Liechtenstein - National GDPR Implementation Overview
1.1. National implementing legislation of the GDPR
The EEA Joint Committee announced the incorporation of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') into the EEA agreement by way of Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 Amending Annex XI (Electronic Communication, Audiovisual Services and Information Society) and Protocol 37 (Containing the List Provided For in Article 101) to the EEA Agreement, making the GDPR directly applicable in Liechtenstein as of 20 July 2018.
As a result of the entry into force of the GDPR, Liechtenstein implemented its amended Data Protection Act of 4 October 2018 (unofficial translation) ('DSG') and the Data Protection Ordinance of 11 December 2018 (unofficial translation) ('DSV'), and amended or supplemented a number of other national acts.
The DSG is closely aligned with the German Federal Data Protection Act of 30 June 2017 ('BDSG'). In fact, the DSG largely adopted the BDSG.
The Liechtensteiner data protection authority ('DSS') has issued guidelines and templates for various topics, including data processing records, data processing agreements and privacy statements, and provides various tips and recommendations, available on its website.
1.3. Case Law
Until now, no relevant rulings or decisions have been issued by the Liechtenstein courts or the DSS with regard to the GDPR or the corresponding national data protection provisions. The DSS, however, has started providing companies with a self-evaluation sheet regarding their GDPR compliance. In the future, this questionnaire might be sent to companies as a first step of a compliance check. There is no legal obligation to complete the questionnaire. However, if it is not completed, this might result in a visit by the DSS. The DSS has already begun conducting on-the-spot investigations. However, the results of such investigations have not yet been published.
2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
2.1. Main regulator for data protection
The DSS is the main regulatory authority and is seated in Städtle 38, 9490 Vaduz, Liechtenstein.
2.2. Main powers, duties and responsibilities
According to Article 10 of the DSG, the DSS is competent to supervise public and private bodies.
Article 15 of the DSG lists the tasks of the DSS complementing the duties of a supervisory authority in accordance with the GDPR. These tasks include:
- to monitor and enforce the application of and compliance with the DSG and other data protection legislation;
- to promote awareness in relation to data processing;
- to suggest to the Parliament of the Principality of Liechtenstein, the Government of the Principality of Liechtenstein and other institutions measures to protect the rights and freedoms of natural persons with regard to the processing of their data;
- to handle complaints by data subjects;
- to cooperate with other national and foreign supervisory authorities; and
- to conduct investigations on compliance with the DSG and other data protection legislation.
The DSS has been entrusted by the DSG with the powers necessary to perform the tasks mentioned above. According to Article 17(4)(a) of the DSG, any entity supervised by the DSS has to grant access to the DSS or any public body which has been entrusted by the DSS with this task to its premises and in particular, to its data processing systems. This power granted to the DSS has been heavily criticised by interest representatives, in particular, because no decision of a court is needed in order to access the premises. Some see this as a violation of a fundamental right.
In addition, any data breach must be reported to the DSS and the DSS is empowered to impose measures and fines in case of violations of data protection provisions.
3.1. National requirements
In general, no notification or registration is required. However, any data protection officer ('DPO') appointed by a data controller must be notified to the DSS. Also, any video surveillance activity of data controllers must be notified to the DSS with a detailed description. Otherwise, the notification obligations of the GDPR shall apply.
4. DATA SUBJECT RIGHTS
Liechtenstein has restricted data subject rights granted under the GDPR by making use of the relevant opening clauses. Below (as well as in section 12), you will find the most important restrictions that were introduced with the amendments to the DSG and the amendments and supplementation of other national law acts. Article 2(2) of the DSG stipulates that obligations to maintain professional secrecy (for example, under the Persons and Company Act of 20 January 1926 (LGBl 2016.402) (only available in German here)) remain unaffected by data protection provisions. The report and motion in relation to the DSG (only available in German here) explicitly states that it must be clear that professional secrecy obligations cannot be overridden by data subject rights.
Articles 30, 32, and 33 of the DSG list circumstances in which information must not be provided to the data subject.
