When a Zurich‑based fintech launched its credit‑scoring chatbot on 12 March 2026, it was forced to halt the service within 48 hours after the Swiss Federal Data Protection Authority flagged a single paragraph of the FADP that GDPR never mentioned. 1. The regulatory baseline – GDPR vs. the revised FADP Scope of personal data Both regimes protect “personal data”, but the new FADP widens the definition to include any biometric or behavioural identifier that can be linked to a natural person, even if the data never leaves Swiss territory. GDPR still treats such data as “special category”, but it does not require a separate record‑of‑processing for domestic‑only models. Legal basis for processing GDPR gives you six lawful bases; the most common for AI is “legitimate interests”. The FADP, however, adds a mandatory “explicit consent for profiling” clause when the processing outcome produces legal or similarly significant effects.…