The employer’s obligation to inform employees about the use of artificial intelligence under Swiss law

A summary of Philippe Ehrenström, The employer’s duty to provide information and the employee’s right of access when processing data using AI tools, in: Valérie Defago/Jean-Philippe Dunand/Florence Guillaume/David Raedler/Aurélien Witzig (eds.), Algorithms, Artificial Intelligence and Labour Law, Basel-Neuchâtel, 2026, pp. 151–177:

The article examines the employer’s duty to provide information and the employee’s right of access when the employer processes data using artificial intelligence tools.

AI did not begin with generative AI. It has existed since the 1950s and has taken various forms, notably symbolic AI and connectionist AI. Human resources departments have long been using tools incorporating certain forms of AI. The recent emergence of generative AI therefore does not entirely create a new problem, but rather brings to the fore an existing challenge: how to apply labour law and data protection law to tools capable of classifying, recommending, assessing, monitoring or influencing decisions concerning workers.

The article begins by defining an artificial intelligence system. It notes that the Council of Europe’s Framework Convention on AI, signed by Switzerland on 27 March 2025, and the European Regulation on Artificial Intelligence adopt a similar approach. An AI system is thus an automated, machine-based system which, based on input data, produces outputs such as predictions, content, recommendations or decisions that may influence a physical or virtual environment. It may exhibit varying degrees of autonomy and adaptability following its deployment. However, this definition is not always easy to apply to older software or traditional tools that already contain elements of AI. In the workplace, there are numerous applications: recruitment, HR management, monitoring, performance appraisal, allocation of benefits, drafting of documents and organisation of tasks.

The article then examines the issue within the context of Swiss law. Article 328b of the Swiss Code of Obligations (CO) permits an employer to process an employee’s data only if it relates to their ability to perform their job or if it is necessary for the performance of the contract. The Federal Act on Data Protection (FADP) also applies to such processing. Article 328b of the CO therefore creates a presumption of lawfulness for certain work-related processing operations, but this lawfulness remains conditional upon compliance with the general principles of the FADP, in particular good faith, proportionality, transparency and accuracy.

In an employment relationship, the employer is the data controller and the employee is the data subject. However, this transposition is not without implications. Labour law results from an unequal relationship and serves a protective function. Data protection law is more often based on the idea of an autonomous individual who is informed and capable of exercising their rights. In the world of work, this legal fiction must be corrected: the employee is not a free consumer in relation to the employer.

The article then discusses the employer’s duty to provide information. Under Swiss law, this duty may arise from several sources: the Swiss Code of Obligations (CO), the Labour Act (LTr), the Accident Insurance Act (LAA), the Act on Employee Participation, collective agreements, company regulations and case law. With regard to AI, it may also be informed by European law, in particular the AI Regulation, the GDPR and legislation relating to platform work. Some national laws already go further: Italy requires employers to inform employees about the use of AI at work; in France, the Social and Economic Committee must be consulted before the implementation of AI applications that alter working conditions.

Under Swiss law, the article distinguishes between a collective duty to provide information and an individual duty to provide information. The collective duty stems in particular from the Act on Employee Participation and the rules on health protection. Workers’ representatives must be informed in good time and in full on matters necessary for the performance of their duties. This duty becomes particularly important when the employer introduces surveillance or monitoring systems. Article 26 of OLT 3 prohibits systems designed to monitor workers’ behaviour at their workstations. Systems required for other reasons remain permissible, but they must be designed in such a way as not to harm health or restrict freedom of movement. According to SECO’s commentary, this rule also applies to IT tools using AI to analyse or evaluate data relating to employees, such as models of vision, movement, speech, communication or psychological state. The Federal Supreme Court, however, interprets the prohibition narrowly: the decisive factor is the impact on health. The installation of a surveillance or monitoring system using AI therefore requires prior information and consultation with employees or their representatives.

