for the three common SME setups: Swiss-only, Swiss + EU, and EU primary with Swiss exposure. Sources: PwC's revFADP/GDPR comparison, Adnovum's seven-differences breakdown and DLA Piper's Swiss data-protection summary.

85 % of GDPR controls translate directly to revFADP requirements
CHF 250k max criminal fine for individuals under revFADP (vs €0 personal liability under GDPR)
0 Swiss equivalent of EU AI Act in force as of April 2026
Sep 2023: revFADP fully effective — no grace period remaining

The headline answer for 5- to 500-employee SMEs

If your AI tooling is GDPR-compliant and EU-hosted, you are roughly 85 % covered for Switzerland — but you still need to address five revFADP-specific items: (1) criminal liability disclosures in employment contracts of senior decision-makers, (2) explicit consent for high-risk profiling (stricter than GDPR), (3) a Swiss representative if you have no Swiss subsidiary, (4) FDPIC-specific breach notification within 72 hours, and (5) updated DPA templates referencing Swiss law alongside the GDPR.

What does not exist in Switzerland yet: an EU-AI-Act equivalent. The Federal Council's consultation on a Swiss AI law is ongoing as of April 2026 — most observers expect a 2027–2028 effective date. Until then, your AI risk classification, training-data documentation, and bias-audit obligations under EU AI Act Articles 9–15 simply do not have a Swiss counterpart. That's the regulatory gap. It also means: if you sell AI services into Switzerland from Switzerland, you face fewer formal AI obligations than your EU competitors right now — a 12- to 24-month competitive window.

FADP vs GDPR: the side-by-side that matters for AI

The two regimes overlap on intent (protect personal data, give individuals control) and disagree on enforcement (criminal vs administrative penalties), profiling thresholds (Swiss is stricter), and AI specificity (EU has the AI Act layer, Switzerland doesn't yet). The table below covers the dimensions that actually shape your AI build.

| Dimension | EU GDPR | Switzerland revFADP | AI impact |
|---|---|---|---|
| Penalty regime | Administrative fines up to €20m or 4 % global turnover | Criminal fines up to CHF 250,000 against individuals | Senior decision-makers personally exposed in CH |
| Profiling consent | Consent for fully automated decisions only | Explicit consent for high-risk profiling, even if not fully automated | AI scoring tools need explicit CH consent flow |
| Sensitive data | Race, ethnicity, health, biometric identification, sexual orientation | Same + genetic data + biometric data explicitly listed | AI systems using biometrics need stricter Swiss safeguards |
| DPO requirement | Mandatory for public bodies + large-scale processing | Recommended, not mandatory | CH companies can run leaner; cross-border best practice still says appoint one |
| Breach notification | 72 hours to supervisory authority | "As soon as possible" to FDPIC (interpreted ~72h) | Same operational SLA, different routing |
| AI Act layer | EU AI Act Art. 9–15 applies (Aug 2026 high-risk) | No equivalent yet — consultation phase | 12–24 months CH competitive window for AI deployment |
| Adequacy | Switzerland holds GDPR adequacy decision (mutual) | EU recognised, US-DPF Swiss extension required for US transfers | CH ↔ EU AI data flows OK, US AI vendors need Swiss-DPF cover |

Switzerland's missing AI Act equivalent: gap or opportunity?

Switzerland has no in-force AI-specific law as of April 2026, and the Federal Council's consultation suggests a principle-based approach rather than the EU's risk-classification model. For SMEs that operate AI products from Switzerland, this is a real competitive advantage — for the next 12 to 24 months. After that, expect Swiss law to land somewhere between EU AI Act and Council of Europe AI Convention principles, with sector-specific overlays (finance, health, employment).

Practical implication: don't build to the missing Swiss AI law. Build to EU AI Act high-risk requirements as your baseline, even for Swiss-only operations. When the Swiss law lands, it will be GDPR-style adequate to or stricter than the EU benchmark — never weaker. The cost of over-compliance is a lost competitive window. The cost of under-compliance is rebuilding under regulatory pressure with shrinking timelines. Pick the cheaper mistake.

