Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Liechtenstein: DSS publishes guidance on data protection issues

On June 13, 2024, the Supervisory Authority of Liechtenstein (DSS) released a newsletter providing guidance on several data protection issues, including guidelines for accessing the email accounts of former employees, the disclosure of personal data by municipalities, and how to maintain data confidentiality on websites.

Access to email accounts of former employees

In the newsletter, the DSS explained that access to the email accounts of former employees is permissible under the following conditions:

  • the former employee is given a chance to sort out personal emails and notify private contacts of their departure;
  • an appropriate out-of-office message should be set up in the email account; and
  • access can be justified under Article 6(1)(f) of the General Data Protection Regulation (GDPR) if the employer has specific business interests.

However, the DSS noted that the duration of email account retention must align with the employer's business interests and once there are no valid business reasons, the data must be deleted.

Disclosure of personal data by municipalities

The DSS highlighted that the Ordinance of 11 December 2018 on the disclosure of certain personal data by municipalities, allows Liechtenstein municipalities to share specific personal data with third parties under the following conditions:

  • the disclosure is limited to the surname, first name, address, date of birth, and citizenship of the data subject;
  • the disclosure must promote social, cultural, and religious life;
  • each case must consider the legitimate interests of the requesting third party against the interests of the data subject;
  • the data cannot be further disclosed by the third party and must be used only for the specified purpose and it must be deleted afterward;
  • data subjects must be given the right to object to the processing of their personal data; and
  • for data disclosure in printed or electronic media, stricter conditions apply, including ensuring there is no objection from the data subject or obtaining their consent if the data is not publicly accessible.

Guidelines for ensuring data confidentiality on websites

Lastly, the DSS highlighted that to protect sensitive personal data on websites, organizations should:

  • ensure encryption of data during storage and transmission and implement restrictive access rights;
  • ensure web applications are configured correctly to prevent unauthorized access to sensitive data; and
  • perform regular audits and adjustments to security settings, especially after system updates or further developments.

You can read the newsletter, only available in German, here.