New Data Privacy Law in Liechtenstein, the GDPR and EEA
Liechtenstein’s Data Protection Act of 4 October 2018, or the DSG for short, is a data protection law that was introduced in 2018. While Liechtenstein is not an EU member state, it is part of the European Economic Area (EEA) and as such falls under the General Data Protection Regulation (GDPR) in accordance with Decision No. 154/2018, which made the provisions of the EU’s GDPR applicable to all jurisdictions that are part of the EEA but are not members of the EU. Liechtenstein’s DSG in turn implements the provisions of the GDPR in Liechtenstein state law and establishes the legal basis for the collection and processing of personal data within the country.
What is the scope and application of Liechtenstein’s Data Protection Act?
In terms of scope and application, the DSG “applies to the processing of personal data by public bodies. For non-public bodies, this law applies to the fully or partially automated processing of personal data as well as the non-automated processing of personal data that is or should be stored in a file system, unless the processing by natural persons is exclusively personal or for the exercise of family activities.” Moreover, the law also applies to non-public bodies operating within Liechtenstein under the following circumstances:
- The controller or processor processes personal data domestically;
- The processing of personal data takes place in the context of the activities of a domestic branch of the controller or processor; or
- The controller or processor does not have a branch in an EEA member state, but falls within the scope of Regulation (EU) 2016/679.
What are the variations between Liechtenstein’s Data Protection Act and the EU’s GDPR law?
Many of the provisions of Liechtenstein’s Data Protection Act remain unchanged when compared to the EU’s GDPR. However, there are some variations between the two laws in the requirements for data controllers and processors operating within the country. For instance, Liechtenstein’s Data Protection Act provides that the sensitive personal data of data subjects may be processed if the applicable data subject consents to the processing. More specifically, the DSG allows for the processing of sensitive personal data that relates to employment, social security, or social protection. Conversely, the DSG prohibits the processing of sensitive personal data concerning criminal convictions or offenses, unless said processing is necessary for:
- Deciding whether an employer-employee relationship is to be established;
- Performing an employer-employee relationship or terminating it; or
- Compliance with applicable laws.
What are the rights of data subjects under Liechtenstein’s Data Protection Act?
The rights of data subjects under Liechtenstein’s Data Protection Act are largely the same as those provided to citizens residing within EU member states under the General Data Protection Regulation, albeit with certain exceptions. These rights include but are not limited to the right to be informed, the right to access, the right to data portability, and the right to be forgotten. As for the exceptions, while data subjects are also entitled to the right to object to automated decision making, this right can be restricted if the automated decision making is related to credit transactions, certain investment services, and measures that may be automatically implemented for the purposes of combating fraud or money laundering, among others. Additionally, the right of data subjects to request the erasure of their personal data is also restricted under the DSG in instances of “automatic processing where the erasure would be impossible or would involve a disproportionate effort due to the mode of storage.”
In terms of the enforcement of Liechtenstein’s Data Protection Act, the Liechtenstein data protection authority, or the DSS for short, has the authority to impose a variety of sanctions and penalties against data controllers and processors who fail to comply with the regulations set forth in the law. Data controllers and processors within Liechtenstein who violate the provisions of the DSG are subject to the following punishments:
- A monetary penalty of up to “11 million francs ($11,948,816) or, in the case of a legal person, up to 2% of their total worldwide annual turnover in the previous financial year, depending on which the amount is higher;”
- A monetary penalty of “up to 22 million Swiss francs or, in the case of a legal entity, up to 4% of its total worldwide annual turnover in the previous financial year, depending on the situation which of the amounts is higher.”
- A term of imprisonment ranging from six months to a year depending on the scope and severity of the particular offense.
Through the EEA’s Decision No. 154/2018, the personal data protection landscape within Europe was strengthened further. Through this decision, many citizens residing within non-EU member countries were also afforded the same level of data protection that is provided to citizens of EU member states under the EU’s GDPR. As such, citizens of Liechtenstein can have the assurance that their personal data is being protected at the highest level possible within their region, despite their nation’s status as a microstate. In this way, the European Union continues to push the boundaries on what it means to provide comprehensive data protection rights to individuals and organizations in the current digital age.