Privacy Law in Liechtenstein

Liechtenstein's data protection framework is primarily governed by the Data Protection Act (DSG), which was revised in 2018 to align with the European Union's General Data Protection Regulation (GDPR) and the Law Enforcement Directive (EU 2016/680). 

🇱🇮 Key Provisions of the Data Protection Act (DSG)

1. Scope and Applicability

Territorial Reach The DSG applies to both public and private entities processing personal data within Liechtenstein and those outside Liechtenstein processing data of Liechtenstein residents.

Data Controllers and Processors Organizations that determine the purposes and means of processing personal data (controllers) and those who process data on behalf of controllers (processors) are subject to the DSG.

2. Principles of Data Processing

The DSG mandates that personal data be:

Processed Lawfully and Transparently Data must be handled in a manner that is lawful, fair, and transparent to the data subject.

Collected for Specific Purposes Data should be collected for explicit, legitimate purposes and not further processed in a manner incompatible with those purposes.

Adequate, Relevant, and Limited Only data necessary for the intended purposes should be collected.

Accurate and Up-to-Date Data must be accurate and kept up to date.

Retained No Longer Than Necessary Data should not be kept in a form that permits identification of data subjects for longer than necessary.

Processed Securely Appropriate technical and organizational measures must be implemented to ensure data security.

3. Rights of Data Subjects

Individuals have the right to:

Access Obtain information about their personal data held by a data controller or processor.

Rectification Request amendments to inaccurate or incomplete data.

Erasure Request the removal of their data under certain conditions.

Restriction of Processing Request the limitation of data processing under specific circumstances.

Data Portability Receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.

Objection Object to the processing of their personal data on grounds relating to their particular situation.

Lodge a Complaint File a complaint with the relevant supervisory authority if they believe their data protection rights have been infringed.

4. Consent and Lawful Processing

Personal data processing is lawful only if:

Consent The data subject has given explicit consent.

Contractual Necessity For the performance of a contract to which the data subject is a party.

Legal Obligation Compliance with a legal obligation to which the controller is subject.

Vital Interests Protection of the vital interests of the data subject or another person.

Public Interest or Official Authority In the exercise of official authority vested in the controller.

Legitimate Interests Pursuit of legitimate interests by the controller or a third party, provided these are not overridden by the data subject's rights and freedoms.

5. Data Protection Officer (DPO)

Organizations may appoint a DPO to oversee data protection activities. The DPO should have relevant qualifications and expertise in data protection matters. Their responsibilities include advising on data processing requirements, ensuring compliance with the DSG, and serving as a point of contact for data subjects and the Data Protection Authority.

6. Cross-Border Data Transfers

Transfers of personal data outside Liechtenstein are permitted only if:

Adequate Protection The receiving country ensures an adequate level of data protection.

Consent The data subject has given explicit consent.

Contractual Necessity The transfer is necessary for the performance of a contract.

Public Interest The transfer is in the public interest.

Legal Claims The transfer is necessary for the establishment, exercise, or defence of legal claims.

7. Penalties for Non-Compliance

Violations of the DSG may result in:

Fines Up to €20 million or 4% of annual revenue.

Imprisonment In certain cases, imprisonment may be imposed.

Both Fines and imprisonment. Specific offenses, such as using personal data for commercial purposes without consent or obstructing investigations, carry additional penalties.

✅ Compliance Recommendations for Organizations

Organizations operating in Liechtenstein should:

Register With the Data Protection Authority as data controllers or processors.

Appoint a DPO If required, to oversee data protection activities.

Implement Policies Establish data protection policies and procedures.

Conduct DPIAs For processing operations that may pose high risks to data subjects.

Provide Training To staff on data protection principles and practices.

Ensure Data Security Implement appropriate technical and organizational measures to protect personal data.

Monitor Compliance Regularly audit data processing activities to ensure adherence to the DSG.