Limitations in relation to Article 13 of the GDPR (Article 32 of the DSG)
The information must not be provided to data subjects where the controller intends to process the data for a purpose other than the original purpose for which the data was collected and:
- the further processing concerns data stored in an analogue form where the data controller directly contacts the data subject through the further processing, the original and further purposes are compatible, the communication with the data subject does not take place digitally, and the interest of the data subject in receiving the information can be regarded as minimal, especially in the specific context;
- in cases of public bodies, it would endanger the proper performance of the task as referred to in Article 23(1)(a) to (e) of the GDPR;
- it would endanger public security; or
- it would interfere with the assertion, exercise or defence of legal claims, as long as the data subject's interest in the provision of the information does not prevail over the interests of the data processor.
Limitations in relation to Article 14 of the GDPR (Article 33 of the DSG)
The obligation to provide information to the data subject shall not apply if:
- in cases of public bodies, it would endanger the proper performance of the task as referred to in Article 23(1)(a) to (e) of the GDPR;
- it would endanger public security;
- in the case of non-public bodies, it would interfere with the assertion, exercise or defence of legal claims, as long as the data subject's interest in the provision of the information does not prevail over the interests of the data processor; or
- a public body has determined that the provision of information would endanger public security.
Protection of professional secrecy rules (Article 30 of the DSG)
In addition to the exception provided for in Article 14(5) of the GDPR, the obligation to provide information to the data subject according to Articles 14, 15, and 34 of the GDPR shall not apply insofar as meeting this obligation would disclose information which is subject to a legal obligation of secrecy or which must by its nature be kept secret, in particular because of the overriding legitimate interest of a third party.
Article 35(1) of the DSG stipulates that data subjects do not have a right to erasure in cases of non-automated processing if the erasure would be impossible or involve a disproportionate effort due to the mode of storage, provided that the data subject's interest in erasure may be regarded as minimal and the data was processed lawfully.
Article 27(4) of the DSG limits data subjects' right to restriction of processing under Article 18 of the GDPR, inasmuch as these rights are likely to render impossible or seriously impair the achievement of research or statistical purposes, and such limits are necessary for the fulfilment of the research and statistical purposes.
Article 29(6) of the DSG stipulates that in cases of data processing for archiving purposes in the public interest, the right to restriction of processing does not apply as far as it renders impossible or seriously impairs the achievement of the archiving purposes and the limitation is necessary to fulfil these purposes. The DSG does not provide any other variations of the right of restriction of processing as granted under the GDPR.
According to Article 29(6) of the DSG in cases of data processing for archiving purposes in the public interest, the right to data portability granted according to Article 20 of the GDPR does not apply as far as it renders impossible or seriously impairs the achievement of the purposes and the limitation is necessary to fulfil those purposes. The DSG does not provide any other variation of the right to data portability as granted under the GDPR.
According to Article 37 of the DSG, the right not to be subject to a decision based only on automated processing granted to data subjects under the GDPR does not apply (in addition to the exceptions included in the GDPR) if the decision is made in a context of:
- providing services under an insurance contract and where either the decision concerns the setting of the insurance premium, any requests for performance of the data subject were fulfilled, or the decision is based on the application of binding rules for the remuneration of therapeutic treatment;
- Articles 5, 9 and 9a of the Act of 11 December 2008 on Professional Due Diligence for the Prevention of Money Laundering, Organised Crime and Financing of Terrorism (LGBl 2017.161), that is, for carrying out control measures to evaluate the risks before establishing business relations, for risk-appropriate monitoring, and in the context of the required and appropriate risk analysis;
- credit transactions according to Article 3(3)(b) of the Banking Act of 21 October 1992 (LGBl 1992.108) ('the Banking Act'); and
- providing investment services according to Article 3(4) of the Banking Act (LGBl. 2007.261) ('the 2007 Banking Act') and Article 4 of the Act of 25 November 2005 on Asset Management (LGBl. 2017.398).
According to Article 37(2) of the DSG, the data controller has to take suitable measures to safeguard the legitimate interests of the data subjects, such as granting the right to obtain the intervention of a natural person, providing the opportunity for the data subject to express their point of view, and the right to contest the automated decision.
Article 37(3) of the DSG clarifies that decisions made in the context of an insurance contract may be based on the processing of health data.
5.1. National regulation of the processing of children's data and age of consent
The age of consent in Liechtenstein is 16, as the Liechtensteiner legislator, the Landtag of the Principality of Liechtenstein ('the Landtag'), has not made use of its right to provide for a lower age of consent in relation to information society services as permitted under Article 8 of the GDPR.
