TL;DR: The revised nLPD (also known as FADP in English), effective from September 1, 2023, combined with the extraterritorial effect of the European AI Act from August 2026, creates a three-tier framework for any Swiss company operating a voice AI agent: the right to know one is speaking to a machine, transparency obligations, sovereign hosting. Banks, law firms, and SMEs in the Romandy region must establish a compliance matrix before summer 2026. VOCALIS AI provides pre-configured technical and legal components, with EU hosting and native nLPD compliance.
Analysis intended for Swiss DPOs, legal departments of SMEs/ETIs in Switzerland, compliance officers of banks and law firms in the Romandy region. Publication April 20, 2026 · Approved by Laurent Duplat, Publishing Director VOCALIS AI.
The revised nLPD / FADP since September 2023
The new Federal Act on Data Protection (nLPD in French, FADP in English) came into effect on September 1, 2023. It modernizes the Swiss framework based on the GDPR model while preserving important Swiss specificities. The supervisory authority is the Federal Data Protection and Transparency Officer (PFPDT).
For a Swiss company operating a voice AI agent, four nLPD pillars structure compliance: prior information, proportional consent, processing register (>250 employees or sensitive processing), notification of breaches as soon as possible. Analyses from Digicomp on nLPD vs GDPR + AI Act and ICTjournal on the LPD applied to AI confirm this interpretation.
Scope of application to voice AI agents
A voice AI agent processes three categories of high-stakes nLPD data:
- Audio recording: personal data as defined by art. 5 let. a nLPD
- Conversation transcription: personal data + potentially sensitive (health, opinions, financial situation)
- Voice biometrics: sensitive data as defined by art. 5 let. c ch. 4 nLPD, requiring explicit consent
The firm BCG Switzerland estimates that 62% of Swiss SMEs deploying a voicebot in 2025-2026 have not formalized the legal basis for voice biometric processing. This is a documented risk for the PFPDT that could lead to sanctions.
Right to know one is speaking to a machine
The nLPD does not contain an explicit article on "AI information" like the AI Act art. 50. However, three provisions stack up to create this obligation de facto:
- Art. 19 nLPD: obligation of prior information during collection
- Art. 21 nLPD: automated individual decisions (notification + right to object)
- Extraterritorial effect of the AI Act for any Swiss company addressing EU residents
Practically: a Swiss voice AI agent must announce its AI nature at the beginning of the call, inform the interlocutor about the purpose, and offer access to a human if requested.
Identifiable voice modification: specific obligations
If your voicebot clones a real human voice (voice cloning for spokespersons, executives), two additional obligations apply:
- Explicit and documented consent from the source person
- Transparency AI Act art. 50 §4 (disclosure of "deep fake")
Vocalis offers controlled voice cloning + integrated consent log, compliant with PFPDT recommendations.
Differences FADP vs GDPR: comparative table
| Criterion | GDPR (EU) | nLPD/FADP (CH) |
|---|---|---|
| Legal basis | Consent + 5 other bases | More flexible principle + increased obligations on sensitive data |
| Processing register | Mandatory from 1 processing | Threshold: 250 employees or high risk |
| DPO mandatory | Yes in defined cases | Data protection advisor recommended |
| Max sanctions | €20M or 4% of global turnover | CHF 250,000 to the responsible person |
| Voice biometrics | Art. 9 GDPR | Art. 5 let. c ch. 4 nLPD |
| Notification of breach | 72 hours to the supervisor | "As soon as possible" to the PFPDT |
| Transfers outside CH/EU | Standard clauses + DPA | Adequate country or contractual guarantees |
AI Act and extraterritorial effect on Swiss SMEs
Many Swiss leaders believe the AI Act does not concern them. This is a mistake. The European regulation applies to "outputs" used in the EU: as soon as a Swiss voicebot interacts with EU residents (outgoing calls to France, German clients, Italian tourists), it falls within the scope.
For example, for a high-end jewelry store in Geneva that receives 40% of its calls from European tourists, or for a private bank in Romandy with EU clientele, both frameworks overlap.
