Data Privacy

Liechtenstein - NAGELE Attorneys at Law LLC

  • The Data Protection Act of 4 October 2018;
  • The Data Protection Ordinance of 11 December 2018; and
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR)).

Special provisions also exist in the following regulations, which predominantly refer to the GDPR or the Data Protection Act:

  • the Communication Act of 17 March 2006;
  • the Media Act of 19 October 2005;
  • the Law on Banks and Investment Firms;
  • the Law on Asset Management;
  • the Ordinance on the Law on Banks and Investment Firms;
  • the Ordinance on the Law on Asset Management; and
  • amendments to the Law on the Financial Market Authority regarding aspects of data privacy deriving from the implementation of the Second Markets in Financial Instruments Directive (2014/65/EU).

Adequacy decisions of the European Commission according to Article 45 of the GDPR, concerning whether a country outside the European Union offers an adequate level of data protection. So far, the European Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States (limited to the Privacy Shield framework) as providing adequate protection. Adequacy talks are ongoing with South Korea.

The Council of Europe Convention 108/108+ for the Protection of Individuals with regard to Automatic Processing of Personal Data is also applicable, as are the Schengen Information System (SIS and SIS II) and the SIS Supervision Coordination Group.

According to Article 10 of the Data Protection Act, the Data Protection Authority is responsible for supervising the processing of data by public and non-public bodies.

The authority monitors and enforces the application of this act and other data protection regulations, as well as all laws and regulations implementing the EU Data Protection Directive (2016/680). Among other things, it:

  • handles complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 55 of the directive;
  • investigates, to the extent appropriate, the subject matter of the complaint; and
  • informs the complainant of the progress and the outcome of the investigation within a reasonable period – in particular, if further investigation or coordination with another supervisory authority is necessary.

It also investigates the application of the Data Protection Act and other data protection legislation, including legislation adopted to implement the Data Protection Directive, including on the basis of information received from another supervisory authority or other public authority.

Within the scope of the GDPR, the Data Protection Authority has the powers referred to in Article 58 of the GDPR.

If the Data Protection Authority concludes that there has been a breach of the data protection regulations or that there are other shortcomings regarding the processing of personal data, it will inform the competent supervisory authority.

Before exercising its powers pursuant to Articles 58(2)(b) to (g), (i) and (j) of the GDPR, the Data Protection Authority will notify the controller of its intention to do so within a reasonable period. However, the Data Protection Authority may refrain from doing so where immediate action is required due to imminent danger, reasons of public security or in the public interest, or if this would conflict with compelling public interests.

According to Article 40 of the Data Protection Act, the Data Protection Authority will impose fines pursuant to paragraph 2 for violations of the GDPR – including where the violation is determined to be negligent – according to Articles 83(4) to (6) of the GDPR.

In cases pursuant to Article 83(4) of the GDPR, fines may be imposed of up to CHF 11 million or up to 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. In cases pursuant to Articles 83(5) and (6) of the GDPR, fines may be imposed of up to CHF 22 million or up to 4% of total worldwide annual turnover in the preceding financial year, whichever is higher.

As data privacy is a fundamental human right according to Article 8 of the Charter of Fundamental Rights of the European Union, the Data Protection Agency fulfils its task in a serious and professional manner.

Information and counselling are core tasks of national data protection supervisory authorities, and therefore the national Data Protection Agency also fulfils these tasks – primarily, although not exclusively, through its new website, which informs citizens, companies and public and private institutions and associations on the complex subject of data protection (www.datenschutzstelle.li/).

Public bodies that process personal data. For non-public bodies, the Data Protection Act shall apply to:

  • the processing of personal data wholly or partly by automated means; and
  • processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.

Processing by a natural person in the course of a purely personal or domestic activity is exempt from the regime.

The exceptions to the scope of the General Data Protection Regulation (GDPR) are listed exhaustively in the GDPR. There is one exception for data processing by private individuals exclusively for “personal or family activities”.

Circumstances might arise where extra-territorial application of the GDPR in conjunction with the Data Protection Act is possible. As regards the territorial scope of the GDPR (Article 3), which includes the possibility of extra-territorial effect or application, the European Data Protection Board has published Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) Version 2.0 of 12 November 2019.

(a) Data processing

The gathering, processing or use of personal data by a processor in accordance with the instructions of the controller based on a contract.

(b) Data processor

Pursuant to Article 4 of the General Data Protection Regulation, a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(c) Data controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

(d) Data subject

An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly – in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(e) Personal data

Any information relating to an identified or identifiable natural person.

(f) Sensitive personal data

Personal data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a natural person’s sex life or sexual orientation.

N/A.

No.

N/A.

N/A.

The law provides six legal bases for processing:

  • consent;
  • performance of a contract;
  • a legitimate interest;
  • a vital interest;
  • a legal requirement; and
  • a public interest.

At least one of these must apply whenever personal data is processed. No single basis is ‘better’ or more important than the others – the basis which is most appropriate to use will depend on the purpose and relationship with the individual.

The General Data Protection Regulation (GDPR) sets out seven key principles:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality (security); and
  • accountability.

As per the General Data Protection Regulation (GDPR), a ‘third party’ is a natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons that, under the direct authority of the controller or processor, are authorised to process personal data.

The third party will be considered a recipient once personal data is disclosed to it; and the legitimate interests of third parties can also be used as a legal basis to justify the processing of personal data by the controller where relevant.

