Liechtenstein
In this chapter:
Q1/ Applicable legislation
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
New legislation has been passed.
———
(b) Relevant legislation includes:
- Datenschutzgesetz (the “Data Protection Act”)
- Date in force: 1 January 2019
- Link: see here
- Datenschutzverordnung (the “Privacy Regulation”)
- Date in force: 1 January 2019
- Link: see here
———
(c) What is the status of national pre-GDPR data protection law?
The relevant pre-GDPR legislation has been repealed in full.
Q2/ Personal data of deceased persons
Does national law make specific rules regarding the processing of personal data of deceased persons?
There are no specific rules regarding the processing of personal data of deceased persons. However, obligations of confidentiality apply to doctors, lawyers and hospitals in respect of deceased persons.
Q3/ Legal bases for processing
(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?
There are no specific rules governing this issue.
———
(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?
There are no specific rules governing this issue.
———
(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?
There are no specific rules governing this issue.
———
(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?
There are no specific additional criteria governing this issue.
Q4/ Consent of children
At what age can a child give their consent to processing in relation to ISS?
16 years of age.
Q5/ Processing of sensitive personal data
(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?
All sensitive personal data can be processed if the data subject’s valid consent has been obtained.
———
b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:
(i) Employment, social security and/or social protection law
Employers may not process personal data of employees, including personal data relating to criminal convictions and offences, unless such processing is necessary for:
- making a decision on the establishment of an employment relationship;
- the performance or termination of an employment relationship; or
- to comply with applicable laws.
Processing sensitive personal data is permitted where it is necessary to:
- exercise rights and obligations set out in legislation relating to employment, social security and social protection; and
- the interests of the data subject do not override the purpose of such processing.
(ii) Substantial public interest
There are no specific rules on processing this category of data.
(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services
There are no specific rules on processing this category of data.
(iv) Public interest in the area of public health
There are no specific rules on processing this category of data.
(v) Archiving purposes, scientific or historical research purposes or statistical purposes
There are no specific rules on processing this category of data.
———
(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?
There are various sector-specific rules.
Q6/ Data relating to criminal offences or convictions
Under what conditions does national law permit the processing of personal data relating to criminal convictions?
There are various sector-specific rules providing safeguards. Provided that the general requirements of the GDPR and data protection legislation are met, processing personal data relating to criminal convictions and offences is permissible if:
- an explicit legal authorisation or obligation to process such data exists; or
- the legitimacy of the processing of such data is based on legal assistance in criminal matters treaties, statutory duties of diligence, or the processing is necessary in case of legitimate interest, and the manner in which the data are processed safeguards the interests of the data subject.
Q7/ Exemptions
(a) Does national law specify exemptions to a data subject’s right to erasure?
The following specific exemptions apply to the right to erasure:
- compulsory archiving provisions may provide exemptions from the right to erasure; and
- where processing of sensitive personal data is carried out for scientific or historical research purposes or for statistical purposes, the data subject’s right to erasure may be limited if:
- such processing is necessary for the achievement of those purposes; and
- the interests of the controller in the processing outweigh the interests of the data subject.
———
(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?
There are no specific exemptions to the right to be provided information.
———
(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?
The right not to be subject to a decision based solely on automated processing is limited where the decision is taken for the following purposes:
- for the provision of services under insurance contracts, where:
- the decision concerns the fixing of insurance premiums;
- the request of the data subject has been granted; or
- the decision is based on the application of binding remuneration schemes for medical treatment;
- for the exercise of due diligence carried out to enter into a business relationship, including risk monitoring in accordance with applicable law;
- for credit transactions conducted in accordance with specific banking legislation; or
- for the provision of investment services and ancillary investment services in accordance with specific banking and asset management legislation.
Q8/ Restrictions on data subjects’ rights
Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?
The right in Art. 17 GDPR may be limited if, and to the extent that, the controller has reason to believe that deletion would undermine the interests of the data subject in a way that is worthy of protection. The controller must inform the data subject that his or her right has been limited in this manner, unless informing the data subject proves impossible or requires disproportionate effort.
The right in Art. 17 GDPR may not be exercised if deletion conflicts with statutory or contractual retention periods.
Q9/ Joint controllership
Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?
There are no additional rules on apportionment of liability between joint controllers.
Q10/ Processor
In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?
There are no additional pieces of legislation.
Q11/ Impact Assessments
Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?
Impact Assessments are only required in accordance with the provisions of the GDPR.
Q12/ Prior authorisation and public interest
Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?
Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.
Q13/ DPOs
(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?
DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.
———
(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?
The DPO is obligated to maintain secrecy regarding the identity of the data subject as well as circumstances which could lead to conclusions about the person concerned, provided the DPO is not prevented from doing so by the relevant data subject. In addition, DPOs are bound by the general confidentiality obligation imposed by the Data Protection Act on anyone who processes personal data or has access to personal data as a result of their professional activity.