6.1. National regulation concerning the processing of special categories of data and criminal conviction data
Processing of special categories of personal data
The DSG contains various derogations from the general prohibition to process special categories of data according to Article 9 of the GDPR.
Article 21 of the DSG stipulates general derogations, whereas Articles 27 et seq. of the DSG provide for specific derogations relating to processing for scientific or historical research purposes and for statistical, genealogical research and archiving purposes in the public interest.
Of particular interest are the general derogations provided by Article 21(1) of the DSG. The processing of special categories of personal data is permitted by public and private bodies if:
- processing is necessary to exercise rights arising from social security and social protection law, and to meet related obligations;
- processing is necessary for the purposes of preventive health care, the assessment of the working capacity of the employee, medical diagnostics, the provision of health or social care, treatment or management of health, or social care systems and services, or pursuant to the data subjects' contracts with a health professional, and if this data is processed by health professionals or other persons subject to the obligation of professional secrecy or under their supervision; or
- processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care, and of medical products or medical devices.
In addition, public bodies are permitted to process special categories of personal data if:
- it is mandatory for reasons of overriding public interest;
- it is in order to prevent a serious threat to public security;
- it is in order to prevent serious disadvantages for the common good or for the purpose of safeguarding the common good; or
- it is for imperative reasons of defence or to fulfil intergovernmental obligations of a public body on crisis management, conflict prevention, or humanitarian purposes.
However, in order to be able to make use of the above-mentioned derogations, especially those in the first list, the data controller must take appropriate measures to safeguard the interests of the data subject. In this context, Article 21(2) of the DSG provides a list of measures that may be appropriate, inter alia implementing technical and organisational measures, raising awareness of the persons involved, designating a DPO, restricting access to personal data, and pseudonymising as well as encrypting data.
Processing of criminal convictions data
The DSG does not contain rules for the processing of criminal conviction data.
Specific provisions regarding the processing of criminal convictions data are included in, for example, Articles 31(b) and 32 of the 2007 Banking Act. It is stipulated there that public bodies overseeing banks and other financial institutions are allowed to process criminal convictions data of persons in charge of the management or administration of a bank, investment firm or financial institution if this is necessary for fulfilling their obligations. There are several provisions in different legal acts that enable public bodies to process criminal convictions data when it is necessary for fulfilling their obligations.
7.1. Additional/varied requirements on DPO appointment, role and tasks
Entities which have appointed a DPO must notify the DSS of the name, address, phone number and email address of the DPO, as well as where the contact details have been published. The DSS has also published information regarding DPO registration (only available in German here).
There are no additional/varied requirements on DPO appointment, role, and tasks for the private sector. However, the DSG provides for specific provisions regarding the removal of the DPO (see Article 38(1) of the DSG), confidentiality (see Article 38(2) of the DSG), and the right to refuse to give evidence (see Article 38(3) of the DSG). Moreover, Article 21(2) of the DSG stipulates that bodies processing data of a special category according to Article 21(1) of the DSG in general must appoint a DPO.
8.1. Variation/exemptions on breach notification obligation
Article 30(1)(c) of the DSG stipulates that the obligation to inform data subjects of a personal data breach shall not apply to the extent that meeting this obligation would disclose information which by law or by its nature must be kept secret, in particular because of an overriding legitimate interest of a third party.
However, the data subject must nonetheless be informed of a data breach if the data subject's overriding interests supersede the interests in secrecy, in particular considering the threat of damage.
8.2. Sectoral obligations
9.1. National activities subject to prior consultation/authorisation
The DSS has issued its Data Protection Impact Assessment ('DPIA') blacklist. This non-exhaustive list provides for examples of data processing activities, which require a DPIA.
According to the blacklist, some processing operations require a DPIA without additional conditions. Regarding other processing operations, it is mandatory for a DPIA to be carried out when one or more of the criteria which are set out and explained in the Guidelines on DPIA and Determining Whether Processing Is "Likely To Result in a High Risk" For the Purposes of the GDPR ('the Guidelines') from the Article 29 Working Party, adopted on 4 April 2017, and confirmed by the European Data Protection Board ('EDPB') are fulfilled.