Hosting: Switzerland vs EU vs outside EU
The nLPD does not require hosting to be located in Switzerland. The applicable law is that of the adequate country. Specifically:
- Swiss hosting: ideal for sensitive data, maximum sovereignty
- EU hosting (Frankfurt, Paris, Dublin): recognized as adequate by the PFPDT
- US hosting: possible but requires enhanced contractual guarantees (SCC) and is exposed to the CLOUD Act
VOCALIS AI combines EU stack (AWS eu-west-1 Paris) + European bare-metal H100, ensuring a fully recognized regime by the PFPDT, detailed in our analysis sovereignty + bare-metal H100 FADP.
Priority sectors in Romandy
- Private banking and wealth management: sensitive financial data, FINMA requirement, see bank-insurance offer
- Law firms and notaries: professional secrecy, see legal professions offer
- Medical practices and clinics: health data, see medical practice and hospital offer
- Luxury real estate agencies: asset data, see real estate agency offer
- Watchmaking and jewelry: high-end client data, see jewelry-watchmaking offer
FADP checklist for a voice AI agent
Minimum validation before deployment on Swiss soil:
- Prior information nLPD art. 19 integrated into the opening script
- Documented voice biometric consent (art. 5 let. c ch. 4)
- DPA signed with the voicebot provider, annex for transfers outside CH if applicable
- Processing register if >250 employees or high risk
- DPIA if sensitive processing
- Notification procedure for breaches to the PFPDT as soon as possible
- Access, rectification, and deletion rights operational within 30 days
- Hosting in an adequate area (CH, EU)
- Exportable decision logs and configurable retention (see GDPR security docs)
- Cross-check AI Act if EU clientele (see article 50 AI Act voice agents)
Citations from authorities and firms
According to the analysis Deloitte Switzerland Digital Trust 2026, Romandy SMEs that anticipate nLPD + AI Act compliance before Q3 2026 reduce their compliance costs by 37% compared to latecomers. The report McKinsey Global Institute on the value of generative AI confirms the competitive advantage of early compliance: +11% on NPS and +6% on customer retention.
VOCALIS AI: FADP + AI Act + GDPR compliance by design
Our platform is operated by VOCALIS AI from an EU infrastructure (AWS eu-west-1 Paris + bare-metal H100). Swiss clients benefit from:
- DPA signed nLPD-compliant + voice biometric annex
- AI Act art. 50 opening script + nLPD art. 19 information pre-configured
- Sector-specific agents pre-set for bank-insurance, lawyers-notaries, medical practices
- Sovereign EU hosting recognized as adequate by the PFPDT
- French-speaking + multilingual support (FR-CH, IT, DE, 40+ languages)
To learn more about our sovereign approach: comparison of voice AI in Switzerland and nLPD and benchmark VOCALIS vs Fonio AI Switzerland.
FAQ: FADP / nLPD and Voice AI in Switzerland
Does the nLPD require hosting in Switzerland?
No: hosting in an adequate country (EU, UK post-adequacy) is accepted. Switzerland remains recommended for very sensitive data (health, defense, private banking).
Is a voice AI agent considered as "automated processing" under art. 21 nLPD?
Yes, as soon as it makes a decision (e.g., qualifying a lead, refusing a callback). The interlocutor has a right to information and objection.
Is consent required to record a call in Switzerland?
Yes, unless there is a justification for legitimate interest. In all cases, prior information is mandatory (art. 19 nLPD + 179 CP on recording without consent).
What are the sanctions for nLPD violations?
Up to CHF 250,000 for the responsible individual. Sanctions target individuals, not the company, which directly engages the executive.
Is a VOCALIS voicebot PFPDT-ready?
Yes: DPA, register, DPIA template, compliant script, adequate EU hosting. Our teams assist Romandy law firms with complete documentation.
How to manage an EU client and a Swiss client on the same agent?
A multi-jurisdictional script + differentiated consents + logs separated by jurisdiction. VOCALIS offers this natively.
What about voice biometric data (art. 5 let. c ch. 4)?
Processing is subject to explicit and documented consent. Our DPA includes the pre-drafted voice biometric annex.


