Total revision of the Cantonal Data Protection Act of the Canton of Graubünden

Starting from January 1, 2026, the total revision of the Cantonal Data Protection Act of the Canton of Graubünden (hereinafter: nLCPD) will come into force. The current law, in effect since 2002, has only undergone occasional amendments since then. However, over the past twenty years, the landscape of data protection has undergone significant transformations. The reduction in storage costs and the expansion of the internet have greatly facilitated the collection, transmission, and storage of personal data across networks, to a much greater extent than in the past. At the same time, the cross-border dimension of data processing has gained increasing importance.

In response to these technological changes, European regulations, including the GDPR, and the Federal Data Protection Act (LPD) have emerged. These developments have made it necessary to adjust cantonal law, also to ensure compliance with the European standards Switzerland is committed to respecting. The amendment to the LCPD is substantial, with the text expanding from 13 to 41 articles.

The main changes

The current law contains numerous references to federal legislation (cf. art. 1 para. 4, art. 2 para. 2/3, art. 4 para. 2, and art. 5 para. 3 LCPD). This choice, while allowing for quick alignment with federal regulations, makes the text difficult to understand. With the revision, these references are replaced by autonomous regulation, without, in principle, imposing more stringent requirements than the previous legislation. Many provisions of the LPD are, in fact, transferred into the new cantonal legal framework without substantial changes.

There are some differences in the terminology used, which, however, do not alter the material content of the law. A significant example is the term “personality profiles” (cf. art. 3 para. 4 and 8 para. 1 nLCPD), which corresponds to the definition of “high-risk profiling” used by the LPD.

Starting from 2026, cantonal, regional, and municipal public bodies will have to comply with a series of new obligations, which reflect those already established by federal regulations. The main ones include:

• 5 nLCPD – The Government will issue provisions on the minimum requirements for data security;
• 9 nLCPD – If a Data Controller entrusts data processing to an external processor, they must ensure the security of the data;
• 19 nLCPD: Obligation to conduct a Data Protection Impact Assessment (DPIA) for data processing that involves a high risk to the fundamental rights of the data subjects (cf. art. 22 LPD);
• 20 nLCPD: Certain personal data processing activities that involve a high risk to the fundamental rights of data subjects must be submitted to the supervisory authority (Cantonal Privacy Officer) for prior consultation (cf. art. 23 LPD);
• 21 nLCPD: The supervisory authority (Cantonal Privacy Officer) must be informed as soon as possible in case of Data Breaches that pose a likely risk to the data of the affected individuals. In certain cases, the affected individuals must also be informed (cf. art. 24 LPD);
• 24 nLCPD: The data subject will have the right to a response within 30 days of the request, including information on the origin of the data and its retention.

Unlike the LPD, which under articles 10 and 12 requires all federal public bodies to maintain a record of data processing activities and appoint a Data Protection Consultant (DPO), in the Canton of Graubünden, these obligations will only apply to public bodies falling within the scope of EU Directive 2016/680; namely, the police, public prosecutors, etc. It should be noted that this rule is not explicitly stated in articles 22 and 23 of the new LCPD, which merely refer to “public bodies designated by the Government.” Currently, there is no precise list. However, in the related Message, the Graubünden government clarified that the obligation will apply exclusively to public bodies included in the Schengen agreements.

The new regulations also address a frequently encountered practical issue: the conditions for municipalities to install surveillance cameras. The right of public bodies to monitor through the acquisition of images of public spaces is governed by articles 14 and 15 of the new law.

Finally, the revision significantly increases the importance of the cantonal supervisory authority (Privacy Commissioner): Ten articles of the law are dedicated to this authority (cf. art. 30-39 nLCPD). The independence of the cantonal officer is strengthened with election for a four-year term, revocable only for exceptional reasons (art. 32 nLCPD). The powers of the supervisory authority are also enhanced. It will have the ability to issue decisions subject to appeal, rather than just simple recommendations (art. 37 nLCPD). Finally, the officer will be required to produce an annual public report on their activities (art. 38 nLCPD).