Therefore, a DPIA must be carried out in the following cases:
- large scale processing of data protected by social and professional secrecy (e.g. major law firms specialising in family law or contract law);
- systematic processing of data using innovative technologies (e.g. artificial intelligence) if at least one other criterion of the Guidelines is met;
- systematic tracking if at least one other criterion of the Guidelines is met;
- merging and/or cross-checking data sets from several different processing operations if at least one other criterion of the Guidelines is met (e.g. fraud or anti-money laundering prevention systems);
- denial of services based (not solely) on automated decision-making (including profiling) if at least one additional criterion as set out in the Guidelines is met (e.g. credit scoring if the credit application is rejected);
- systematic monitoring at work (e.g. monitoring of emails); and
- application of Article 14(5)(b) of the GDPR on a large scale (e.g. brokering of data or processing of data in archives).
9.2. National activities not subject to prior consultation/authorisation
10.1. National implementation of Article 89 of the GDPR
Articles 27, 28, and 29 of the DSG (in conjunction with Article 21(1) of the DSG) implement Article 89 of the GDPR (regarding Article 21(2) of the DSG please refer to section 6 above). In particular, the Landtag has made extensive use of the possibility to implement derogations provided by Article 89(2) and (3) of the GDPR.
Article 27(4) of the DSG stipulates that in cases of data processing for scientific or historical research or statistical purposes, the following rights of data subjects are limited to the extent that these rights are likely to render impossible or seriously impair the achievement of the research or statistical purposes, and such limits are necessary for the fulfilment of the research or statistical purposes:
- right of access (Article 15 of the GDPR);
- right to rectification (Article 16 of the GDPR);
- right to restriction of processing (Article 18 of the GDPR); and
- right to object (Article 21 of the GDPR).
Article 29(4) and (6) of the DSG stipulate that in cases of data processing for archiving purposes in the public interest, the following data subject rights may be limited in certain circumstances:
- right of access (Article 15 of the GDPR);
- right to rectification (Article 16 of the GDPR);
- right to restriction of processing (Article 18 of the GDPR);
- right to data portability (Article 20 of the GDPR); and
- right to object (Article 21 of the GDPR).
According to Article 10 of the DSG, the DSS is the competent authority for supervising compliance with data protection provisions and to impose measures according to Article 83 of the GDPR, and as set out in various provisions in national data protection law acts.
Contrary to what was initially foreseen in the legislative process, Article 40 of the DSG empowers the DSS, rather than the national courts, to impose measures or administrative fines when data protection provisions are violated. The courts are competent to impose penalties for criminal offences.
According to Article 40(6) of the DSG, the DSS can issue warnings (and is even encouraged to do so in the case of first-time infringements). However, contrary to what was heavily discussed in the legislative process and demanded by interest representatives, there is no obligation to do so, and therefore fines can still be imposed without a prior warning.
Any injured party has the right to either approach the DSS or, if the general requirements are fulfilled, the competent court in cases of a violation of data protection provisions.
According to Article 40 of the DSG, the DSS can impose fines of up to CHF 11 million (approx. €10.4M) or in cases of a legal entity, of up to 2% of the worldwide annual revenue of the prior financial year (whichever is higher), in cases of infringements according to Article 83(4) of the GDPR.
In cases of infringements according to Article 83(5) and (6) of the GDPR, fines of up to CHF 22 million (approx. €20.8M) or in cases of a legal entity, of up to 4% of the worldwide annual revenue of the prior financial year (whichever is higher), can be imposed by the DSS.
Any person (individuals as well as legal entities) violating data protection provisions can be subject to measures imposed by the DSS.
Legal entities are principally liable for the actions of their representatives or controlling persons according to Article 40(3) of the DSG. In addition, legal entities can also be held liable for infringements of their employees, in cases where the infringement was enabled or significantly facilitated by an authorised representative or controlling person.
The fine imposed on the legal entity does not necessarily exclude the imposition of a penalty on the employee for the misconduct (see Article 40(5) of the DSG). However, in such cases, the DSS can abstain from imposing a fine on the employee if the legal entity has already been fined for the same infringement and the special circumstances of the case do not require the penalty.
Appeals against decisions of the DSS
According to Article 20 of the DSG, any person subject to a decision of (and therefore measures imposed by) the DSS, has the right to file an appeal with the Administration and Appeal Commission ('the Commission').
An appeal against the decisions of the Commission to the Administrative Court is possible.
