CASUS Logo white
Casus Logo

CASUS Blog

Swiss Bar Association AI Guidelines: A Practical Guide

Last updated on

by

Fabian Staub

Fabian Staub

|

Co-Founder & CEO

The Swiss Bar Association (SAV/FSA) adopted its "Guidelines on the Use of Artificial Intelligence" in June 2024 (published in Anwaltsrevue 9/2024, consolidated version dated 16 February 2025). The document is not an independent disciplinary rule but an interpretation of existing professional duties – professional secrecy, due diligence, data protection – applied to generative AI tools.

TL;DR: What the SAV guidelines require – in 5 points

  • No client data in consumer tools: Identifying client data must not be entered into tools that lack a data processing agreement and zero data retention.

  • Always review AI output: The lawyer remains responsible. AI outputs must be verified for substance and accuracy – the duty of diligent professional conduct (Art. 12 BGFA) does not fall away.

  • Professional secrecy applies without restriction: Art. 13 BGFA and Art. 321 StGB apply equally to AI services and their sub-processors.

  • Data protection under the revDSG: Where personal data is processed, a legal basis is required and – when using third-party providers – a data processing agreement.

  • Transparency towards clients: Lawyers should inform clients when AI tools are materially involved in the work.

What are the SAV AI guidelines – and who do they apply to?

The SAV guidelines are not a statute or ordinance. They are an interpretive instrument showing how existing professional duties apply to the use of AI tools.

The Swiss Bar Association first adopted the guidelines in June 2024. The current consolidated version is dated 16 February 2025 and is available directly from the SAV. They apply to all lawyers subject to the BGFA – that is, those entered in a cantonal bar register and active in the area of judicial representation.

Since the guidelines contain no independent sanction, the question arises why they matter. The answer lies in the provisions they interpret: a breach of professional secrecy or insufficient diligence in handling a mandate can have disciplinary and criminal consequences – regardless of whether an AI tool was involved. The guidelines make clear that AI does not create a professional-conduct-free zone.

For day-to-day practice, this means: anyone who wants to use AI tools productively needs to understand the requirements and implement them internally. Done well, that is not a constraint but a stable foundation.

What core duties apply in practice?

The guidelines identify five areas directly relevant to AI use.

Professional secrecy (Art. 13 BGFA, Art. 321 StGB)

The lawyer's duty of confidentiality protects all information entrusted in the course of professional activity. Under Art. 13 para. 2 BGFA, this duty extends to auxiliaries – and under a widely held interpretation, an AI service running on a third-party server that accesses client data qualifies as an auxiliary.

In concrete terms: entering identifying client data (name, file number, party details, facts of the case) into a system where the provider has not given adequate confidentiality guarantees can constitute a breach of professional secrecy. The criminal provision in Art. 321 StGB does not require intent – negligence can suffice.

Duty of care and output review (Art. 12 BGFA)

The duty of diligent and conscientious professional conduct under Art. 12 lit. a BGFA is the key norm. It requires that AI outputs be verified for substance and legal accuracy before being used in a mandate. "Hallucinations" – invented court decisions or non-existent statutory provisions – are not a theoretical risk. They occur, and the responsibility for the result lies with the lawyer, not the tool.

In practice, this means an AI output does not replace independent review; it structures and accelerates it. Lawyers who do not internalize this risk professional consequences.

Data protection (revDSG)

Where AI tools process personal data – and that is the case in virtually every mandate-related use – the processing principles of Art. 6 revDSG apply: lawfulness, proportionality, and purpose limitation. If processing is delegated to a third-party provider, a data processing agreement under Art. 9 revDSG is required.

The question of cross-border data transfers also arises: if the provider's server is outside Switzerland or the EU, it must be established whether the level of protection in the destination country is adequate or whether additional safeguards are needed. The FDPIC (EDÖB) supervises compliance with the revDSG; violations can trigger administrative measures and, for natural persons, sanctions.

