fairlane.systems

GDPR · COMPLIANCE

GDPR and LLMs: when the EU General Data Protection Regulation applies directly to Swiss companies

Under Art. 3(2) the GDPR reaches Swiss firms whenever EU customers are involved. LLM use touches practically every risk article.

As of: 2026-05

What is the GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) has been the EU-wide basis for personal data protection since 25 May 2018. It takes precedence over member-state law and applies without national transposition. For language-model use it is relevant on two paths: first as direct EU law for EU establishments, second as market-location law for Swiss companies that offer goods or services to persons in the EU or monitor their behaviour (Art. 3(2)).

In practice: a Zurich law firm with clients in Munich, a Geneva fiduciary office with customers in Lyon, a Bern e-commerce shop shipping to Vienna – all are directly subject to the GDPR, in parallel with the revised Swiss FADP. The Swiss FADP has been closely aligned with the GDPR since 1 September 2023; some duties still apply only under EU law (data protection officer from 250 staff, fines up to EUR 20 million or 4 % of group turnover, EU representative under Art. 27 GDPR).

For LLM applications the GDPR bites particularly hard, because generative AI processes large volumes of personal data – often more than the operator realises. The EDPB Opinion 28/2024 of 17 December 2024 settled central questions on the anonymisation threshold, on legitimate interest as a legal basis, and on the effect of unlawful processing during training on the inference operation. It is required reading for anyone running an LLM in production.

Why it matters

Three risk articles are practically relevant for LLM setups. They often apply at the same time and multiply the fine exposure.

Art. 5 – Principles. Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. Data minimisation is structurally violated by LLMs: an employee pasting a 30-page contract into ChatGPT typically transmits ten times more data than the actual question requires. The accuracy principle clashes with hallucinations – passing on an unchecked LLM result can spread incorrect data.

Art. 6 – Legal basis. Six grounds are possible; practically only three fit LLM use. Consent (lit. a) is fragile – revocable at any time and must be informed, which is hard to demonstrate across LLM-provider chains. Contract performance (lit. b) carries when the AI use is part of the service (e.g. a chatbot inside a SaaS product), but not for internal efficiency. Legitimate interest (lit. f) is the most common case – EDPB Opinion 28/2024 accepted it in principle for LLM development and deployment, but requires a documented three-step test (purpose, necessity, balancing against data-subject rights) and transparent communication.

Art. 25 – Privacy by Design and by Default. Duty to set privacy-friendly defaults. For LLM setups: system-prompt logging only opt-in, short default retention, mask personal-data fields before sending them to US models, review the sub-processor list before every new model rollout.

Art. 35 – DPIA. Data Protection Impact Assessment mandatory at high risk – practically always when an LLM does profiling, automated decisions, large datasets, or special categories (Art. 9: health, religion, court matters). See the separate DPIA methodology page.

Art. 44-49 – Cross-border transfer. Transfer to countries without an adequacy decision (the US after Privacy Shield fell) requires Standard Contractual Clauses plus a Transfer Impact Assessment. Since the EU-US Data Privacy Framework (July 2023) certified US companies are admissible again – but the list is revocable and must be checked before each onboarding.

How the GDPR bites in daily LLM use

The GDPR distinguishes between controller and processor. Whoever embeds the LLM in their own process is the controller; OpenAI, Anthropic, Google are processors – provided a valid Data Processing Agreement (DPA under Art. 28) is signed.

The DPA covers: which data, for which purpose, for which duration, which sub-processors, which security measures (Art. 32), how data-subject requests are handled (Art. 12-22), how data breaches are managed (Art. 33-34). OpenAI offers a standard DPA with zero-retention options (no training, no storage > 30 days) and EU region (Frankfurt/Paris) endpoints; Anthropic offers a comparable DPA with AWS-EU hosting; Google Vertex AI with EU data residency.

Training-data trap per EDPB 28/2024. If an LLM was trained on unlawfully collected data, the supervisory authority may order the downstream inference operation to be stopped – unless effective anonymisation was achieved. Provider selection becomes a compliance question: who can prove the training data was lawful? Anthropic publishes a training-data declaration; OpenAI has responded in more detail to such enquiries since 2025.

Data-subject rights under Art. 15-22. Access, rectification, erasure, restriction, portability, objection, no solely-automated-decisions. In practice: you must be able to extract, and where necessary delete, all data on a subject from your LLM logging, the prompt cache, and the provider logs. This requires searchable logs.

Breach notification under Art. 33. Within 72 hours of awareness. An accidental publication of an employee prompt containing client data in a public ChatGPT forum is a breach – regardless of whether damage occurred.

Fine ceiling under Art. 83. Up to EUR 20 million or 4 % of worldwide annual turnover of the preceding financial year, whichever is higher. DE (BfDI), FR (CNIL), IT (Garante) have been imposing seven-figure fines on companies with poor LLM governance regularly since 2024.

GDPR compliance check for LLMs in 7 steps

  1. Check applicability: establishment, market location, behaviour monitoring – one trigger suffices. For Swiss firms with EU customers it is practically always "yes".
  2. Determine and document the legal basis under Art. 6: legitimate interest with three-step test (EDPB 28/2024-compliant), contract performance, or consent.
  3. Sign a DPA with every LLM provider (OpenAI, Anthropic, Google) – check Art. 28 mandatory content, choose zero-retention and EU region as default.
  4. Standard Contractual Clauses + Transfer Impact Assessment for every US transfer; check provider EU-US Data Privacy Framework certification monthly.
  5. Run a DPIA under Art. 35 when risk is high (profiling, automated decisions, special categories, new technologies) – see the separate page.
  6. Update the privacy notice under Art. 13/14: providers, region, legal basis, retention, sub-processors, data-subject rights, EU representative.
  7. Set up the audit trail: searchable logs for subject requests, deletion paths, the 72-hour breach-notification process (Art. 33).
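The Art. 25 masking step described above and the searchable, erasable prompt log that step 7 and the Art. 15-22 section require, as an added example that is not from the page or from any provider: `PromptLog`, its method names, the regular expressions and the sample prompt are assumptions. The value-to-token map (the vault) stays with the controller, so the data leaving for the provider is pseudonymised, not anonymised, and remains GDPR-bound.

```python
# Added example (not from the page): PromptLog and its method names are assumptions.
# Art. 25: personal-data fields are pseudonymised before the prompt leaves the controller;
# the value->token map (vault) never leaves the premises. Art. 15/17: every outbound prompt
# is indexed by subject token, so access and erasure requests are answered from this log.
import re

PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
    "PHONE": re.compile(r"\+\d{2}[ \d]{7,14}\d"),
}


class PromptLog:
    def __init__(self):
        self.vault = {}     # original value -> stable token, kept on-premises
        self.entries = []   # one record per prompt sent to the provider

    def _token(self, kind, value):
        if value not in self.vault:
            self.vault[value] = f"<{kind}_{len(self.vault) + 1}>"
        return self.vault[value]

    def mask(self, text):
        """Replace e-mail, IBAN and phone fields with tokens (data minimisation, Art. 5/25)."""
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def record(self, user, prompt):
        """Mask first, then log the masked prompt indexed by the subject tokens it contains."""
        masked = self.mask(prompt)
        subjects = [t for t in self.vault.values() if t in masked]
        self.entries.append({"id": len(self.entries) + 1, "user": user, "subjects": subjects, "prompt": masked})
        return masked

    def export_subject(self, identifier):
        """Art. 15 access request: all log entries referencing this identifier."""
        token = self.vault.get(identifier)
        return [e for e in self.entries if token in e["subjects"]]

    def erase_subject(self, identifier):
        """Art. 17 erasure: drop the entries and the vault mapping; returns entries removed."""
        token = self.vault.pop(identifier, None)
        before = len(self.entries)
        self.entries = [e for e in self.entries if token not in e["subjects"]]
        return before - len(self.entries)


# Constructed sample prompt with fictitious personal data (no real persons)
SAMPLE = ("Summarise the claim by anna.meier@example.ch, phone +41 44 123 45 67, "
          "refund to CH93 0076 2011 6238 5295 7.")
```

Provider-side logs are outside this log's reach; the DPA's retention and deletion terms have to cover those.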

When the GDPR applies (Swiss perspective)

From a Swiss perspective the GDPR applies via three paths:

Establishment principle (Art. 3(1)). If the Swiss company has a branch, subsidiary or affiliate in the EU, that establishment is subject to the GDPR – and the Swiss parent is typically jointly liable. A Geneva bank with a Frankfurt subsidiary, a Zug insurer with a Vienna office: GDPR applies directly.

Market-location principle (Art. 3(2)(a)). Offering goods or services to persons in the EU. Triggers: EU languages on the website (DE/FR is ambiguous, IT/EN clearer), EUR prices, EU shipping, EU phone number, EU advertising. A Swiss law firm advising German clients meets the criterion.

Behaviour monitoring (Art. 3(2)(b)). Profiling, tracking, behavioural targeting. A Swiss website running Google Analytics or a Facebook pixel that tracks EU visitors is in scope.

LLM-specific triggers: a voice agent recording EU callers; a chatbot serving EU customers on a multilingual site; a recruiting tool scoring EU applications; a marketing tool analysing EU user behaviour. As soon as the service targets EU persons, the GDPR is in play.

Practical consequence: most Swiss companies with cross-border business must satisfy both regimes – FADP and GDPR. Since the GDPR is stricter (particularly on fine ceiling and the EU-representative duty), meeting the GDPR duties is usually enough; the FADP duties are then largely covered.

When the GDPR does not apply

The GDPR does not apply when (a) only Swiss personal data without an EU link is processed, (b) processing is purely private or domestic (Art. 2(2)(c)), (c) only anonymous data without re-identification risk is processed (recital 26).

For LLM setups (c) is the most attempted escape route – and rarely successful. Genuine anonymisation in the GDPR sense has a very high threshold: even aggregated postcodes plus profession plus age band can be re-identifiable via auxiliary data. EDPB Opinion 28/2024 requires for an AI model to be anonymous that the probability of extracting personal data is negligible for each data subject – a hard threshold to meet.

Processing only legal entities (companies) falls outside the GDPR for that part. But as soon as contact persons, directors or beneficial owners appear by name, those are personal data – an LLM contract analysis is practically always GDPR-relevant.

This is not legal advice. For binding interpretation of GDPR applicability to your specific LLM setup, please consult a Swiss attorney specialised in EU data protection or an external EU data protection advisor. *This is not legal advice. For a binding interpretation, consult a Swiss attorney / data protection advisor.*

Trade-offs

STRENGTHS

  • Clear, harmonised legal framework across 27 EU states – one DPA, one privacy notice covers all
  • EDPB 28/2024 settled key LLM questions – less legal uncertainty than in 2023
  • Strict duties force clean architecture – Privacy by Design is also good software hygiene
  • Supervisory authorities offer free pre-consultations (CNIL in FR, BfDI in DE, Garante in IT)

WEAKNESSES

  • Fines up to 4 % of group turnover – existential at repeat infringements
  • EU-representative duty under Art. 27 creates ongoing cost without direct benefit
  • Cross-border transfer remains unstable – the EU-US DPF can fall at any time (third CJEU case ongoing)
  • Anonymisation threshold per EDPB 28/2024 very high – pseudonymised data remains GDPR-bound

FAQ

We are a Swiss SME without an EU establishment – does the GDPR still apply?

If you serve EU customers, yes. The market-location principle in Art. 3(2) suffices. Three indicators: EUR prices, EU shipping, EU language (IT/EN/PL strong indicators, DE/FR ambiguous because also Swiss-relevant). Rule of thumb: if a German private customer can find and buy from your site without help, the GDPR applies.

Do we need an EU representative under Art. 27?

Required for Swiss companies subject to the GDPR without an EU establishment – except where the processing is occasional, involves no special categories and is low-risk. In practice this catches every Swiss online shop with DE customers and every Swiss fiduciary with EU clients. Specialised EU representatives (DataRep, Prighter, VeraSafe) cost roughly EUR 50-150/month.

Is the EU-US Data Privacy Framework enough for ChatGPT?

Yes, if OpenAI appears on the US Department of Commerce certification list (May 2026: yes) and you have a DPA with SCC fallback. Recommended: still maintain a documented Transfer Impact Assessment, since certification is revocable at any time and the CJEU has already invalidated comparable mechanisms twice (Safe Harbor 2015, Privacy Shield 2020).

What does EDPB 28/2024 say on legitimate interest as a legal basis?

Generally accepted for LLM development and operation – but only with a documented three-step test. First: concrete legitimate interest (not abstract "better AI"). Second: necessity test (can it be done with less data?). Third: balancing against data-subject rights, taking into account the reasonable expectations of the subjects. For special categories under Art. 9 legitimate interest is not sufficient – an Art. 9 ground is also needed.

Related topics

  • revDSG · COMPLIANCE – revDSG / revFADP and AI: what the revised Swiss Data Protection Act means for LLM use
  • TIA · COMPLIANCE – Third-country transfer and Transfer Impact Assessment (TIA): Swiss data in US and PRC cloud LLMs
  • DPIA · COMPLIANCE – DPIA for AI systems: Data Protection Impact Assessment under revDSG Art. 22 and GDPR Art. 35
  • EU AI ACT · COMPLIANCE – EU AI Act 2026: high-risk duties from 2 August 2026 – what Swiss providers must do now
  • ROUTING · AI CONCEPT – Multi-LLM routing: which model when, for how much

Sources

  1. Regulation (EU) 2016/679 (GDPR) – EUR-Lex full text · 2016-04
  2. EDPB Opinion 28/2024 – Personal Data Processing in AI Models · 2024-12
  3. EU-US Data Privacy Framework – Certification List (US Department of Commerce) · 2026-05
  4. CNIL – AI System Development Recommendations to Comply with GDPR · 2025-02
  5. European Data Protection Supervisor – Generative AI Orientations (revised) · 2025-10