An individual duty to provide information arises from the FADP. The employer must inform the data subject at the time of data collection, regardless of whether the data is collected directly from them or not. The information must be provided no later than at the time of collection. It must be concise, transparent, understandable and easily accessible. It must specify at least the identity and contact details of the data controller, the purpose of the processing and the recipients or categories of recipients. If the data is not collected from the data subject, the employer must also specify the categories of data being processed. In the event of a transfer abroad, the employer must specify the recipient state or organisation, as well as the applicable safeguards or the exception invoked.

The article then examines automated individual decision-making. Under the FADP, the employer must inform the data subject when a decision is taken solely on the basis of automated processing and produces legal effects or significantly affects them. There must be a genuine absence of human intervention. A person who simply relies on an automated tool, amongst other factors, to make a recruitment decision is not necessarily making an automated individual decision. There must also be a certain degree of complexity or discretion; simple mechanical ‘if… then…’ rules are not sufficient. In the case of an automated individual decision, the information must state that such a decision has been made and set out the means by which the data subject can exercise their rights, in particular the right to express their point of view, to request a human review and to obtain information on the logic behind the decision.

The central point of the article, however, lies elsewhere: what should be done when the AI system does not make an automated individual decision, but merely produces recommendations, rankings or assessments? The article argues that an enhanced duty to provide information may exist even in the absence of an automated individual decision. Article 19 FADP sets out only a minimum standard. The scope of the information depends on the type of data, the nature of the processing, its scale and, above all, the risk of infringement of personal rights. An AI recruitment system, even one limited to making recommendations, may present high risks. Indeed, the EU AI Act classifies systems used for recruitment, selection, promotion, dismissal, task allocation, monitoring or performance evaluation as ‘high-risk’. These systems can affect workers’ career prospects, livelihoods and rights. They can also perpetuate historical forms of discrimination. This reasoning can be applied to Swiss law: the significance of the risk justifies specific information, even in the absence of an automated individual decision.

The article provides further examples. Augmented reality glasses used at work may enable constant monitoring of the wearer or third parties, biometric analysis or covert processing. Their use should therefore be accompanied by information provided to the workers concerned and to those likely to be captured by the system. Similarly, the right to erasure becomes difficult to exercise when the data has been used to train or fine-tune an AI system. Simply deleting the original data may not remove all traces embedded in the model. ‘Machine unlearning’ does not yet guarantee complete erasure. This creates tension with the FADP’s principle of technological neutrality: in theory, the law applies regardless of the tool; in practice, certain tools make it much more difficult to exercise one’s rights. The article adds that AI can also cause more diffuse harm: loss of autonomy, erosion of skills, and a diminished sense of professional worth. If these effects reach a certain level of severity, they may also relate to personality rights.

The article then emphasises that the data protection impact assessment does not necessarily have to be communicated to employees. In the event of a high risk to personal rights or fundamental rights, Article 22 of the FADP requires a prior impact assessment. This describes the processing, assesses the risks and sets out the measures planned. However, it remains an internal compliance document. Moreover, unlike the GDPR, the FADP does not provide for mandatory consultation with data subjects when drawing it up.

The article emphasises the important practical role of the data processing register. This register contains, in particular, the identity of the data controller, the purposes of processing, the categories of data subjects and data, the recipients, retention periods, security measures and transfers abroad. Even where a company with fewer than 250 employees might qualify for an exemption, the register remains practically indispensable. It enables organisations to properly inform employees, respond to requests for access, identify processing operations affected by a data breach and manage compliance. Without a register, the duty to provide information remains abstract.

The difficulty, however, may lie in identifying AI-based processing operations. Many HR tools had already incorporated AI before the current FADP came into force. They are sometimes treated as routine and remain invisible within the organisation. It is therefore necessary to identify legacy systems, including general-purpose tools such as transcription software, which raise issues regarding consent, the recording of third parties, data retention and transfers abroad. Updates further complicate the situation. Open updates announce changes and require validation; there are already many of these and they are difficult to keep track of. Silent updates are even more problematic: they can modify software or a model in the background, without immediate notification. In the field of AI, an update can alter the system’s behaviour, its tone, its settings, its security rules or the way it handles certain topics. The employer may then find themselves obliged to inform or consult without even being fully aware of the change.