Copyright

Lawyers who incorporate AI-generated text into submissions or contracts should note: under Swiss copyright law (Art. 6 URG), the author is the natural person who created the work. AI-generated content does not enjoy copyright protection. In most law firm contexts that is not a practical problem, but it limits the ability to assert proprietary rights over such content. More relevant is the reverse question: whether the training of the AI model used has drawn on third-party copyrighted material.

Transparency towards clients

The guidelines recommend informing clients about material AI use. This is not a rigid statutory disclosure obligation, but flows from the general duty of loyalty. In practice, it can be handled through engagement letters or general terms and conditions – a brief clause naming the use of AI tools is generally sufficient.

Can a lawyer use ChatGPT for law firm work?

In principle yes – but not without conditions. The guidelines do not prohibit generative AI; they set a framework.

The free or standard version of ChatGPT is unsuitable for mandate-related work involving identifying data. OpenAI does offer more privacy-friendly configurations for enterprise customers, but the lawyer must verify independently whether a data processing agreement is in place, whether the hosting meets the requirements, and whether no model training occurs on the data entered.

For general, non-mandate-specific tasks – draft texts without concrete case references, summaries of public decisions, literature research – the threshold is lower. But as soon as a genuine mandate context exists, professional secrecy and data protection apply in full.

The practical implication: consumer tools without a clear contractual basis and technical guarantees (no data training, no disclosure to sub-processors, hosting in Switzerland or the EU) are not suitable for actual mandate work. That holds regardless of how capable the underlying model is.

How to select a privacy-compliant AI tool for a law firm?

A compliant AI tool for law firm use meets at least four requirements: hosting in Switzerland or the EU, zero data retention, a clear data processing agreement, and no training on firm data.

Hosting: The server location determines which data protection law applies and whether a cross-border data transfer is involved. Hosting in Switzerland or the EU eliminates the risk of uncontrolled third-country transmission.

Zero data retention: If queries and documents are not stored after processing, they cannot be compromised. For client data, this is not a nice-to-have but a baseline requirement.

Data processing agreement: Art. 9 revDSG requires a written contract when data processing is outsourced to a third party, governing the purpose, scope, and obligations of the processor. Without that contract, the outsourcing has no data protection basis.

No model training on client data: Some providers reserve the right to use inputs for model improvement. That is incompatible with professional secrecy.

Access controls: Who in the team has access to which client data? A tool that does not support role-based permissions creates new internal risks.

CASUS, the Swiss legal AI platform, is built to meet these requirements: hosting in Switzerland and the EU, zero data retention, no training on client data, no data transfer to the US, and a regulated data processing agreement. The compliance details are available on the CASUS security page.

Firms that want to test CASUS in practice can get started directly at app.getcasus.com/signup – no setup required, available in the browser or as a Microsoft Word add-in. As of June 2026, pricing is CHF 125 per seat per month (regular CHF 145), or CHF 100 on annual billing.

Practical checklist: implementing the SAV guidelines in your firm

The checklist below covers the key implementation steps. It does not substitute for legal advice in individual cases, but provides a structured starting point.

1. Compile a tool inventory Which AI tools are already being used in the firm – officially or unofficially? Consumer tools on personal devices are often the biggest blind spot.

2. Define data categories What data is typically entered into AI tools? Mandate-related data, personal data, public texts – the categorization determines which requirements apply.

3. Review data processing agreements For every tool that processes personal or client data: is a data processing agreement in place under Art. 9 revDSG?

4. Clarify hosting and data flows Where is data processed and stored? Are there sub-processors in third countries? Is zero data retention confirmed?

5. Issue an internal AI policy A firm-level policy defines which tools may be used for which tasks, which data may be entered, and who bears responsibility.

6. Train all staff Art. 13 para. 2 BGFA extends professional secrecy to auxiliaries. That presupposes that all team members understand what this means in the context of AI tools.

7. Define an output-review process How are AI-generated texts, legal research outputs, or contract analyses verified before use? Who is responsible? Is there a documentation requirement?

