ChatGPT, Claude and Gemini at work: allowed — but not in every version.
Yes, you may use the major AI assistants for business, even with personal data — provided you pick the right licence tier and have a contract with the provider. The tools themselves are rarely the problem. The problem is that many companies use the free version in their day-to-day work and assume it is the same as the business variant. It is not.
The one difference that decides everything
With the consumer and free versions (ChatGPT Free/Plus, Claude Free/Pro, Gemini on personal accounts), your inputs can in principle be reused to improve the models. Fine for a private chat. For a quote with a client's name in it: risky.
With the business licences — Claude Team and Enterprise, ChatGPT Team/Enterprise/Business, Google Gemini Enterprise (Workspace) — the default is the opposite: the provider does not train on your inputs, retains them only for a limited time, and you get a contract with it. That very jump from «free» to «Team/Enterprise» is the most important step an SME takes — more important than the question of which provider is «the safest».
Two things that get confused
If you use AI for business and process personal data in doing so, Swiss data protection law requires two things — and they are constantly mixed up:
- A contract with the provider (a data processing agreement, DPA). It governs how the provider handles your data on your behalf. You always need it once personal data is involved — whatever the provider, whatever the country.
- A permitted route to the US. All three providers process data in the US. There are two legal routes for that: either the company is certified under the Swiss-U.S. Data Privacy Framework (an official list, recognised by the Swiss Federal Council), or it uses so-called standard contractual clauses with a Swiss addendum. Both routes are equally valid.
The common error: «The company isn't on the DPF list, so it's forbidden.» DPF certification is easily mistaken for an exclusion criterion — but it isn't. No DPF simply means the route runs via the standard contractual clauses rather than via the list.
Where do the three actually stand? (As of June 2026)
- Anthropic (Claude): not on the DPF list, works with standard contractual clauses.
- OpenAI (ChatGPT): status mixed and in flux — historically via standard contractual clauses. Anyone relying on it should check the current entry themselves.
- Google (Gemini): certified on the DPF list — but, by its own account, also uses the contractual clauses for Switzerland.
Bottom line: all three are legally workable — via the contract. The DPF list is not the criterion the decision hangs on.
What an SME should do in practice
- Book Team/Enterprise/Business instead of free or personal accounts for work.
- Sign the DPA (available online with all three) — and check whether it includes a Swiss addendum. Pure EU clauses do not automatically cover Switzerland.
- Tell your staff which account is the business one — this prevents the «quick jump into private ChatGPT» reflex.
- Particularly sensitive data (health, professional secrecy, third-party strategy) should be reviewed separately before first use.
The problem is rarely the tool. It's the version.
We guide Swiss SMEs along this path — human, competent, holistic.
Important note. This article is general orientation, not legal advice. We are not lawyers, and no text on the internet can give a binding assessment of your specific situation — it depends on your data, your sector and your contracts. Before you rely on anything, have your specific case reviewed by a data protection law professional. Details on provider certifications can change at any time; as of June 2026.