Liechtenstein. General | Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.


Contributed by Wanger Advokaturbüro

General | Data Protection Laws

National Legislation

General data protection laws

The Data Protection Act (the "DPA") dated 14 March 2002 and the relevant Ordinance on the Data Protection Act (Data Protection Ordinance, "DPO") dated 9 July 2002 implemented the Data Protection Directive. The Liechtenstein Government has also published an Ordinance on Data Protection certification (Verordnung vom 10. Dezember 2013 über die Datenschutzzertifizierungen, "VDSZ") to improve data protection and data security.

Entry into force

The DPA came into force on 1 August 2002.

National Regulatory Authority

Details of the competent national regulatory authority

Datenschutzbeauftragter ("The Data Protection Commissioner")
Dr. Philipp Mittelberger
Data Protection Unit (Datenschutzstelle)
Kirchstrasse 8
Post box 684
FL-9490 Vaduz
Liechtenstein
www.llv.li/#/1758/datenschutzstelle

Notification or registration scheme and timing

Under the DPA, data controllers in the private sector who regularly: (i) process sensitive data; (ii) process personal profiles; or (iii) communicate personal data to a third party must notify the Data Protection Commissioner prior to processing if this operation is not subject to a legal requirement or the persons affected are unaware that such data are being processed. The Data Protection Commissioner is in charge of the register of data collections. Data controllers in the public sector must notify the Data Protection Commissioner in all cases.

Exemptions

The Government may make exceptions to the notification obligation.

Appointment of a data protection officer

According to the DPA it is optional to appoint a data protection officer. This officer will be registered at the data protection unit and some duties are then delegated to him, such as keeping a list of the collected data.

Personal Data

What is personal data?

The definition of personal data in the DPA is based on the standard definition of personal data.
Is information about legal entities personal data?

Yes. The DPA applies to both individuals and legal entities.

What are the rules for processing personal data?

The processing conditions in the DPA distinguish between data controllers in the private and public sector. Data controllers in the private sector must satisfy processing conditions that are broadly similar to the standard conditions for processing personal data. For example, instead of a legitimate interest condition, there is a right to process data if there is an overriding public or private interest. The processing conditions for data controllers in the public sector are far more restrictive and they may only process data if there is a legal basis to do so.

Are there any formalities to obtain consent to process personal data?

If required, consent is only valid if the data subject is given full information about the circumstances of the processing and such consent only extends to those circumstances.

159 September 2016 Global data protection legislation

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data include: (i) the standard types of sensitive personal data (though these do not include trade union information); (ii) social security files; and (iii) criminal or administrative proceedings and penalties. The processing for personality profiles, which are a collection of data that allow the appraisal of fundamental characteristics of the personality of a natural person, is also subject to additional controls.

Are there additional rules for processing sensitive personal data?

Both sensitive personal data and data constituting a personality profile are subject to specific rules. A private sector entity may only process sensitive data if the standard conditions for processing sensitive personal data are satisfied. A public sector entity may only process sensitive personal data if: (i) it is indispensable in order to fulfil a specific legal obligation; (ii) the Government has authorised the processing; or (iii) the data subject has granted express consent or made the information public.

Are there any formalities to obtain consent to process sensitive personal data?

The consent of the data subject must be explicit.

Scope of Application

What is the territorial scope of application?

The DPA applies the standard territorial test.

Who is subject to data protection legislation?

The data controller is primarily responsible for compliance with the DPA. However, data processors also have an obligation to comply with the DPA and must respect the privacy of persons affected.

Are both manual and electronic records subject to data protection legislation?

The DPA applies to both manual and electronic records, as it does not differentiate between the two.