Q14/ International data transfers
(a) Does national law make specific rules about transfers of personal data from public registers?
Data transfers from public registers are not subject to specific rules.
———
(b) Does national law restrict the transfer of specific categories of personal data to third countries?
Further restrictions are in place regarding transfers of personal data by banks or telecommunication companies to third countries.
Q15/ DPAs
(a) Details of the DPA(s).
- Name of DPA: Datenschutzstelle/ DPA
- Address: Staedtle 38, Postfach 684, FL-9490 Vaduz, Liechtenstein
- Website: datenschutzstelle.li
———
(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?
Not applicable as there is only one DPA.
———
(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?
Not applicable.
———
(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?
The law in Liechtenstein does not grant the DPA any additional powers; however, it is more specific on the form of those powers. For example, it includes specific provisions for the notification by the DPA to another EEA Member State’s DPA of suspected breaches of the GDPR.
———
(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?
Decisions and orders issued by the DPA may be appealed, in the first instance, by lodging a complaint with the Appeals Commission for administrative matters. Appeals against decisions of the Appeals Commission may be made to the Administrative Court within four weeks of the decisions being issued. This right of appeal is also granted to the DPA.
———
(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?
The DPA may, after notifying the relevant controller or processor, access all information necessary for the performance of their duties, including personal data subject to official secrecy. Representatives of non-public bodies may refuse to provide information if provision of such information would expose him or her to criminal prosecution.
Q16/ Claims by not-for-profit bodies
Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?
There are no not-for-profit bodies that are specifically mandated to bring such claims.
Q17/ Administrative fines, penalties and sanctions
(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?
No fines will be imposed on authorities and other public bodies.
———
(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?
The following additional penalties/sanctions are available:
- controllers or processors who process personal data without authorisation may be liable for an offence punishable with imprisonment for up to six months, or a fine of up to 360 day-fines;
- controllers or processors who breach their obligation of confidentiality in respect of the personal data in their possession may be liable for an offence punishable with imprisonment for up to six months, or a fine of up to 360 day-fines; or
- anyone who commits an offence to gain a financial advantage for himself or another person or to inflict a disadvantage on another person may be liable of an offence punishable with imprisonment for up to one year, or a fine of up to 360 day-fines.
Q18/ Freedom of expression and information
(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?
See Q18(b) below.
———
(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?
Where not processing the personal data could jeopardise freedom of expression and information, personal data may be processed for the purpose of publication in the editorial section of periodically appearing media provided the controller meets the following criteria:
- the source of the personal data is indicated; and
- drafts of the publication can be consulted.
Q19/ National identification numbers
Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?
The law in Liechtenstein stipulates specific conditions for the processing of national identification numbers.
Q20/ Processing in the context of employment
(a) For what purposes can employees’ personal data in the employment context be processed under national law?
Employers may not process personal data of employees, including personal data relating to criminal convictions and offences, unless such processing is necessary for:
- making a decision on the establishment of an employment relationship;
- the performance or termination of an employment relationship; or
- to comply with applicable laws.
Processing sensitive personal data is permitted where it is necessary to:
- exercise rights and obligations set out in legislation relating to employment, social security and social protection; and
- the interests of the data subject do not override the purpose of such processing.
———
(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?
There are no specific safeguards of this nature.
Q21/ Other material derogations
Are there any other material derogations from, or additions to, the GDPR under national law?
There are no other material derogations.
Q22/ Current legal challenges
Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?
There are no current legal challenges ongoing.
Q23/ Enforcement
Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?
The DPA has yet to take enforcement action for breaches of the GDPR.
Q24/ Regulatory Guidance
Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?
The DPA has issued the following guidance on the application of the GDPR and/or GDPR implementation law:
WANGER contributor
Markus Wanger |
|
Markus advises multinational clients on a broad range of data protection, data security and IT matters, including European and Liechtenstein data protection law, compliance, information governance and cross-border data transfer issues. Markus was a member of the board of a Liechtenstein Telecommunication Provider and was advising on all related legal matters, including the application for their Liechtenstein License. Markus is frequently the Liechtenstein contributor relating to the aforementioned topics. Clients appreciate his expertise as a former judge. He was judge of the Liechtenstein Verwaltungsgerichtshof (Administrative Court) and is Fellow of the Chartered Institute of Arbitrators (CIArb), London. |
Other chapters
- Foreword and issue-by-issue comparison
- Country-by-country guides:
|
———
See also:
Our Global Data, Privacy & Cybersecurity Practice »
GDPR Handbook: Unlocking the EU General Data Protection Regulation »
———
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP