Compliance · Switzerland · 2026-05-23 · 9 min read

Swiss FADP and Chatbots: the 2026 Compliance Checklist

intoCHAT Team

If your business operates in Switzerland and runs a chatbot — on your website, on WhatsApp, on Messenger, anywhere — you are processing personal data under the revised Swiss Federal Act on Data Protection (revDSG, often referred to as nFADP). In force since 1 September 2023, it brings Swiss data protection broadly in line with the EU's GDPR, with some specifically Swiss expectations. This article is a practical compliance checklist — not legal advice, but the kind of due-diligence framework a Swiss procurement or legal team will use.

What changed with the revised FADP?

The revised FADP modernised Switzerland's data protection regime, broadly aligning it with GDPR while keeping some Swiss-specific characteristics. The main changes that affect chatbot deployments include:

  • Broader definition of personal data — including chat transcripts that contain identifiers, IP addresses, and identifiable patterns of behaviour.
  • Privacy by design and default — vendors should ship with privacy-protective defaults rather than requiring you to harden them.
  • Mandatory data processing inventory — every processing activity, including chatbot conversations, should be documented.
  • Stricter rules for cross-border transfers — transfers to countries without an "adequate level" of protection require additional safeguards.
  • Higher penalties — fines up to CHF 250,000 for natural persons (not just companies).

Personal data in chatbot conversations

A chatbot conversation almost always contains personal data — even when no name or email is asked for. IP addresses are personal data. Browser fingerprints are personal data. Free-text messages that reveal medical, financial, or legal information are personal data, often of the "sensitive" kind that triggers heightened obligations.

That means every chatbot deployment needs: a documented lawful basis for processing, a retention policy with a defined deletion schedule, a way for users to exercise their access and deletion rights, and a privacy notice that discloses the chatbot, what it collects, and what is done with that data.

Data residency — where can conversations live?

The revised FADP does not require data to be stored in Switzerland. It does require that transfers to countries without "adequate" protection (as recognised by the Swiss Federal Council) include additional safeguards — typically standard contractual clauses, supplementary measures, or binding corporate rules.

In practice, most Swiss businesses choose EU-region storage (which the Swiss Federal Council recognises as adequate) or Swiss-region storage for enterprise deployments. US-region storage requires more paperwork and is harder to justify to a Swiss data-protection officer. Ask vendors explicitly where conversation data is stored at rest.

Data Processing Agreement (DPA)

If a vendor processes personal data on your behalf — and a chatbot vendor almost always does — you need a Data Processing Agreement. The DPA should specify: the categories of data processed, the purposes, the duration, the sub-processors, the security measures, the breach-notification process, and the rights of the data subject. Any vendor that cannot provide a signed DPA on request should be considered a compliance risk.

Audit logging and retention windows

For regulated industries (banking, insurance, healthcare, legal, pharma — common categories in Switzerland), audit logging of every conversation and every system action taken on a customer's behalf is increasingly an expectation. The relevant questions to ask: are audit logs exportable, are they tamper-evident, and what is the retention policy?

Retention windows should be configurable per data category. A typical Swiss configuration might keep conversation transcripts for 90 days, qualified-lead data in the CRM for the duration of the customer relationship, and anonymised analytics indefinitely. Whatever you choose, document it.
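An added example (not intoCHAT's code) of the per-category retention schedule described above, expressed as a deletion-eligibility check that a scheduled job could run; the category names, sample records and reference date are constructed assumptions, and "indefinite" retention is only modelled for data that has already been anonymised.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention rule per data category (constructed, mirroring the schedule above).
# int   -> delete N days after the record was created
# "relationship" -> keep while the customer relationship is open, delete once it ends
# None  -> retain indefinitely (only defensible for genuinely anonymised data)
RELATIONSHIP = "relationship"
RETENTION = {
    "transcript": 90,
    "lead": RELATIONSHIP,
    "anonymised_analytics": None,
}

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    relationship_ended: Optional[date] = None  # only meaningful for "lead"

def is_expired(rec: Record, today: date) -> bool:
    """True if the documented retention window for this record has elapsed."""
    if rec.category not in RETENTION:
        # An unclassified record has no documented basis for being kept or
        # deleted: surface it to a human instead of silently guessing.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    rule = RETENTION[rec.category]
    if rule is None:
        return False
    if rule == RELATIONSHIP:
        return rec.relationship_ended is not None and rec.relationship_ended <= today
    return rec.created + timedelta(days=rule) <= today

def records_to_delete(records, today: date):
    """IDs whose retention window has passed; the caller logs each deletion."""
    return sorted(r.record_id for r in records if is_expired(r, today))

# Constructed sample data and reference date for a dry run.
TODAY = date(2026, 5, 23)
SAMPLE_RECORDS = [
    Record("t-1", "transcript", date(2026, 2, 1)),            # >90 days old
    Record("t-2", "transcript", date(2026, 3, 1)),            # inside 90 days
    Record("lead-7", "lead", date(2025, 1, 10), date(2026, 4, 30)),  # relationship ended
    Record("lead-8", "lead", date(2024, 6, 1)),               # still a customer
    Record("an-1", "anonymised_analytics", date(2020, 1, 1)), # kept indefinitely
]

if __name__ == "__main__":
    print(records_to_delete(SAMPLE_RECORDS, TODAY))
```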

Cross-border data transfers and AI model providers

AI chatbots typically use large language models hosted by major providers (OpenAI, Anthropic, Google, Mistral). These providers operate globally, which means conversation data may transit the US or other jurisdictions. The compliance question is whether the data is sent in identifiable form, what controls exist (encryption, data minimisation, opt-out from training), and whether the contractual chain (your vendor → model provider) is documented.

For sensitive deployments — private banking, healthcare, legal — many Swiss firms now require EU-hosted model endpoints, where the data never leaves European jurisdiction. Ask vendors about this explicitly.

The practical compliance checklist

  • Signed Data Processing Agreement (DPA) on file.
  • Conversation data stored in EU or Swiss region — documented at the contract level.
  • Retention policy defined per data category, with an automatic deletion mechanism.
  • Privacy notice updated to disclose the chatbot, what it collects, and the lawful basis.
  • User rights (access, deletion, rectification) operationalised — not just stated.
  • Audit log enabled, exportable, retained per regulatory requirements.
  • Cross-border AI-model usage understood and documented; sensitive deployments use EU-hosted endpoints.
  • Vendor security posture reviewed — at minimum encryption at rest and in transit, SSO for admin access, role-based access for the dashboard.
  • Incident response and breach notification process agreed.

For Swiss businesses ready to start

intoCHAT is designed for the Swiss compliance environment from the ground up — revDSG-aligned data processing, EU-region hosting by default with Swiss-region available on enterprise, DPA signed at contract, and audit logging on every plan. See the AI chatbot for Switzerland page for an overview, or the AI agent for Switzerland page if you need enterprise-grade controls (SSO, RBAC, configurable approval gates per action).

This article is informational and not legal advice. For a binding interpretation of revDSG as it applies to your specific business, consult a Swiss data-protection lawyer.