AI and the nFADP: what a Swiss SME must know before deploying

The nFADP isn't a reason to give up on AI; it's a framework to put in place from the design stage. Here, in plain terms and without legal jargon, are the five points that actually matter: where to host the data, how to mask the sensitive parts, what a DPA is, how long to keep data, and who is responsible for what.

Compliance is handled up front, not retrofitted

The new Swiss Federal Act on Data Protection (nFADP), which came into force in September 2023, governs the processing of personal data. Many leaders see it as an obstacle to AI. In reality, it's mostly a matter of sequence: if data protection is designed into the agent from the start, it's perfectly manageable for an SME. If it's tackled after the fact, you often have to rebuild everything. Here are the five concrete levers.

1. Hosting: Switzerland or the EU by default

The first question your customers, and the authority, will ask is: where does the data go? The sound answer for a Swiss SME is to host by default in Switzerland or the European Union, jurisdictions with adequate protection. In practice, that means providers like Infomaniak in Geneva for infrastructure, and choosing EU regions for third-party services. This avoids transfers to countries without a recognised level of protection, or strictly frames them when they're unavoidable. It's an architectural choice, to be made from the outset.

2. Masking personal data

Not everything that passes through a language model needs to contain personal data in the clear. The principle of minimisation requires sending only what's strictly necessary. Concretely, you mask or pseudonymise sensitive information (name, AVS number, contact details, health data) before it leaves your environment. The agent works on minimised data, and the real identity stays on your side. This limits exposure and considerably simplifies compliance.
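One way to implement the masking step described above, as an added example that is not part of the original article or of any HeyPapaya product: a small Python pseudonymisation layer that swaps names, AVS numbers, e-mail addresses and Swiss phone numbers for random tokens before a prompt goes to the model, keeps the mapping locally, and restores the real values in the reply. The regexes, token format, and the sample person and identifiers are assumptions constructed for the example.

```python
import re
import secrets

# Patterns for identifier types the article lists. The AVS pattern follows the
# 13-digit Swiss format 756.XXXX.XXXX.XX; the e-mail and phone patterns are
# deliberately simple illustrations, not exhaustive PII detectors.
PATTERNS = {
    "AVS": re.compile(r"\b756\.\d{4}\.\d{4}\.\d{2}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\+41|0)\s?\d{2}\s?\d{3}\s?\d{2}\s?\d{2}(?!\d)"),
}


class Pseudonymiser:
    """Swap personal data for random tokens before text leaves the SME's
    environment, and restore them in the reply. The mapping never leaves here."""

    def __init__(self, known_names=()):
        self.known_names = list(known_names)  # e.g. names pulled from your CRM
        self.forward = {}   # real value -> token
        self.backward = {}  # token -> real value

    def _token(self, kind, value):
        if value not in self.forward:
            tok = f"<{kind}_{secrets.token_hex(3)}>"  # random, not derived from value
            self.forward[value] = tok
            self.backward[tok] = value
        return self.forward[value]

    def mask(self, text):
        for kind, rx in PATTERNS.items():
            text = rx.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        for name in self.known_names:
            text = text.replace(name, self._token("NAME", name))
        return text

    def unmask(self, text):
        for tok, value in self.backward.items():
            text = text.replace(tok, value)
        return text


def demo():
    """Constructed sample: the person, AVS number, e-mail and phone are made up."""
    p = Pseudonymiser(known_names=["Anna Müller"])
    prompt = ("Client Anna Müller (AVS 756.1234.5678.97, anna.mueller@example.ch, "
              "+41 79 123 45 67) asks why her invoice was rejected.")
    masked = p.mask(prompt)  # this is all the model provider ever receives
    # A real deployment calls the model here; we fake a reply that echoes a token.
    reply = f"Dear {p.forward['Anna Müller']}, the invoice is attached."
    return masked, p.unmask(reply)
```

Because the tokens are random rather than hashes of the real values, the provider cannot correlate the same person across separate sessions unless you deliberately reuse a mapping.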

3. The DPA: the contract that frames processing

As soon as a provider processes personal data on your behalf, a data processing agreement (DPA) must frame the relationship. It sets out the purpose of the processing, the categories of data, the security measures, the authorised sub-processors, and the obligations in the event of an incident. It's not a decorative formality: it's the document that records that everyone knows what they do with the data. A serious AI deployment always comes with a signed DPA.

4. Retention: keep it only as long as it's useful

Keeping data indefinitely is both a risk and a compliance failure. The nFADP requires you to define retention periods proportionate to the purpose, then to delete or anonymise. For an AI agent, that means clear retention windows on conversations, transcripts and logs: you keep what serves quality and support, and purge the rest on a defined schedule. This, too, is set up from the start.

5. Controller vs processor: who decides, who executes

This is the most misunderstood distinction, and yet the one that shapes everything else. The controller is the one who decides why and how the data is processed: that's you, the SME. The processor is the one who carries out the processing on your behalf, following your instructions: that's your AI provider. This split determines responsibilities. At HeyPapaya, the model is explicit: you remain the controller, we are the processor, and the DPA puts that relationship on record.

A checklist before you deploy

  • Where will the data be hosted? (Switzerland / EU by default)
  • Which personal data passes through, and which can be masked or pseudonymised?
  • Is a DPA signed with the provider and its sub-processors?
  • What are the retention periods for conversations and logs?
  • Are the controller / processor roles written down in black and white?
  • How are the people concerned informed, and how are their access rights handled?

The good news for an SME

None of these points requires an army of lawyers. They require being set up from the design stage, by a partner who builds them in by default rather than bolting them on at the end. That's our approach: Swiss/EU hosting, masking, DPA and retention are part of the standard, not an option. The compliance strategy fits into a broader adoption effort; see our AI Strategy & Adoption service and our guide to AI for Swiss SMEs.

Disclaimer. This article is for information purposes and does not constitute legal advice. Compliance depends on your specific situation. For an analysis tailored to your case, consult a qualified legal advisor or a data protection specialist.

Whenever you're ready

Deploy AI, compliant from day one.

Book a 30-minute call. We look at your workflows and your data framework together, and you leave with three concrete agent ideas, nFADP-compliant.