The criminal-liability detail nobody mentions in vendor pitches

Under revFADP Articles 60–61, individuals — not just companies — can face criminal fines up to CHF 250,000 for intentional or grossly negligent breaches. This is the single biggest structural difference from GDPR, where personal liability for executives is almost non-existent. Practical implications: your CISO, DPO and AI-system owner names are now on a list. Their employment contracts in CH need an explicit indemnification clause and a D&O policy that explicitly covers criminal-defence costs (most don't by default). If you're hiring for those roles in Switzerland in 2026, expect candidates to negotiate this — and rightly so.

Implementation: 5 differences that change your build

If your stack is GDPR-mature, these are the five concrete changes the revFADP forces you to make. None of them is expensive in isolation — together they're a half-day of legal work plus contract updates.

1. Add Swiss-law clauses to your existing DPAs

Your existing GDPR DPAs need a Swiss-law overlay clause: "This DPA is interpreted in line with revFADP requirements where Swiss data subjects are processed; in case of conflict, the stricter regime applies." One-page addendum, signed once with each vendor.

2. Appoint a Swiss representative if you have no CH establishment

If you process Swiss data subjects' data and have no Swiss subsidiary, you must appoint a representative in Switzerland under revFADP Art. 14. Service providers exist for CHF 200–600 per month. Same shape as the GDPR Art. 27 representative — different jurisdiction, separate appointment.

3. Tighten profiling consent flows for Swiss users

AI scoring, recommendation systems, and behavioural analytics that process Swiss users need explicit consent — not legitimate interest, not contract necessity — under revFADP. Add a Swiss-specific consent layer in the cookie banner / signup flow that triggers when you detect a Swiss IP or address. Most CMP tools (Usercentrics, OneTrust, Cookiebot) support this geo-routing natively.

4. Update employment contracts of senior data + AI roles

Roles with personal criminal exposure under revFADP (CISO, DPO, AI-system owner, Head of Data) need an indemnification clause + criminal-defence cost coverage in your D&O policy. Standard D&O often excludes criminal proceedings — confirm in writing with your insurer. Cost: CHF 0–2,000 in policy adjustments per role per year.

5. Set up a separate FDPIC breach-notification channel

Your existing GDPR breach SOP routes to the lead supervisory authority. Switzerland's FDPIC is a separate channel: incidents involving Swiss data subjects must be reported to the FDPIC "as soon as possible" (interpreted as 72 hours). Add a step to your incident response runbook: parallel notification, not sequential.

Decision matrix by company setup

Three setups cover ~95 % of SMEs we work with. The right play differs sharply between them — picking the wrong one means either over-spending on representatives and consents you don't legally need, or under-spending and carrying personal liability for senior people.

| Setup | Primary regime | What you must add | What you can skip |
|---|---|---|---|
| Swiss-only (no EU customers) | revFADP | FDPIC reporting, criminal-liability D&O coverage, Swiss-law DPA templates | Mandatory DPO, 4 % global-turnover penalty modelling, EU-Rep |
| Swiss + EU (most common SME) | Both — stricter wins | All five revFADP-specific items above + GDPR compliance, plus Swiss representative | Almost nothing — this is the most demanding setup |
| EU primary, occasional CH exposure | GDPR with revFADP overlay | DPA Swiss addendum, geo-routed consent for CH IPs, FDPIC breach channel | Swiss representative if you process <CHF 250k turnover from CH (low-volume threshold) |

5 common mistakes companies make at the FADP/GDPR seam

From audit work and onboarding conversations across Swiss + EU SMEs in 2025/2026, the same five mistakes recur. Three of them get caught only in an audit — at which point fixing them is 10× the cost of avoiding them upfront.

The cost of treating revFADP as GDPR-lite isn't the audit fine. It's the senior data-protection candidate who reads the criminal-liability clause and walks away from your offer.

— From audit work with Swiss + EU SMEs, 2025–2026

5 rules for FADP + GDPR for AI

GDPR maturity gives you ~85 % of revFADP. The remaining 15 % is where audits hit — don't skip it.

Build to EU AI Act high-risk requirements, even in Switzerland-only operations. The Swiss law will land at or above EU level.

Personal criminal liability is real. Adjust senior contracts and D&O cover before you make offers in Switzerland.

Confirm Swiss-US DPF extension for any US AI vendor processing Swiss subjects' data. EU-only certification is not enough.

Use the 12–24 month Swiss AI-Act-gap as a deployment window — not as a permanent exemption.