iConference AG
AI that lands

ChatGPT, Claude and Gemini at work: allowed — but not in every version.

Yes, you may use the major AI assistants for business, even with personal data — provided you pick the right licence tier and have a contract with the provider. The tools themselves are rarely the problem. The problem is that many companies use the free version in their day-to-day work and assume it is the same as the business variant. It is not.

The one difference that decides everything

With the consumer and free versions (ChatGPT Free/Plus, Claude Free/Pro, Gemini on personal accounts), your inputs can in principle be reused to improve the models. Fine for a private chat. For a quote with a client's name in it: risky.

With the business licences — Claude Team and Enterprise, ChatGPT Team/Enterprise/Business, Google Gemini Enterprise (Workspace) — the default is the opposite: the provider does not train on your inputs, retains them only for a limited time, and you get a contract with it. That very jump from «free» to «Team/Enterprise» is the most important step an SME takes — more important than the question of which provider is «the safest».

Two things that get confused

If you use AI for business and process personal data in doing so, Swiss data protection law requires two things — and they are constantly mixed up:

The common error: «The company isn't on the DPF list, so it's forbidden.» DPF certification is easily mistaken for an exclusion criterion — but it isn't. No DPF simply means the route runs via the standard contractual clauses rather than via the list.

Where do the three actually stand? (As of June 2026)

Bottom line: all three are legally workable — via the contract. The DPF list is not the criterion the decision hangs on.

What an SME should do in practice

The problem is rarely the tool. It's the version.

We guide Swiss SMEs along this path — human, competent, holistic.

Important note. This article is general orientation, not legal advice. We are not lawyers, and no text on the internet can give a binding assessment of your specific situation — it depends on your data, your sector and your contracts. Before you rely on anything, have your specific case reviewed by a data protection law professional. Details on provider certifications can change at any time; as of June 2026.