The article also analyses the ‘Boss-as-a-Service’ phenomenon. The employer purchases external services for algorithmic staff management. They remain the data controller, but the provider has a better understanding of the tool, its parameters and its developments. This results in an information asymmetry between the employer and their subcontractor, which makes it more difficult to inform the employee. The risk is that managerial authority is partially outsourced to a service provider and its system.

The second main section concerns the employee’s right of access. Article 25 FADP allows any person to enquire whether data concerning them is being processed and to obtain the information necessary to exercise their rights and ensure transparency. This right complements the duty to provide information. It serves to verify the lawfulness of processing and to request the rectification, erasure, restriction of processing or destruction of data. More broadly, it protects personal rights. It is strictly personal, cannot be time-barred and cannot be waived in advance. Any clause in an employment contract that would limit this right would be null and void.

The right of access applies to the employer as the data controller, but may also apply to other entities processing work-related data. It is not limited to the traditional personnel file (dossier du personnel). It covers all personal data processed in the context of the employment relationship. The data subject must be provided with, at a minimum, the identity of the data controller, the data being processed, the purposes of processing, the retention period or the criteria for determining the retention period, the source of the data if it was not collected directly from the data subject, the existence of any automated individual decision-making and the logic behind it, the recipients, and information regarding transfers abroad. The request must, in principle, be made in writing, including electronically. The response must be comprehensible and provided within 30 days, unless notice of an extended deadline has been given. It is, in principle, free of charge.

This right is subject to restrictions. The employer may refuse, restrict or defer disclosure if provided for by specific legislation, in particular to protect professional secrecy, if the overriding interests of a third party so require, or if the request is manifestly unfounded, contrary to data protection principles or vexatious. A private individual may also invoke their own overriding interests if they do not disclose the data to a third party. These exceptions are exhaustive and must be interpreted restrictively. Before refusing access entirely, the employer must consider less intrusive measures. Legal doctrine also recognises that a confidentiality agreement may be required in certain cases.

The article devotes particular attention to the abuse of the right of access. Even under the previous law, the Federal Supreme Court had held that this right should not be used solely to seek evidence for a trial. The new FADP takes up this idea. A request may be deemed abusive if it is aimed exclusively at investigating an opposing party or circumventing the rules of civil procedure. However, abuse must not be accepted too readily. If the request serves several purposes, including a genuine data protection objective, it should not be rejected. There is thus a tension between a broad, protective interpretation of the right of access in employment relationships, and a stricter interpretation, focused solely on verifying compliance with data processing requirements or respect for data protection law.

Finally, the article examines access to the rationale behind an individual automated decision. Under Swiss law, as under European law, the aim is not to obtain the source code, an incomprehensible mathematical formula or an exhaustive description of all the technical steps. The data subject must receive a useful, concise and intelligible explanation of the procedure and the principles applied. They must understand which personal data were used and how these influenced the outcome. Technical complexity does not relieve the data controller of their duty to provide an explanation. Relevant information could, for example, indicate to what extent a variation in certain data would have led to a different outcome.

The article concludes that AI in the workplace does not operate in a legal vacuum. Various legal norms already provide the necessary tools. However, AI systems place these tools under strain. They make it more difficult to identify processing operations, provide useful information, exercise the right of access, erase data and understand decisions. These difficulties are likely to increase with the outsourcing of algorithmic management and the development of AI agents capable of coordinating humans and other systems. The real challenge, therefore, is not merely whether AI is lawful in the workplace, but maintaining an effective capacity for information, oversight and redress within a relationship where the worker remains structurally dependent on the employer.

(Source: https://www.helbing.ch/fr/detail/ISBN-9783719050870/Algorithmes-intelligence-artificielle-et-droit-du-travail?bpmctrl=bpmrownr.2%7Cforeign.221031-69-0-121016)

Philippe Ehrenström, attorney, LLM, CAS in Law and Artificial Intelligence, CAS in Data Protection – Business and Public Administration

This blog presents certain legal topics in Switzerland as well as current issues. It is written by Philippe Ehrenström, independent attorney, LL.M., Yverdon-les-Bains.