Rights of Data Subjects

Compensation

Data subjects may be entitled to compensation if they suffer damage as a result of a breach of the DPA. This is especially the case if the person in breach of the DPA is a private sector entity.
Fair processing information

A data controller must provide the fair processing information to data subjects, which must also include information about: (i) the categories of data processed; (ii) the recipients of the data; (iii) the data subject's rights to information and correction; and (iv) the consequences of any refusal of the data subject to provide the personal data requested. If the personal data have been obtained from a third party rather than the data subject, then the fair processing information need not be provided if: (i) it would involve unreasonable expense; or (ii) the processing is necessary for compliance with a legal obligation or research.

Rights to access information

Data subjects should, as a general rule, obtain their subject access information by written request to data controllers. The requested information will basically be provided free of charge. The information should, as a general rule, be submitted within 30 days in writing in printed form or as a photocopy. The right of access to personal data may be pursued under a special non-contentious civil proceeding (AusserstreitverfahrenG).

Objection to direct marketing

A data subject may require that a data controller stop processing data for direct marketing purposes. Data subjects also have to be notified in the event data are processed for the purpose of direct marketing.

Other rights

Data subjects have the right to require the rectification, erasure or blocking of personal data if the data are incomplete or inaccurate. Unless the processing is authorised by law, data subjects have the right to object to the processing by the data controller of personal data on the grounds of predominant interests which are worthy of protection and which relate to the data subject's particular situation. Where there is a justified objection, the processing undertaken by the data controller may no longer involve the personal data in regard to which the objection was made.

Security

Security requirements in order to protect personal data

Data controllers must comply with the general data security obligations.

Specific rules governing processing by third party agents (processors)

The processing of personal data may be entrusted to a data processor provided: (i) the data controller ensures that no processing occurs that it would not be permitted to carry out itself; and (ii) the processing is not prohibited by a legal or contractual duty of confidentiality. Some parts of the contract between the data processor and the data controller must be documented in written or another permanent form. The data processor will be subject to the same duties and may assert the same grounds of lawful justification as the data controller. If personal data are to be shared with other data processors abroad, written contracts are necessary to limit the disclosure, processing and sharing to between other companies who support the service of the data controller or owner of the data.

Notice of breach laws

The DPA does not contain any obligation to inform the Data Protection Commissioner or data subjects of a security breach. However, data controllers in certain sectors may be required to inform competent regulators of any breach. Specific notice of breach laws will apply to the electronic communications sector once the amendments to the Privacy and Electronic Communications Directive made by the Citizens' Rights Directive have been implemented into national law.

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Save for transfers to whitelisted countries, personal data may not be transferred outside of the EEA if the privacy of the persons affected could be seriously endangered. This applies especially if these countries do not have data protection laws granting a similar level of protection to those in Liechtenstein.
Notification and approval of national regulator (including notification of use of Model Contracts)

The Data Protection Commissioner must be notified of any transborder dataflow unless: (i) there is a legal obligation to disclose the data and the persons affected have knowledge of the transmission; or (ii) the transmission of files is to a state with equivalent data protection legislation (see Annex 2 to the DPO) and the files do not contain sensitive data or personal profiles. In particular, the Data Protection Commissioner has to be notified if Model Contracts are being used.

Use of binding corporate rules

Although the Data Protection Commissioner supports the use of binding corporate rules, there is currently no formal recognition of them as a means to justify transborder dataflows.

Enforcement

Sanctions

Private individuals who wilfully breach the DPA can receive a fine of up to CHF 20,000 and be imprisoned for up to three months in the event the fine is not paid. A person who wilfully breaches the DPA in the context of his professional activities can be imprisoned for up to one year or fined up to 360 daily rates (which is a figure calculated by reference to the income of the offender).

Practice

In the year 2012, the Data Protection Commissioner dealt with 640 inquiries in total. This is an increase of 81 on the 559 inquiries received in 2011. Information about the numbers of investigations and penalties imposed is not published.

