Data Protection Act 2018 Liechtenstein

    Overview

    The Liechtenstein Data Protection Act 2018 (DSG), enacted on October 4, 2018, aligns the country's data protection framework with the EU General Data Protection Regulation (GDPR). As a member of the European Economic Area (EEA), Liechtenstein follows GDPR principles while incorporating national-specific provisions. The law governs personal data processing, ensuring transparency, security, and the protection of individuals’ rights. 

     

    Regulation Summary

    Timeline

    • Enacted: October 4, 2018

    • Effective: January 1, 2019

    Applies To

    • Entities: Public bodies (state organs, municipalities) and private organizations involved in data processing activities.

    • Geographical Scope: Covers controllers/processors in Liechtenstein or where data processing occurs in relation to Liechtenstein establishments. It extends to entities outside the EEA targeting data subjects in Liechtenstein.

    • Exemptions: Excludes activities such as purely personal/domestic activities, certain parliamentary, judicial, or financial audit functions.

    What Businesses Are Affected?
    • Entities processing personal data in Liechtenstein.
    • Foreign businesses offering services to Liechtenstein residents.
    • Public sector organizations handling personal data.
    Exemptions
    • Personal and household data processing.
    • Processing for national security and law enforcement purposes.
    • Anonymous data that cannot be linked to individuals.
    Responsibilities for Businesses
    • Obtain informed consent before processing personal data.
    • Provide clear and transparent privacy policies.
    • Implement strong security measures.
    • Allow individuals to access and correct their personal data.
    • Report data breaches within 72 hours.
    Specific Website Owner Responsibilities
    • Publish a privacy notice that is clear and accessible.
    • Allow users to withdraw consent easily.
    • Ensure adequate data security protections.
    • Provide clear information about direct marketing practices and allow users to opt out.
    Additional Requirements
    • Restrictions on cross-border data transfers unless safeguards are in place.
    • Parental consent required for processing children’s data (age threshold set at 16 years, unless adjusted by national law).
    • Maintain processing records for regulatory compliance.
    Data Subject Rights
    • Right to access and correct data.
    • Right to request data deletion.
    • Right to withdraw consent at any time.
    • Right to object to data processing.
    • Right to file complaints with the Datenschutzstelle.
    Enforcement
    • Regulated by the Data Protection Authority of Liechtenstein (Datenschutzstelle).
    • Fines up to €20 million or 4% of annual revenue.
    • Potential audits, corrective measures, and sanctions.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596