Darf ich ChatGPT für Kundendaten nutzen?

Ja, ABER: 1) Enterprise-Plan nutzen (nicht Free/Plus - die haben keine AVV-Option), 2) AVV mit OpenAI abschliessen, 3) Keine hochsensiblen Daten (Gesundheit, Finanzen) ohne Anonymisierung, 4) Kunden informieren (falls KI Entscheidungen trifft). Für sensible Branchen: Lieber EU/CH-Alternativen (Claude EU, Infomaniak EURIA).

Was ist ein AVV und brauche ich einen?

AVV = Auftragsverarbeitungsvertrag. Pflicht (DSGVO Art. 28), wenn ein Dienstleister (z.B. OpenAI, Google) personenbezogene Daten für Sie verarbeitet. Inhalt: Datenschutz-Massnahmen, Subunternehmer-Liste, Löschpflichten. Die meisten KI-Anbieter bieten AVVs an (Enterprise-Pläne) - einfach anfordern und unterschreiben.

Sind Open-Source-LLMs automatisch DSGVO-konform?

Nein! Auch Self-Hosted LLMs (Llama, Mistral) müssen DSGVO-konform betrieben werden: EU/CH-Server, sichere Infrastruktur, Zugriffskontrolle, Logs. Vorteil: Volle Datenkontrolle (nichts verlässt Ihr System). Nachteil: Sie sind verantwortlich für Security, Updates, Backups.

Was ist der EU AI Act und betrifft er die Schweiz?

EU AI Act (ab 2025): Reguliert KI-Systeme nach Risiko (minimal, begrenzt, hoch, unakzeptabel). Hochrisiko (z.B. Kredit-Scoring, Bewerbungsauswahl): Strenge Auflagen. Schweiz ist NICHT direkt betroffen, aber: Wenn Sie mit EU-Kunden arbeiten oder EU-Daten verarbeiten, müssen Sie compliant sein.

AI & GDPR: Compliance-Safe in Switzerland

AI vs. Data Protection: The Dilemma

Scenario: You use ChatGPT to analyze customer data. An employee copies email addresses, names, purchase history into the prompt.

Problem: This data ends up on OpenAI servers in the USA. Without DPA. Without customer consent. GDPR violation.

Consequence: Fines up to CHF 250,000 (FADP) or 4% of annual revenue (GDPR).

The good news:

With the right tools and processes, you can use AI in compliance with data protection - even in regulated industries.

The 3 Compliance Pillars

Pillar 1: Tool Choice - Where does your data end up?

3 Options:

Option A: US tools with Data Privacy Framework

OpenAI ChatGPT (certified since Sept. 2024)
Anthropic Claude (EU data centers available)
Google Gemini (multi-region support)
Requirement: Sign DPA, Enterprise plan, no sensitive data

Option B: EU-hosted tools

Aleph Alpha (Germany)
Mistral AI (France)
Advantage: GDPR compliance out-of-the-box
Disadvantage: Partially more expensive, fewer features

Option C: Swiss hosting (highest security)

Infomaniak EURIA (Swiss LLM)
Custom deployment via schnellstart.ai (Self-hosted LLMs)
Ideal for: Healthcare, finance, lawyers

Pillar 2: Process Design - Human-in-the-Loop

Never let AI decide alone for:

Personal data (GDPR Art. 22 - automated individual decisions)
Contract conclusions, terminations, rejections
Creditworthiness assessments, insurance classifications

Rule: AI suggests, human decides.

Pillar 3: Documentation - Proof obligation

What you must document:

Record of processing activities (GDPR Art. 30)
Data Processing Agreements (DPA) with all AI providers
Data Protection Impact Assessment (DPIA) for high-risk use
Employee training (when can they use AI, when not?)

Industry-specific requirements

Healthcare (KVG, HMG)

Requirement: Patient data only on Swiss servers
Solution: Infomaniak EURIA, Self-hosted LLMs
Use case: Summarize medical letters (AI writes, doctor checks)

Financial services (FINMA)

Requirement: Transparency, traceability, risk controls
Solution: EU LLMs + audit logs + human approval
Use case: Fraud detection (AI detects anomalies, compliance checks)

Lawyers & Fiduciaries

Requirement: Professional secrecy, client confidentiality
Solution: Swiss hosting or EU with strict data separation
Use case: Contract analysis (AI marks risks, lawyer decides)

Practice checklist: Is your AI use compliant?

1. Document data flow

What data does AI process? (Names, emails, sensitive info?)
Where does the data end up? (USA, EU, Switzerland?)
Who has access? (AI provider, subcontractors?)

2. Check DPA

Do you have a DPA with every AI provider?
Does it include: Data deletion, subcontractor list, EU standard contractual clauses?

3. Train employees

Does everyone know which data does NOT belong in ChatGPT?
Are there clear guidelines? (e.g. "No customer names, only anonymized data")

4. Ensure Human-in-the-Loop

Does AI ever make decisions without human approval?
If yes: Conduct DPIA + inform customers

Your next steps:

Document data flow for your AI tools (30 min with ChatGPT/Claude)
Check DPAs with all providers (if missing: request)
Create employee guidelines (1-page checklist is enough)
If high-risk area: Conduct DPIA or involve data protection consultant

Further resources

EDÖB Switzerland - Data Protection Commissioner
schnellstart.ai Compliance Audit
lhubertreuhand.ch - GDPR-compliant fiduciary processes

About schnellstart.ai: We help Swiss SMEs use AI compliantly - from tool selection through DPAs to data protection audits.