GDPR Implementation Guide: Liechtenstein's National Adherence to Data Protection Regulation
In the small European country of Liechtenstein, the protection of personal data is regulated by the Datenschutzgesetz (Data Protection Act) and Datenschutzverordnung (Privacy Regulation), which came into effect on 1st January 2019, aligning with the General Data Protection Regulation (GDPR) of the European Union [1].
Scope of Personal Data Protection
The legislation in Liechtenstein distinguishes between personal data of living persons, which is protected, and data concerning deceased persons, which is excluded from these protections. Deceased persons' data is explicitly not considered personal data under the Data Protection Regulation (DPR) [1]. This means that the strict processing rules that apply to personal data under the DPR do not apply to data related to deceased persons.
Processing of Personal Data
When it comes to the processing of personal data, there are no specific rules governing the processing of personal data in compliance with a legal obligation, for the performance of tasks carried out in the public interest, or in the exercise of official authority vested in the controller in Liechtenstein.
Employers in Liechtenstein may not process personal data of employees, including personal data relating to criminal convictions and offences, unless such processing is necessary for making a decision on the establishment of an employment relationship, the performance or termination of an employment relationship, or to comply with applicable laws.
Controllers or processors who process personal data without authorisation may be liable for an offence punishable with imprisonment for up to six months, or a fine of up to 360 day-fines in Liechtenstein. Similarly, controllers or processors who breach their obligation of confidentiality in respect of the personal data in their possession may face the same penalties.
Data Protection Officers (DPOs)
Data Protection Officers (DPOs) are only mandatory in the circumstances set out in Art. 37(1) GDPR in Liechtenstein. DPOs in Liechtenstein are bound by the general confidentiality obligation imposed by the Data Protection Act on anyone who processes personal data or has access to personal data as a result of their professional activity.
Impact Assessments and Prior Authorisation
Impact Assessments are only required in accordance with the provisions of the GDPR in Liechtenstein, and prior authorisation from the DPA is only required in accordance with the same provisions.
Exemptions and Limitations
The right to erasure may not be exercised if deletion conflicts with statutory or contractual retention periods. The right to erasure may also be limited in certain circumstances, such as for the provision of services under insurance contracts, for the exercise of due diligence carried out to enter into a business relationship, for credit transactions conducted in accordance with specific banking legislation, or for the provision of investment services and ancillary investment services in accordance with specific banking and asset management legislation.
Enforcement and Penalties
No fines will be imposed on authorities and other public bodies in Liechtenstein for breaches of the GDPR. However, individuals who commit an offence to gain a financial advantage for themselves or another person or to inflict a disadvantage on another person may be liable of an offence punishable with imprisonment for up to one year, or a fine of up to 360 day-fines in Liechtenstein.
Data Transfers and Apportionment of Liability
Data transfers from public registers are not subject to specific rules in Liechtenstein. There are no additional rules on apportionment of liability between joint controllers in Liechtenstein.
Limitations on Automated Decisions
The right not to be subject to a decision based solely on automated processing is limited in certain circumstances in Liechtenstein.
No Not-for-Profit Bodies for Individual Claims
There are no not-for-profit bodies that are specifically mandated to bring claims on behalf of individuals without the specific mandate of those individuals in Liechtenstein.
Further Restrictions on Data Transfers
Further restrictions are in place regarding transfers of personal data by banks or telecommunication companies to third countries in Liechtenstein.
References: [1] Official sources providing detailed information on the Data Protection Act and Privacy Regulation in Liechtenstein.
- For internationally renowned legal services, White & Case offers comprehensive guidance on regulatory aspects of law, including cross-border data transfers, in various jurisdictions worldwide.
- In the practice of science and health-and-wellness sectors, intellectual property laws play a significant role in protecting clients' inventions and innovations.
- The scope of personal data protection in Liechtenstein excludes data concerning deceased persons, differing from the GDPR's definition of personal data.
- Controllers or processors in Liechtenstein handling personal data without authorization could face penalties such as imprisonment or fines for up to 360 day-fines.
- Employers in Liechtenstein must adhere to strict processing rules when handling personal data of employees, including data related to criminal convictions and offenses.
- White & Case boasts experts in compliance matters, providing news, publications, and resources to effectively address complex regulatory issues.
- Under certain circumstances, the right to erasure may be limited in Liechtenstein due to statutory retention periods or the performance of specific contracts and services, as in insurance contracts.
- In accordance with GDPR provisions, impact assessments and prior authorisation from the data protection authority are required in Liechtenstein for specific scenarios.
- In the event of transfers of personal data by banks or telecommunication companies to third countries, further restrictions are in place in Liechtenstein to ensure compliance with data protection regulations.
