DPO and Swiss FADP in the face of AI: practical obligations for Swiss SMEs (2026)
The role of the Data Protection Officer (DPO) in AI projects in Swiss SMEs: Swiss FADP Art. 8, mandatory DPIA, register of automated processing, FDPIC audit.
The Data Protection Officer (DPO), called a data protection advisor in the Swiss FADP (Art. 10), has become an indispensable actor in AI projects at Swiss SMEs since the revised Swiss FADP (nFADP) entered into force on 1 September 2023. This practical guide is aimed at DPOs, SME executives and AI project managers who want to integrate compliance from the outset rather than retrofit it.
For the general context: pillar guide on AI automation for Swiss SMEs.
1. DPO in Switzerland: when is one mandatory?
The Swiss FADP does not oblige private companies to appoint a data protection advisor: under Art. 10 the appointment is voluntary for private controllers (it is mandatory only for federal bodies). Appointing one still pays off: if the advisor meets the independence and expertise conditions of Art. 10 and has been consulted on a DPIA, the SME may forgo the otherwise required consultation of the FDPIC when a residual high risk remains (Art. 23 para 4). One is strongly recommended when:
- Sensitive data within the meaning of Art. 5 let. c is processed regularly (health, religious or political views, genetic or biometric data, criminal proceedings).
- The company has more than 50 employees with extensive digitalised processing.
- Clients or employees are profiled automatically, in particular where this amounts to high-risk profiling (Art. 5 let. g).
- AI projects process personal data.
2. The 7 DPO obligations linked directly to AI
Obligation 1 — Register of processing activities (Art. 12 Swiss FADP)
Mandatory content (Art. 12 para 2): identity of the controller, purpose of the processing, categories of data subjects and of personal data, categories of recipients, retention period or the criteria for determining it, a description of the security measures under Art. 8 and, for disclosure abroad, the country and the safeguards relied on. Companies with fewer than 250 employees whose processing carries only a low risk are exempt (Art. 12 para 5, implemented in the Data Protection Ordinance); an SME running AI on sensitive data or high-risk profiling loses that exemption, so each AI tool should have its own register entry, including the AI provider as recipient.
Obligation 2 — Data Protection Impact Assessment (DPIA, Art. 22 Swiss FADP)
Mandatory whenever the processing may entail a high risk to the personality or fundamental rights of data subjects; Art. 22 para 2 cites extensive processing of sensitive data and systematic monitoring of public areas. Typical AI triggers at an SME: customer-facing chatbots, agents taking semi-automated decisions, AI in HR (screening, evaluation), video analysis. If the DPIA leaves a residual high risk, the FDPIC must be consulted before processing starts (Art. 23), unless the data protection advisor was consulted (see section 1).
Obligation 3 — Information to data subjects (Art. 19 and Art. 21 para 1 Swiss FADP)
Clear and accessible information when personal data is collected (Art. 19: identity of the controller, purpose, recipients, countries of disclosure abroad), plus a specific notice whenever a decision is taken exclusively by automated means and has legal effects or significantly affects the person (Art. 21 para 1). A privacy notice that does not mention the AI tools in use does not satisfy this obligation.
Obligation 4 — Right to be heard and to human review (Art. 21 para 2 Swiss FADP)
For automated individual decisions the data subject may state their point of view and request that the decision be reviewed by a natural person. Implement a simple procedure: a "speak to a human" button, a documented review request process, a named reviewer with the authority to overturn the decision, and documented response deadlines.
Obligation 5 — Technical security (Art. 8 Swiss FADP)
Art. 8 requires technical and organisational measures appropriate to the risk, for controllers and processors alike. For AI tooling this means at least: encryption in transit and at rest, hosting in Switzerland or in a country on the Federal Council's adequacy list (Art. 16), least-privilege access management with named accounts, regular rotation of the API keys and tokens used to call AI providers, access and prompt logging, and a check that prompts and uploaded documents are not used by the provider to train its models.
Obligation 6 — AI sub-processors (Art. 9 and Art. 16–17 Swiss FADP)
Every AI provider that processes personal data on the SME's behalf is a processor: a contract (DPA) is required with each of them (OpenAI, Anthropic, Mistral, Microsoft, Google), and the provider may only engage sub-processors with the SME's prior approval (Art. 9 para 3). Where the provider processes data outside Switzerland, verify that the country offers adequate protection under the Federal Council's list or that appropriate safeguards such as standard contractual clauses are in place (Art. 16 para 2). Map all data flows between the SME and each AI tool, including what leaves the country and what the provider retains.
Obligation 7 — Breach notification (Art. 24 Swiss FADP)
Notify the FDPIC as soon as possible when a breach is likely to result in a high risk to the personality or fundamental rights of data subjects; the FADP sets no fixed deadline, so a 72-hour internal target aligned with the GDPR is a sensible practice. Inform the affected persons when this is needed for their protection or when the FDPIC requests it (Art. 24 para 4), and document every breach internally, including those judged not notifiable. A processor, including an AI provider, must notify the controller of any breach (Art. 24 para 3), which the DPA should spell out with a deadline.
3. Internal DPO vs. external DPO for a Swiss SME
| Criterion | Internal | External |
|---|---|---|
| Cost | Part-time or full-time employee | Monthly retainer |
| Business knowledge | High | More distant |
| Independence | Harder to guarantee | High |
| Relevant for | SME 50+ | SME 5–50 |
4. Conclusion
A well-integrated DPO is an accelerator rather than a brake for AI projects in Swiss SMEs. They secure the legal foundation, reassure clients, prepare the SME for an FDPIC investigation and allow it to communicate compliance as a commercial differentiator.