Vaud LPrD Revision: What Communes and Public Entities Need to Do
The LPrD applies only to Vaud public bodies, not private companies. The revision introduces six new obligations. Here is what changes, who is affected, and how to prepare during the consultation phase.
What is the LPrD, and who does it apply to?
The LPrD applies exclusively to Vaud public bodies, and not to private companies, which fall under federal law (LPD). It governs how public bodies in the canton collect, store, share, and destroy personal data, protecting individuals from misuse of their data by the authorities.
Vaud public bodies
- Cantonal administration and its departments
- Municipalities and their services
- Public law institutions
- Private entities carrying out a cantonal public task
The private and federal sector
- Private companies, SMEs, sole traders
- Associations acting in a private capacity
- Federal bodies and federal administration
- Mixed entities: determined activity by activity
Why this revision, and why now?
The revision responds to a need for alignment. The federal data protection law (LPD) entered into force on 1 September 2023 and raised the standard across Switzerland. Cantonal law needs to follow so that Vaud public bodies offer the same level of protection as required at the federal and European level.
The Council of State authorised the consultation on 5 March 2026. The project goes beyond the LPrD itself: it extends its principles to all cantonal special laws and introduces a new law on video surveillance. The consultation phase allows municipalities, associations, and other stakeholders to submit observations before adoption by the Grand Council. This is precisely the window in which a public entity has every reason to measure its compliance gap, because the obligations are already known and the time to prepare is still available.
LPrD, LPD and GDPR
The three regimes share the same philosophy but apply to different actors and designate different authorities. A municipality reasons with the LPrD, a company with the LPD, and any organisation processing data of EU residents with the GDPR.
| Criterion | LPrD (Vaud) | LPD (Federal) | GDPR (EU) |
|---|---|---|---|
| Who is covered | Vaud public bodies | Private persons and federal bodies | Organisations processing EU residents' data |
| Supervisory authority | Cantonal commissioner for data protection and transparency | FDPIC | National authorities and EDPB |
| Register | Processing activities register (new) | Processing activities register | Processing activities register (Art. 30) |
| Impact assessment | DPIA procedure (new) | DPIA for high-risk processing | DPIA (Art. 35) |
| Security breaches | Mandatory formal notification (new) | Notification to FDPIC | 72-hour notification (Art. 33) |
| Sensitive data | Extended to genetic and biometric data | Includes genetic and biometric | Special categories (Art. 9) |
The six changes introduced by the revision
Here is what each change means in practice for a public entity.
Expanded sensitive data
Genetic and biometric data now qualify as sensitive. Any processing that uses fingerprints, facial recognition, or genetic data requires a stricter legal basis and, in most cases, a prior impact assessment.
Profiling and automated decisions
Profiling becomes a specifically regulated type of processing. Entities using scoring algorithms or decision-support tools must be able to explain the logic applied and preserve human oversight.
Data protection contact person
Each public entity must designate a data protection contact person: the point of contact and guardian of obligations. The role can be held internally or delegated through an external mandate.
Data protection impact assessment (DPIA)
A formal DPIA procedure applies to high-risk processing activities, conducted before the processing begins.
Processing activities register
The file register becomes a processing activities register, more comprehensive and process-oriented.
Breach notification
Security breaches must be formally notified. Entities must be able to detect, classify, and report, and know who decides and within what timeframe.
The draft extends these principles to all cantonal special laws and is accompanied by a new law on video surveillance. Source: Council of State press release, 5 March 2026.
Who is affected in practice?
Any Vaud public body that processes personal data in the course of its mission falls under the LPrD. This covers a broad range of entities and activities.
If your entity carries out a public task on behalf of the Canton of Vaud, regardless of its legal form, the LPrD likely applies. A compliance assessment will confirm your scope with certainty.
What does a Vaud municipality need to do to comply?
Compliance requires six steps. The mapping comes first: everything else depends on it.
Map
Inventory all processing activities: civil status, schools, social services, police, human resources, video surveillance, online forms, and digital tools.
Govern
Designate the data protection contact person and clarify responsibilities, internally or through an external mandate. Smaller municipalities without in-house resources can outsource this role.
Document
Build the processing activities register from the mapping, replacing the previous file register with a more comprehensive, process-oriented inventory.
Assess risks
Conduct a DPIA for high-risk processing activities. Start with video surveillance, profiling, and any processing of genetic or biometric data.
Manage processors
Identify IT providers, cloud services, and software vendors processing data on behalf of the municipality. Formalise contractual guarantees. The public entity remains responsible even when it delegates.
Prepare for breaches, then maintain
Put the breach notification procedure in place. Keep the framework up to date as new processing activities are introduced.
What to do during the consultation phase
Waiting for the law to be adopted before acting is the costliest mistake. The obligations are already known, and the processing mapping, which takes the most time, can begin immediately.
An entity that uses the consultation window to inventory its processing activities and designate its contact person will be ready when the revision enters into force. This is also the opportunity for municipalities and umbrella associations to submit observations on the operational feasibility of the draft before the Grand Council vote.
Common mistakes to avoid
Thinking the revision applies to private companies
The LPrD targets Vaud public bodies exclusively. Private companies, including those based in Vaud, fall under the federal LPD. This is the most frequent confusion.
Treating compliance as a one-off project
Compliance is a permanent operational framework. It must be updated each time a new processing activity is introduced, a tool is changed, or a processor is replaced.
Overlooking processors
The public entity remains responsible for the data even when it delegates processing to a provider. Processor management is a central compliance checkpoint under the LPrD.
Sources: Council of State press release, 5 March 2026 · Federal data protection law (LPD), in force since 1 September 2023 · Vaud cantonal commissioner for data protection and transparency · Federal Data Protection and Information Commissioner (FDPIC).
