IN CONSULTATION SINCE 5 MARCH 2026

Vaud LPrD Revision: What Communes and Public Entities Need to Do

The LPrD applies only to Vaud public bodies, not private companies. The revision introduces six new obligations. Here is what changes, who is affected, and how to prepare during the consultation phase.

Law: LPrD, Canton of Vaud
Status: Under consultation
Applies to: Vaud public bodies
Updated: 17.06.2026

Scope of application

What is the LPrD, and who does it apply to?

The LPrD applies exclusively to Vaud public bodies, and not to private companies, which fall under federal law (LPD). It governs how public bodies in the canton collect, store, share, and destroy personal data, protecting individuals from misuse of their data by the authorities.

Subject to the LPrD

Vaud public bodies

  • Cantonal administration and its departments
  • Municipalities and their services
  • Public law institutions
  • Private entities carrying out a cantonal public task
Subject to the federal LPD

The private and federal sector

  • Private companies, SMEs, sole traders
  • Associations acting in a private capacity
  • Federal bodies and federal administration
  • Mixed entities: determined activity by activity
Legislative context

Why this revision, and why now?

The revision responds to a need for alignment. The federal data protection law (LPD) entered into force on 1 September 2023 and raised the standard across Switzerland. Cantonal law needs to follow so that Vaud public bodies offer the same level of protection as required at the federal and European level.

The Council of State authorised the consultation on 5 March 2026. The project goes beyond the LPrD itself: it extends its principles to all cantonal special laws and introduces a new law on video surveillance. The consultation phase allows municipalities, associations, and other stakeholders to submit observations before adoption by the Grand Council. This is precisely the window in which a public entity has every reason to measure its compliance gap, because the obligations are already known and the time to prepare is still available.

Comparison

LPrD, LPD and GDPR

The three regimes share the same philosophy but apply to different actors and designate different authorities. A municipality reasons with the LPrD, a company with the LPD, and any organisation processing data of EU residents with the GDPR.

LPrD, LPD and GDPR compared

| Criterion | LPrD (Vaud) | LPD (Federal) | GDPR (EU) |
|---|---|---|---|
| Who is covered | Vaud public bodies | Private persons and federal bodies | Organisations processing EU residents' data |
| Supervisory authority | Cantonal commissioner for data protection and transparency | FDPIC | National authorities and EDPB |
| Register | Processing activities register (new) | Processing activities register | Processing activities register (Art. 30) |
| Impact assessment | DPIA procedure (new) | DPIA for high-risk processing | DPIA (Art. 35) |
| Security breaches | Mandatory formal notification (new) | Notification to FDPIC | 72-hour notification (Art. 33) |
| Sensitive data | Extended to genetic and biometric data | Includes genetic and biometric | Special categories (Art. 9) |

What is new

The six changes introduced by the revision

Here is what each change means in practice for a public entity.

Expanded sensitive data

Genetic and biometric data now qualify as sensitive. Any processing that uses fingerprints, facial recognition, or genetic data requires a stricter legal basis and, in most cases, a prior impact assessment.

Profiling and automated decisions

Profiling becomes a specifically regulated type of processing. Entities using scoring algorithms or decision-support tools must be able to explain the logic applied and preserve human oversight.

Data protection contact person

Each public entity must designate a data protection contact person: the point of contact and guardian of obligations. The role can be held internally or delegated through an external mandate.

Data protection impact assessment (DPIA)

A formal DPIA procedure applies to high-risk processing activities, conducted before the processing begins.

Processing activities register

The file register becomes a processing activities register, more comprehensive and process-oriented.

Breach notification

Security breaches must be formally notified. Entities must be able to detect, classify, and report, and know who decides and within what timeframe.

The draft extends these principles to all cantonal special laws and is accompanied by a new law on video surveillance. Source: Council of State press release, 5 March 2026.

Practical scope

Who is affected in practice?

Any Vaud public body that processes personal data in the course of its mission falls under the LPrD. This covers a broad range of entities and activities.

  • Municipalities
  • Civil status offices
  • Social services
  • Public schools and universities
  • Public hospitals
  • Cantonal tax authorities
  • Police forces
  • Para-public bodies and foundations
  • Cantonal agencies

If your entity carries out a public task on behalf of the Canton of Vaud, regardless of its legal form, the LPrD likely applies. A compliance assessment will confirm your scope with certainty.

Compliance roadmap

What does a Vaud municipality need to do to comply?

Compliance requires six steps. The mapping comes first: everything else depends on it.

Map

Inventory all processing activities: civil status, schools, social services, police, human resources, video surveillance, online forms, and digital tools.

Govern

Designate the data protection contact person and clarify responsibilities, internally or through an external mandate. Smaller municipalities without in-house resources can outsource this role.