8. Regulate client disclosure In which mandates is AI materially involved? Is that reflected in the engagement letter or general terms and conditions?

9. Address copyright For AI-generated texts: do not assert copyright ownership; document the origin internally.

10. Schedule periodic reviews The SAV guidelines are updated on an ongoing basis. Firms that are compliant today should verify that position in twelve months.

FAQ

What are the SAV AI guidelines, and are they binding?

The SAV Guidelines on the Use of Artificial Intelligence (as of 16 February 2025) are not independent disciplinary rules with their own sanction, but an interpretive guidance document. They clarify how existing professional duties – particularly under the BGFA and the Swiss Criminal Code – apply to AI tools. In practice they carry real weight, because a breach of the underlying norms can have disciplinary and criminal consequences.

Does professional secrecy apply to AI services?

Yes. Art. 13 BGFA and Art. 321 StGB protect all information entrusted to a lawyer in the course of professional activity – regardless of the channel through which it is disclosed. An AI service that accesses client data is treated as an auxiliary under Art. 13 para. 2 BGFA. The provider must offer corresponding contractual and technical guarantees.

What data protection requirements apply to AI tools used by law firms?

The revised Swiss Data Protection Act (revDSG, in force since 1 September 2023) requires lawfulness, proportionality, and purpose limitation for any processing of personal data. When an external provider is used, a data processing agreement is required under Art. 9 revDSG. It must also be established whether the provider's hosting ensures an adequate level of data protection.

Can ChatGPT be used in a law firm for client matters?

For mandate-related work involving identifying data, only if a legally compliant data processing agreement is in place, the hosting meets the requirements, and no model training takes place on the data entered. The standard consumer version of ChatGPT generally does not meet these conditions. For anonymized or non-mandate-specific tasks the threshold is lower, but a case-by-case assessment remains necessary.

What must an AI tool fulfill to be used in a law firm in a privacy-compliant manner?

Minimum requirements are: hosting in Switzerland or the EU, confirmed zero data retention, a written data processing agreement, no training on mandate or client data, and clear disclosure of sub-processors. Role-based access controls for sensitive client data are also advisable.

What does "reviewing AI output" mean in practice?

AI-generated legal research, contract drafts, or submission passages must be verified for substance and legal accuracy before being used in a mandate. Generative models can invent court decisions or statutory provisions ("hallucinate"). The duty of care under Art. 12 BGFA does not fall away because an AI tool was used – responsibility remains with the lawyer.

Must clients be informed about the use of AI?

The guidelines recommend transparency when AI tools are materially involved in handling a mandate. A strict statutory disclosure obligation does not currently exist under Swiss law, but the general duty of loyalty supports including a corresponding clause in the engagement letter or general terms and conditions.

This article is intended for general orientation and does not substitute for legal advice in individual cases. For specific compliance questions relating to AI use in a law firm, consultation with a specialist in data protection and professional conduct law is recommended.

Casus Logo

Verträge auf Autopilot. Mit CASUS.

Capterra Logo
Innosuisse Logo
Venture Kick Logo
HSG Spin Off Logo

CASUS Technologies AG

Uraniastrasse 31

8001 Zurich

Switzerland

Copyright ©2025 CASUS Technologies AG — All rights reserved.

Linkedin Icon
Youtube Icon
Casus Logo

Verträge auf Autopilot. Mit CASUS.

Capterra Logo
Innosuisse Logo
Venture Kick Logo
HSG Spin Off Logo

CASUS Technologies AG

Uraniastrasse 31

8001 Zurich

Switzerland

Copyright ©2025 CASUS Technologies AG — All rights reserved.

Linkedin Icon
Youtube Icon
Casus Logo

Verträge auf Autopilot. Mit CASUS.

Capterra Logo
Innosuisse Logo
Venture Kick Logo
HSG Spin Off Logo

CASUS Technologies AG

Uraniastrasse 31

8001 Zurich

Switzerland

Copyright ©2025 CASUS Technologies AG — All rights reserved.

Linkedin Icon
Youtube Icon