All criminal provisions provided in the DSG are only prosecuted upon request of the injured party. The competent authority for deciding upon criminal convictions is the Princely Court. Therefore, the injured party can file a criminal complaint with the Princely Court in cases where the processor has committed a criminal offence.
The criminal offences
According to Article 41 of the DSG, the unauthorised collection of personal data which is not publicly available may result in imprisonment of up to six months or alternatively in a fine of up to 360 daily rates.
According to Article 42 of the DSG, imprisonment of up to six months or a fine of up to 360 daily rates may be ordered when data is made available to other parties or to the public without authorisation, or when data that was made available following a disclosure and was necessary in the course of the performance of the employer's profession is processed without authorisation. If the offence was committed with the intention of enrichment, even for a third party, the same penalty may be imposed under Article 42(2) of the DSG. According to Article 42(3) of the DSG, employees or trainees of the processor can be sentenced for infringements committed during their employment.
Besides the DSG, other laws also contain criminal provisions which forbid certain processing activities of personal data, including criminal provisions for employees of public authorities to ensure (despite the exemption in Article 40(7) of the DSG) that unlawful processing of personal data has consequences for public bodies.
Any person responsible for the unlawful processing of personal data constituting a criminal offence can be subject to a conviction sentence (see above).
Appeals against a criminal conviction
Decisions of the Princely Court can be appealed with the Higher Court.
According to Article 78 of the GDPR, the injured party must also have the possibility to claim their rights regarding the processing of their personal data with the competent courts. Moreover, Article 44 of the DSG provides for the possibility of an injured party to claim damages resulting from violations of data protection provisions in civil proceedings.
12. OTHER SPECIFIC JURISDICTIONAL ISSUES
12.1. Variation of GDPR on the right to access
In addition to the restrictions already mentioned above (see section 4.1), the DSG stipulates further important restrictions to data subjects' right of access as granted under Article 15 of the GDPR. In this context, Article 30 of the DSG should be mentioned, which is explained in more detail below.
In any case, a refusal to grant access needs to be documented and explained to the data subject insofar as explaining the reason does not conflict with the purpose of refusing to provide the information.
12.1.1. Restrictions in the context of freedom of expression and information (Article 25 of the DSG)
According to Article 25 of the DSG, the right of access may be denied, limited or delayed if the personal data is processed by periodical media and if:
- the personal data reveals the source of information;
- this would require giving insight into drafts of publications; or
- the freedom of the public to form its opinion would be prejudiced.
In addition, the access may be denied if the personal data is being used exclusively as a working instrument for personal purposes.
12.1.2. Legal professional secrecy and legitimate interest of third parties (Article 30 of the DSG)
As already mentioned above (see section 4.1), the Landtag wanted to ensure that professional secrecy obligations are protected. Therefore, Article 2(2) of the DSG in conjunction with Article 30 of the DSG provides for an exemption to ensure that professional secrecy obligations are not circumvented on the basis of data protection provisions. Article 30 of the DSG provides for an exemption not only to Article 15 of the GDPR, but also to Articles 14 and 34 of the GDPR.
The obligation to provide information to the data subject according to Articles 14, 15 and 34 of the GDPR shall not apply insofar as meeting this obligation would disclose information which is subject to a legal obligation of secrecy, or which must, by its nature, be kept secret, in particular because of the overriding legitimate interest of a third party.
12.2. Processing of personal data in the context of employment relationship
Article 28a(1) of the Civil Code (only available in German here) ('the Civil Code') provides for general permission for the processing of personal data in the context of an employment relationship if the data is processed for the following purposes:
- decision on the establishment of an employment relationship (in particular, the suitability of the employee for the employment relationship);
- the performance or termination of the employment relationship; or
- the fulfilment of the rights and obligations arising from the Civil Code.
Moreover, Article 28a(2) of the Civil Code permits the processing of sensitive data where the processing is necessary to fulfil duties arising from employment law or social security law, or where the processing does not affect the legitimate interests of the employee.
12.3. Processing personal data for scoring and credit reports
The processing of personal data in the form of probability values for scoring or regarding the valuation of a data subject's solvency and willingness to pay as well as the usage of probabilistic values determined by a credit agency is restricted and only allowed under very limited conditions listed in Article 31 of the DSG.