Enforcement authority

The Data Protection Commissioner can investigate cases on his own initiative or at the request of third parties. For this purpose he may request the production of documents, obtain information and have data processing activities explained to him. On that basis the Data Protection Commissioner may recommend improvements and in some cases he may also inform the government about such recommendations. However, civil procedures and prosecutions for criminal offences can only be carried out by the Princely Court.

ePrivacy | Marketing and cookies

National Legislation

Cookies

ePrivacy laws

The Communication Act dated 17 March 2006, which came into force on 6 June 2006 (the "CA"), implemented Article 13 of the Privacy and Electronic Communications Directive. The CA has not been amended yet to implement the amendments to the Privacy and Electronic Communications Directive made by the Citizens' Rights Directive. The implementation will be arranged by the Office for Communication as the regulatory, supervisory administrative authority for telecommunications in Liechtenstein in the fields of telecommunication, radio, television, cable television and Internet.

Conditions for use of cookies

Currently, it is only necessary to inform users of the use of cookies and offer them the right to refuse their use. However, when the CA is amended to implement the Citizens' Rights Directive it will be necessary to obtain consent to the use of cookies unless the cookie is strictly necessary for the provision of a service to that subscriber or user.

Regulatory guidance on the use of cookies

None.

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Under the CA it is not permitted to transmit messages for the purpose of direct marketing by e-mail unless the recipient has previously consented explicitly to the transmission. In addition, an organisation can send one single e-mail to customers asking them if they consent to further direct marketing.

Conditions for direct marketing by e-mail to corporate subscribers

The same conditions apply as for direct marketing by e-mail to individual subscribers. Under the CA it is permitted to transmit messages if the similar products and services exemption applies.
Notwithstanding this exemption or the receipt of consent from the recipient, the transmission of messages is not permitted if: (i) the recipient's contact details have been obtained by chance; (ii) the sender is informed or should be informed about the recipient's subsequent refusal of consent; or (iii) the transmission violates any other provision of Liechtenstein law. Finally, the CA also prohibits direct marketing e-mails from being sent if: (i) the identity of the sender is disguised or concealed; or (ii) an opt-out address is not provided. The sender must also include the ecommerce information.

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Under the Distance Selling Act it is only permitted to make direct marketing calls to customers if they would not obviously object to that call. This provision is only applicable to telecommunications between an individual subscriber and a seller of goods or services where such telecommunication is used for the initiating and signing of a contract relating to such goods and services.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There are no relevant provisions. There are exemptions for agreements relating to: (i) the partial utilisation of a residential building; (ii) the supply of financial services according to the Distance Financial Services Act; (iii) the building and selling of real estate or other rights of real estate not including letting; (iv) the delivery of groceries, beverages and other household articles of daily use, which are delivered by the seller to the customer's domicile, whereabouts or place of employment in the framework of frequent and recurring delivery drives; and (v) the supply of services in the range of accommodation, carriage, delivery of meals and drinks as well as recreational activities, if the seller engages at the time of contracting to render service at a certain time or within a certain time limit. According to the Distance Selling Act a caller should identify themselves to the recipient.

Marketing by Fax

Conditions for direct marketing by fax to individual subscribers

Under the CA it is not permitted to transmit messages for the purpose of direct marketing by fax unless the recipient has previously consented explicitly to the transmission.

Conditions for direct marketing by fax to corporate subscribers

The same conditions apply as for direct marketing by fax to individual subscribers. Under the CA it is permitted to transmit messages for the purpose of direct marketing by fax where the recipient (as the sender's customer) has provided to the sender his contact details in accordance with the similar products and services exemption and has not objected to their use for direct marketing. In order to obtain consent the sender shall transmit a relevant request by fax. In this request, the sender must include in clear, explicit and noticeable form information that the recipient is entitled to refuse each further fax. Notwithstanding this exemption or the receipt of consent from the recipient, the transmission of messages is not permitted if: (i) the recipient's contact details have been obtained by chance; (ii) the sender is informed or should be informed about the recipient's subsequent refusal of consent; or (iii) the transmission violates any other provision of Liechtenstein law.