Document

Build the processing activities register from the mapping, replacing the previous file register with a more comprehensive, process-oriented inventory.

Assess risks

Conduct a DPIA for high-risk processing activities. Start with video surveillance, profiling, and any processing of genetic or biometric data.

Manage processors

Identify IT providers, cloud services, and software vendors processing data on behalf of the municipality. Formalise contractual guarantees. The public entity remains responsible even when it delegates.

Prepare for breaches, then maintain

Put the breach notification procedure in place. Keep the framework up to date as new processing activities are introduced.

Right now

What to do during the consultation phase

Waiting for the law to be adopted before acting is the costliest mistake. The obligations are already known, and the processing mapping, which takes the most time, can begin immediately.

An entity that uses the consultation window to inventory its processing activities and designate its contact person will be ready when the revision enters into force. This is also the opportunity for municipalities and umbrella associations to submit observations on the operational feasibility of the draft before the Grand Council vote.

Watch out

Common mistakes to avoid

Thinking the revision applies to private companies

The LPrD targets Vaud public bodies exclusively. Private companies, including those based in Vaud, fall under the federal LPD. This is the most frequent confusion.

Treating compliance as a one-off project

Compliance is a permanent operational framework. It must be updated each time a new processing activity is introduced, a tool is changed, or a processor is replaced.

Overlooking processors

The public entity remains responsible for the data even when it delegates processing to a provider. Processor management is a central compliance checkpoint under the LPrD.

Self-assessment

Are you subject to the LPrD or the LPD?

Answer a few questions to identify the law that applies to your organisation and your main obligations.

Frequently asked

Questions and answers

Who is subject to the LPrD?
Vaud public bodies: the cantonal administration, municipalities, public law institutions, and private entities carrying out a cantonal public task. Private companies and federal bodies are not covered.
When will the LPrD revision enter into force?
The draft was put out for consultation on 5 March 2026. Entry into force will follow the consultation period and adoption by the Grand Council, in line with the cantonal legislative calendar.
Does the revision create GDPR-style fines?
The LPrD falls under cantonal public law and does not provide for the administrative fine regime of the GDPR. The stakes for a public entity are compliance and accountability, not European-style financial penalties.
Is an association or foundation subject to the LPrD?
It depends on the activity. A private entity carrying out a cantonal public task falls under the LPrD for that portion of activity, and under the LPD for the rest.
Does a public entity remain responsible for its processors?
Yes. The public entity remains responsible for the processing even when it delegates data handling to a provider, such as an IT host, software vendor, or cloud service. It must govern that relationship by contract and verify the guarantees offered. Processor management is a central compliance checkpoint under the LPrD. Monitor supplier risk continuously with Supplier Shield.
How to manage LPrD, LPD and GDPR compliance without duplicating everything?
An entity subject to multiple regimes gains from consolidating its controls: map once, link each requirement to the same controls, and reuse the evidence. A GRC platform built for data protection enables this unified approach. Manage everything in one place with Acuna.
Who must designate a data protection contact person?
Every Vaud public entity subject to the LPrD must designate a data protection contact person under the revision. The role can be held internally or delegated through an external mandate. For smaller municipalities, an external mandate delivers the required expertise without a full-time position. Delegate this mandate to us.
What is a processing activities register and how is it built?
A processing activities register is a structured inventory of all data processing activities, covering the purpose, legal basis, data categories, data subjects, recipients, and retention periods. The revision makes it mandatory, replacing the previous file register. Building it starts with a processing activities mapping. Map your processing activities.
When is a DPIA mandatory for a Vaud public entity?
A DPIA is required for processing activities likely to generate a high risk to the rights of data subjects: for example, video surveillance, profiling, or automated decisions. The revision formally introduces this procedure for Vaud public bodies. Carry out your DPIA with us.
Where to start?
With the processing activities mapping, which forms the foundation for the register, impact assessments, and processor management. Use the self-assessment tool to identify your priorities.
Expertise and sources

Written by a specialist

Laura Menetrey

Senior Legal Advisor in Data Protection and Privacy Law, Abilene Advisors. Expertise: LPrD, LPD, GDPR, NIS2, DORA.

Sources: Council of State press release, 5 March 2026 · Federal data protection law (LPD), in force since 1 September 2023 · Vaud cantonal commissioner for data protection and transparency · Federal Data Protection and Information Commissioner (FDPIC).

Published 17.06.2026 · Updated 17.06.2026
Abilene Advisors

Start your LPrD readiness assessment today

The obligations are known and the consultation window is open. The entities that act now will be ready when the revision enters into force. We guide Vaud public bodies through the mapping, the register, the DPIA, and the contact person mandate.
