Liechtenstein Data Protection Act (DSG) Analysis
Overview
The Liechtenstein Data Protection Act (DSG) of 2018 implements the EU General Data Protection Regulation (GDPR) and the EU Law Enforcement Directive 2016/680 into national law. The law establishes comprehensive rules for the processing of personal data by both public and private entities, with a particular focus on protecting individual privacy rights while enabling legitimate data processing activities.
The regulation aims to:
- Protect personal rights and fundamental freedoms of individuals regarding their personal data
- Establish clear rules for data processing
- Define responsibilities for data controllers and processors
- Create an independent supervisory authority
Key Components
Scope and Jurisdiction
- Applies to:
- Public authorities in Liechtenstein
- Private entities processing personal data
- Automated and non-automated data processing
- Data processing within filing systems
Data Protection Authority
The Datenschutzstelle (Data Protection Authority):
- Acts as independent supervisory authority
- Has investigation and enforcement powers
- Provides guidance and handles complaints
- Cooperates with other EU/EEA supervisory authorities
Technical Requirements
Key technical obligations include:
- Implementation of
appropriate technical and organizational measures
- Following
privacy by design and default principles
- Conducting
data protection impact assessments
- Maintaining
records of processing activities
Individual Rights
Protected rights include:
- Right to information
- Right to access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
Special Categories
The law provides enhanced protection for:
- Sensitive personal data
- Biometric data
- Genetic data
- Health data
- Criminal records data
Enforcement
The regulation includes:
- Administrative fines up to:
11 million CHF or 2% of global turnover
22 million CHF or 4% of global turnover
- Criminal penalties for specific violations
- Right to compensation for damages
Implementation Timeline
The law entered into force on January 1, 2019, with certain transitional provisions for:
- Existing data processing activities
- Appointed data protection officers
- Video surveillance authorizations
- Existing certifications and accreditations