Data protection in Switzerland is not the GDPR (but it looks like it)
Switzerland has its own law: the revised Federal Act on Data Protection — revFADP in English, also known as revDSG in German and nLPD in French — has been in force since 1 September 2023. It is not the European GDPR, but it closely resembles it.
The principles are familiar: lawfulness and transparency of processing, data minimisation, security, and strong accountability for whoever processes the data. Companies must keep a record of processing activities, notify breaches to the Federal Data Protection and Information Commissioner (FDPIC) and, in several cases, carry out an impact assessment.
The practical difference for those adopting AI does not lie in the principles but in a cultural sensitivity: in Switzerland, data residency and confidentiality carry more weight than elsewhere. Before sending a single document to an AI model, a Swiss bank or pharmaceutical company wants to know exactly where that data ends up and who can see it.
The real sticking point with AI: where the data ends up
When you use a language model, the question that matters is this: is my data used to train the model, and where is it processed?
This is where many Swiss companies get stuck. The fear — often legitimate for free consumer tools — is that confidential data ends up in the model's training or on servers whose jurisdiction is unknown. For a company bound by banking or professional secrecy, that is a risk you cannot take.
The good news is that this concern, with the right enterprise tools, is solvable at the contractual and architectural level. It is not a matter of blind trust: it is a matter of written guarantees and deployment choices.
Claude and compliance: what Anthropic actually offers
With Claude, the levers for compliance are there, and they are concrete.
No training on company data: on the Claude for Work plans (Team and Enterprise) and via the API, Anthropic does not use the contents of conversations or API calls to train its models. It is a contractual guarantee, not a checkbox setting.
Data Processing Agreement and configurable retention: Anthropic provides a DPA and, on the enterprise and API plans, reduced or zero retention options for those who need them.
Choice of processing region: by using Claude through Amazon Bedrock or Google Vertex AI you can pin inference to specific European regions, keeping processing within the EU/EEA — recognised as adequate by Switzerland.
Enterprise controls: SSO, audit logs, role management and usage policies, which map directly onto the accountability requirements of the revFADP.
For the broader European picture see our guide on data sovereignty and AI in Europe and the one on Claude and the GDPR.
Banking secrecy, professional secrecy and health data
The three most sensitive Swiss sectors deserve specific attention.
Banks and wealth management: banking secrecy (Art. 47 of the Banking Act) and FINMA supervision impose strong caution. Sending identifiable client data to an external service requires minimisation (pseudonymisation or removal of identifiers), no-training guarantees and, ideally, processing in a controlled region. With these measures, document analysis, research synthesis and report preparation become viable.
Pharma and life sciences: pharmacovigilance data, clinical trials and health data are sensitive personal data. The same principles apply: minimisation, DPA, controlled deployment. We explore the topic in Claude for pharmacovigilance.
Law firms: attorney professional secrecy is almost absolute. The path is the same as for law firms: no identifiable data in prompts without the right guarantees, and an architecture that keeps control of the data.
A privacy-by-design architecture for Switzerland
Compliance is not bought: it is designed. A Claude deployment built for the Swiss context starts from four choices.
Data residency: choosing the access channel (direct API, Bedrock, Vertex) and the region according to where the data is allowed to sit.
Upstream minimisation: filtering and pseudonymising data before it reaches the model, so that sensitive data never leaves the perimeter.
Contracts and documentation: a signed DPA, an up-to-date record of processing activities and, where needed, a data protection impact assessment.
Control and traceability: audit logs, access management and internal usage policies.
On these pillars you build a system that an auditor — or FINMA — can verify. It is the same approach we take with the GDPR for companies: privacy-by-design, not a rubber stamp after the fact.
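One way to implement the upstream minimisation step described above, as an added example (not code from this article or from Anthropic). The three identifier patterns, the function names and the idea that the HMAC key and token mapping are held in an in-perimeter store are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumed identifier shapes for this example (extend per data inventory).
PATTERNS = {
    "AHV": re.compile(r"\b756\.\d{4}\.\d{4}\.\d{2}\b"),
    "IBAN": re.compile(r"\bCH\d{2}(?: ?[0-9A-Za-z]{4}){4} ?[0-9A-Za-z]\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

# Constructed sample; the numbers are specimen values, not a real client's.
SAMPLE = (
    "Client with AHV 756.1234.5678.97 (contact a.muster@example.ch) asks to "
    "move funds from CH93 0076 2011 6238 5295 7. "
    "Confirm IBAN CH9300762011623852957 by e-mail."
)


def pseudonymise(text: str, key: bytes) -> tuple[str, dict[str, str]]:
    """Replace identifiers with keyed tokens; the mapping never leaves the perimeter."""
    mapping: dict[str, str] = {}

    def substitute(kind: str, match: re.Match) -> str:
        value = match.group(0)
        canon = re.sub(r"\s", "", value).lower()  # same token for spaced/unspaced forms
        # Keyed HMAC, not a bare hash: an AHV number has only ~10^9 candidates,
        # so an unkeyed digest could be reversed by enumeration.
        tag = hmac.new(key, f"{kind}:{canon}".encode(), hashlib.sha256).hexdigest()[:12]
        token = f"[{kind}_{tag}]"
        mapping[token] = value
        return token

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: substitute(k, m), text)
    return text, mapping


def residual_identifiers(text: str) -> list[tuple[str, str]]:
    """Egress gate: anything still matching a pattern blocks the outbound call."""
    return [(k, m.group(0)) for k, p in PATTERNS.items() for m in p.finditer(text)]


def reidentify(text: str, mapping: dict[str, str]) -> str:
    """Restore original values in the model's answer, inside the perimeter."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text
```

Pattern matching only covers identifiers with a fixed shape; names and other free-text identifiers need separate handling before the prompt leaves the perimeter.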
How to get started, without risk
The practical path is simple and prudent.
You start with an assessment: which processes carry the most value, which data they touch, what level of sensitivity. Then a pilot on a low-risk use case — internal documentation, research, synthesis — with the right data and the right guarantees. You measure, you validate compliance, and only then do you scale.
Maverick AI supports Swiss companies — in Ticino, in the French-speaking region and in German-speaking Switzerland — along this path: from choosing a revFADP-compliant architecture through to implementation and team training. If you are evaluating Claude for your organisation, let's talk.