Switzerland's revised Federal Act on Data Protection (nFADP, known in German as revDSG or nDSG, and colloquially as nLPD) entered into force on 1 September 2023. For legal professionals, it introduces obligations that go beyond previous requirements — and using digital tools in your practice without understanding them is no longer acceptable.
This article focuses specifically on what Swiss lawyers need to know when using AI-powered software, cloud storage, document management platforms, and communication tools.
What changed from the old FADP
The previous Swiss data protection framework dated to 1992. The nLPD brings Switzerland broadly in line with GDPR principles while maintaining Swiss specificity. Key changes relevant to legal professionals include:
- Mandatory data protection impact assessments (DPIA) for high-risk processing
- Explicit obligations around automated decision-making
- Stricter rules on cross-border data transfers outside Switzerland
- Mandatory breach notification to the FDPIC within 72 hours of awareness
- New rights for data subjects: right to data portability, right to explanation of automated decisions
How it applies to lawyers specifically
Lawyers are not exempt from the nLPD by virtue of professional secrecy. The two obligations coexist: you must protect client confidences under professional secrecy rules and comply with data protection law when processing personal data.
The key intersection is in practice management software. When you store client files, correspondence, court documents, or case notes in any digital system, you are processing personal data. If that system is provided by a third party — a SaaS vendor, a cloud storage provider, a dictation service — you are engaging a data processor.
Data processing agreements: what you need
Under the nLPD, where a lawyer (as controller) engages a software vendor (as processor), a data processing agreement (DPA) is required. This agreement must specify: the nature and purpose of processing, the categories of data involved, the technical and organisational security measures in place, sub-processor arrangements, and deletion obligations.
If your SaaS vendor cannot provide a compliant DPA — or if they store data outside Switzerland without adequate safeguards — you face potential nLPD liability.
Cross-border transfers and Swiss hosting
One of the most practically significant issues for Swiss lawyers is data transfers outside Switzerland. The nLPD requires adequate protection before personal data can be transferred abroad. The FDPIC maintains a list of countries deemed adequate.
In practice, this means that legal AI tools processing Swiss client data on servers in the US or EU require either an adequacy finding, standard contractual clauses, or binding corporate rules. Many international SaaS vendors have not adequately addressed Swiss-specific requirements — relying solely on GDPR compliance is not sufficient.
For this reason, Swiss-hosted solutions — where data is processed and stored within Swiss territory — represent the cleaner compliance path for law firms.
Practical checklist for legal tech compliance
Before deploying any digital tool in your practice, run through the following:
- Has the vendor provided an nLPD-compliant DPA?
- Where is data processed and stored — Switzerland, EU, or elsewhere?
- Has a DPIA been completed for high-risk processing (e.g., AI-assisted document analysis)?
- Are sub-processors disclosed and covered by appropriate agreements?
- What is the vendor's breach notification process and SLA?
- Can client data be deleted or exported on request?