Professional secrecy (Art. 321 SCC) and AI use: what lawyers, notaries, physicians and auditors must observe
Art. 321 SCC forbids disclosure of professional secrets. Cloud LLM use can be such a disclosure. When AI tools remain admissible.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What does Art. 321 SCC regulate?
Art. 321 of the Swiss Criminal Code protects professional secrecy. The list is exhaustive: clergy, attorneys, defenders, notaries, patent attorneys bound by law, physicians, dentists, chiropractors, pharmacists, midwives, psychologists and their auxiliary staff. Anyone who discloses a secret entrusted to them by virtue of their profession is liable to a custodial sentence of up to three years or a monetary penalty. The offense is prosecuted on complaint; the entitled person must file the complaint.
Fiduciaries are NOT in the Art. 321 catalogue. Confidentiality obligations for fiduciaries still exist, but from other sources: the auditor secret under Art. 730b CO for licensed auditors, the banking secret under Art. 47 BA for bank staff, contractual NDA, data-protection duties under revFADP, and professional-association rules (Treuhand Suisse, EXPERTsuisse). Where a person is doubly qualified as lawyer and fiduciary, the stricter Art. 321 standard applies to data entrusted in the lawyer role.
What counts as a "secret"? Under doctrine and the Federal Supreme Court (BGE 137 IV 269), any fact that is not generally known, that the entitled person has a protection-worthy interest in keeping confidential, and that the secret-holder learnt in the course of their professional activity. The threshold is low: identity of a client, draft contracts, marital property regimes, diagnoses, tax situation, liquidity problems of a SME.
Why AI use touches the secret
Anyone typing client data into a cloud LLM prompt transmits it to a third party. OpenAI, Anthropic, Google are US companies with US servers; Mistral and Aleph Alpha are EU providers. Whether that transmission counts as "disclosure" under Art. 321 SCC has been actively debated in Swiss doctrine since 2023.
The prevailing view (Thouvenin, Schwarzenegger, Schiller – opinion for SAV 2021; Bracher-Suter commentary 2024) classifies the LLM provider as an auxiliary person under Art. 321 para. 1 no. 1 SCC – by analogy with the cloud doctrine. Disclosure to an auxiliary person is NOT an offence, BUT only under preconditions: (a) the secret-holder supervises the auxiliary, (b) the auxiliary is contractually bound to confidentiality and can exonerate the secret-holder, (c) the auxiliary has its own confidentiality structure compatible with professional secrecy. With a US provider subject to the CLOUD Act, these conditions can only be met through significant technical and contractual measures.
The SAV guideline "AI in legal practice" from 14 June 2024 (updated May 2026 for the Zurich Lawyers Day) accordingly formulates the principle: client-identifying data may only enter cloud LLMs if (a) the client has explicitly consented, or (b) the data is pseudonymised before transmission, or (c) the provider can contractually and technically guarantee no US-authority access. In practice, only variant (b) or the use of EU/CH-hosted models (Mistral on Hetzner, Aleph Alpha PhariaAI, or self-hosted Llama 3.1 / Qwen) is workable.
How an Art. 321-compliant AI setup looks
Four building blocks are needed in practice.
Data classification: Before AI processes mandate-relevant data, the firm or practice classifies its data categories. Client name, unique case numbers, person identifiers, diagnoses are Art. 321 data. Generic texts without reference (standard contract, published court judgment, textbook text) are free. A classification matrix is a precondition of any compliance architecture.
Routing: The multi-LLM gateway (see Multi-LLM Routing Strategies) decides per request which model is addressed. Art. 321 data only goes to models in the class "EU/CH-hosted" or "local" – typically Mistral Large 2 on Hetzner FSN1, Aleph Alpha PhariaAI on Swiss infrastructure, or Llama 3.1 70B / Qwen 2.5 72B on-prem. Cloud-US models (OpenAI, Anthropic, Google) are blocked for this class.
Pseudonymisation: Where a stronger cloud model is unavoidable, a pseudonymisation layer is inserted before transmission. Proper names, addresses, dates of birth, AHV numbers are replaced by placeholders. Re-substitution happens locally after the model response is received. Tools: Microsoft Presidio (open source), custom regex pipelines, or specialised solutions like privatGPT.
Data processing agreement: Every LLM provider that even sees pseudonymised secrecy-protected data needs a contract containing EDÖB-conforming processor clauses, plus a sub-processor list, plus an obligation to state-of-the-art security measures. OpenAI has offered a "Zero Data Retention" add-on since May 2024; Anthropic via Workspace contract with BAA options; Mistral by default EU-hosted.
Audit-ready documentation of the setup (data classification, routing policy, pseudonymisation test, contract status) is part of the duty of care. In a criminal investigation against a lawyer for Art. 321 SCC violation, this documentation is the main exculpation evidence.
Art. 321 SCC compliance workflow in 6 steps
- 01 Create a data classification: which categories are Art. 321 data, which revFADP personal, which free?
- 02 Define multi-LLM routing: Art. 321 class → EU/CH/local only. Other classes → cloud models with ZDR contract.
- 03 Build a pseudonymisation layer: Presidio + custom patterns for AHV, IBAN, CH case numbers, first-name lists.
- 04 Add a client clause in the power of attorney: information + consent for AI use with provider list.
- 05 File data-processing agreements: per provider keep DPA, sub-processor list, security certificates.
- 06 Set up an audit trail: log every AI request with date, class, model, pseudonymisation status (see AI Audit Trail Design).
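The four building blocks and the six-step workflow above, reduced to one runnable gateway sketch: classification by identifier patterns, class-based routing that blocks cloud-US models for Art. 321 data, a placeholder pseudonymisation layer with local re-substitution, and an audit entry per request that records class, model and pseudonymisation status but never the content. This is an added example, not code from the page or from any tool it names (Presidio, a gateway product); the identifier patterns, client list, model labels and the case-number format are constructed assumptions, and the `send` callable stands in for the real model call so the sketch runs offline.

```python
import re
from datetime import datetime, timezone

# Constructed stand-in for the firm's own first-name / client list (assumption).
KNOWN_CLIENTS = ["Anna Muster", "Peter Beispiel"]

# Detection patterns for the categories named in the text. AHV and CH-IBAN follow the real
# formats; the case-number format is a constructed assumption.
PATTERNS = {
    "AHV": re.compile(r"\b756\.\d{4}\.\d{4}\.\d{2}\b"),
    "IBAN": re.compile(r"\bCH\d{2}(?: ?[0-9A-Z]{4}){4} ?[0-9A-Z]\b"),
    "CASE": re.compile(r"\b[A-Z]{2}-\d{4}-\d{3,5}\b"),  # e.g. ZH-2025-0417 (constructed)
    "NAME": re.compile("|".join(re.escape(n) for n in KNOWN_CLIENTS)),
}

# Hypothetical model labels mapped to the hosting classes the text distinguishes.
MODEL_CLASS = {
    "mistral-large-eu": "EU/CH-hosted",
    "llama-3.1-70b-onprem": "local",
    "gpt-cloud-us": "cloud-US",
}

# Routing policy: Art. 321 data never reaches cloud-US models in the clear.
ALLOWED = {
    "FREE": {"EU/CH-hosted", "local", "cloud-US"},
    "ART321": {"EU/CH-hosted", "local"},
}

# Constructed sample prompt (no real person or account).
SAMPLE_PROMPT = ("Client Anna Muster (AHV 756.1234.5678.97, IBAN CH93 0076 2011 6238 5295 7, "
                 "file ZH-2025-0417) reports liquidity problems of her SME. Summarise the options.")


class RoutingBlocked(Exception):
    """Raised when the policy forbids the requested model for this data class."""


def classify(text):
    """Step 01: ART321 if any identifier pattern matches, otherwise FREE."""
    return "ART321" if any(p.search(text) for p in PATTERNS.values()) else "FREE"


def pseudonymise(text):
    """Step 03: replace identifiers with placeholders; the mapping never leaves the firm."""
    mapping, seen = {}, {}

    def repl(kind):
        def _sub(m):
            value = m.group(0)
            if value not in seen:  # same value -> same placeholder keeps the prompt coherent
                token = f"<{kind}_{len(mapping) + 1}>"
                mapping[token] = value
                seen[value] = token
            return seen[value]
        return _sub

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(repl(kind), text)
    return text, mapping


def resubstitute(text, mapping):
    """Local re-substitution after the model response is received."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


def audit(log, data_class, model, status, placeholders=0):
    """Step 06: record date, class, model and pseudonymisation status, never the content."""
    log.append({"ts": datetime.now(timezone.utc).isoformat(), "class": data_class,
                "model": model, "status": status, "placeholders": placeholders})


def gateway(text, model, send, log, cloud_fallback=False):
    """Step 02: route per class. cloud_fallback is the explicit decision that a stronger
    cloud model is unavoidable; only then is the pseudonymisation layer switched on."""
    data_class = classify(text)
    hosting = MODEL_CLASS[model]
    mapping = {}
    if hosting not in ALLOWED[data_class]:
        if not (data_class == "ART321" and hosting == "cloud-US" and cloud_fallback):
            audit(log, data_class, model, "blocked")
            raise RoutingBlocked(f"{model} ({hosting}) is not allowed for {data_class} data")
        text, mapping = pseudonymise(text)
    response = send(model, text)  # send() stands in for the real model call
    audit(log, data_class, model, "pseudonymised" if mapping else "plain", len(mapping))
    return resubstitute(response, mapping)


if __name__ == "__main__":
    log = []
    echo = lambda model, prompt: f"[{model}] {prompt}"  # offline stand-in model
    print(gateway(SAMPLE_PROMPT, "llama-3.1-70b-onprem", echo, log))
    print(gateway(SAMPLE_PROMPT, "gpt-cloud-us", echo, log, cloud_fallback=True))
    for entry in log:
        print(entry)
```

The audit log is the artefact step 06 asks for: each entry proves which class went to which hosting class and whether the pseudonymisation layer was active, without storing the secret itself. The `cloud_fallback` flag makes the "stronger cloud model is unavoidable" decision explicit and reviewable instead of silently defaulting to pseudonymised cloud use.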
When AI use is admissible under Art. 321
Clearly admissible: AI research in public sources (Federal Supreme Court decisions, statutes, commentaries in OpenJur), draft of standard clauses without client reference, general language polishing of already anonymised text, internal knowledge-base search via RAG over the firm's own documents on a local vector database.
Admissible with client consent: Concrete mandate questions to cloud LLMs, provided the client has consented in writing after being informed about the data transmission. The SAV guideline 2024/2026 recommends a standard clause in the power of attorney: "The client permits the firm to use AI-supported tools to process the mandate, including the transmission of pseudonymised data to established providers (OpenAI, Anthropic, Mistral, Aleph Alpha)."
Admissible without consent given a correctly implemented pseudonymisation: If the transmitted data no longer has a personal reference and re-identification is practically impossible, no "disclosure of a secret" exists. Caveat: pseudonyms the provider can link with other data are not genuine anonymisation – see FADP Art. 5 lit. a and EDÖB guideline 2024.
Admissible in a local setup: Llama 3.1, Qwen 2.5, Mistral, DeepSeek-R1 run locally on own hardware. Data does not leave the server. This is the most legally robust variant, but costlier to set up (see Self-hosted vs. Cloud LLM).
When AI use is NOT admissible
Never admissible: Direct entry of full case files into ChatGPT, Claude, Gemini without pseudonymisation and without explicit client consent. Even if the provider promises "we do not train on your data" – that does not eliminate the CLOUD Act risk.
Never admissible: Use of free consumer-tier versions (ChatGPT Free, Claude.ai Free, Gemini Free). These tiers reserve training use, lack data-processing agreements, and lack SOC2/ISO security attestations. The SAV guideline names this explicitly as a breach of the duty of care.
Never admissible: Uploading files to AI services whose provider, hosting location or sub-processor list is unknown. "A nice app in the App Store" is not enough – the firm bears the full responsibility for choosing the auxiliary.
Borderline: Pseudonymisation where the surrounding facts are themselves distinctive. With prominent clients (CEOs, politicians) the mere combination of industry, location and matter may allow re-identification even without a name. In such cases only local hosting remains.
Trade-offs
STRENGTHS
- Clear legal framework since 2024/2026 via the SAV guideline
- Pseudonymisation + EU hosting cover most use-cases
- Local operation (Llama, Mistral) is the most legally robust variant
- Documented compliance serves as main exculpation in proceedings
WEAKNESSES
- Cloud-US models (GPT-4, Claude) stay blocked for Art. 321 data without pseudonymisation
- Pseudonymisation layer costs accuracy and is never complete
- Local operation requires GPU hardware and ongoing maintenance
- Client consent adds organisational effort at mandate start
FAQ
Does Art. 321 SCC also apply to fiduciaries?
No, fiduciaries are not in the Art. 321 SCC catalogue. Other confidentiality duties apply: the auditor secret under Art. 730b CO for licensed auditors, contractual NDA, data-protection duties under revFADP, and professional-association rules. A fiduciary office acting as auxiliary for a lawyer can fall indirectly into the Art. 321 protection sphere.
Is a "Zero Data Retention" contract with OpenAI sufficient for mandate data?
Not alone. ZDR addresses training and storage risks, but not the CLOUD Act. A US authority can demand release of data the US provider processes at the time of the request under 18 U.S.C. § 2703. ZDR is a necessary but not sufficient condition. For high-risk mandates (corporate restructurings, criminal defence, family law) EU/CH hosting or local operation remains necessary.
Is Microsoft 365 Copilot admissible for a law firm?
With the EU Data Boundary (available since February 2024, fully Q4 2024) inference data is confined to EU data centres. Microsoft offers a data-processing agreement with a CH amendment. The residual risk is the CLOUD Act against Microsoft Corp. For routine correspondence and standard mandate work, many firms accept Copilot; for politically sensitive mandates not. Client consent at mandate start is recommended.
What happens in case of a violation?
Criminal: up to three years' imprisonment or a monetary penalty (offense on complaint). Professional: disciplinary proceedings by the cantonal supervisory authority, from warning to disbarment. Civil: damages and satisfaction owed to the client. Data-protection: EDÖB proceedings with measures up to a processing ban. The existence of a documented compliance architecture is the most important exculpation evidence.
Sources
- StGB Art. 321 – Verletzung des Berufsgeheimnisses (fedlex.admin.ch) · 2026-01
- SAV-Wegleitung Umgang mit künstlicher Intelligenz (Anwaltsrevue 9/2024, aktualisiert 2026) · 2024-09
- Thouvenin / Schwarzenegger / Schiller – Gutachten zur Nutzung von Cloud-Diensten durch Anwältinnen und Anwälte (UZH / SAV) · 2021-03
- BGE 137 IV 269 – Bundesgerichtsentscheid zum Begriff des Berufsgeheimnisses · 2011-11
- Art. 730b OR – Revisionsgeheimnis (fedlex.admin.ch) · 2026-01