A company may rely on legitimate interests to disclose personal data to a third party. These might include its own interests, the interests of the third party or both.

The GDPR restricts the transfer of personal data to countries outside the European Economic Area, and international organisations. These restrictions apply to all transfers, no matter what the size of the transfer or how often transfers are carried out.

The European Commission has the power to determine, on the basis of Article 45 of the GDPR, whether a country outside the European Union offers an adequate level of data protection.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Adequacy talks are ongoing with South Korea.

Under Article 26 of the Data Protection Directive, member states may authorise a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2) where the chief processor adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

Under the Data Protection Act, data subjects have the following rights with regard to their personal information:

  • the right to be informed about the collection and the use of their personal data;
  • the right to access personal data and supplementary information;
  • the right to have inaccurate personal data rectified or completed;
  • the right to erasure (to be forgotten) in certain circumstances;
  • the right to restrict processing in certain circumstances;
  • the right to data portability, which allows the data subject to obtain and reuse his or her personal data for his or her own purposes across different services;
  • the right to object to processing in certain circumstances;
  • rights in relation to automated decision making and profiling;
  • the right to withdraw consent at any time (where relevant); and
  • the right to complain.

A data subject has the right to obtain from the data controller confirmation as to whether his or her personal data is being processed, and if so, to access the personal data.

For complaints, the Data Protection Authority provides electronic complaint forms, which can be downloaded at https://formulare.llv.li/formserver_DSS/start.do;jsessionid=F9B72489053C08CB5C4F281930A90385?wfjs_enabled=true&vid=c4b2dadf97cea2a7&wfjs_orig_req=%2Fstart.do%3Fgeneralid%3DDSS_BF%26lang%3Den&txid=6cdcf0565eb5e23e7f8b20a6999979f6dacd6666#.

  • Article 77 of the General Data Protection Regulation (GDPR): right to lodge a complaint with a supervisory authority; and
  • Article 83 of the GDPR: right to compensation and liability.

Article 37 of the GDPR sets out three primary scenarios in which the appointment of a data protection officer (DPO) is mandatory, as follows:

  • The data processing is carried out by a public authority or body;
  • The core activities of the controller or the processor consist of processing operations which require the regular and systematic monitoring of data subjects on a large scale; or
  • The core activities of the controller or the processor consist of processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.

There is currently no uniform training through which a prospective DPO can acquire the necessary skills. The requirement profile – that is, the necessary qualifications of a DPO – will also depend on the specific data processing processes carried out in the company and the necessary protection of the personal data processed. In companies that conduct complex data processing activities or that process sensitive data on a large scale, the DPO may need to have a higher level of professional competence than in a company with less complex data processing activities.

The primary role of the DPO is to ensure that his or her organisation processes the personal data of staff, customers, providers and other individuals in compliance with the applicable data protection rules.

It is possible to outsource the role of DPO; in such case the same principles apply as for an internal DPO. The DPO must be an expert in data protection. He or she must also have sufficient credibility both to report to the board (the GDPR states that the DPO must report to the top-level decision-making body in an organisation) and to liaise with the Data Protection Authority in a number of scenarios, including breach.

Article 30 of the GDPR deals with record keeping. All provisions and requirements are clearly laid out, so this is one article of the GDPR in relation to which there is little to no ambiguity.

The records should contain at least the following:

  • the contact details of a person within the organisation;
  • the purpose of the data processing, explained in detail;
  • the categories of personal data processed;
  • special categories of data (sensitive data), if any;
  • any data transfers to third countries;
  • any processing of the data of minors;
  • the retention periods;
  • an overview of security and technical data protection measures;
  • a list of categories of recipients of personal data; and
  • any additional information, if deemed necessary.

The Data Protection Authority provides extensive services in this regard, including tips, sample templates and guidelines. In case of doubt, the Data Protection Authority should be contacted as a best practice.

The General Data Protection Regulation (GDPR) refers to the obligation to have the ‘appropriate technical and organisational measures’ in place some 89 times, stressing the importance that is placed on such measures.

Technical and organisational measures include functions, processes, controls, systems, procedures and measures taken to protect and secure the personal information that an organisation processes.

The measures taken and implemented by an organisation will relate directly to its size, scope and activities; and will need to reflect the type and volume of personal data being processed. The scope and range of the GDPR’s technical and organisational measures are expansive, from assessment controls such as vulnerability scans and risk management to firewalls, strong passwords and third-party due diligence.

The GDPR obliges all organisations to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.

If a breach presents a high risk that the rights and freedoms of individuals will be adversely affected, those individuals must be informed without undue delay.

The communication to the data subject should describe, in clear and plain language, the nature of the personal data breach and (at least) the information and measures referred to in Articles 33(3)(b) to (d) of the GDPR. In other words, it should:

  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Obtain professional help, respond in accordance with the legal framework and seek support from the Data Protection Authority. Best practice also includes prevention measures and preparation.

Employee data – such as payroll, reviews, identification numbers and travel expenses – falls under the requirements of the General Data Protection Regulation (GDPR) for data security and privacy. The GDPR also applies to personal data during the recruitment phase, personal data in employment and personal data after employment.

According to Article 59(V)III of the Regulation of 16 June 1998 on Health and Safety in the Workplace, monitoring and control systems that monitor the behaviour of workers in the workplace must not be used.

If supervisory or control systems are required for other reasons, they must, in particular, be designed and arranged in a way that safeguards the health and freedom of movement of employees.

The monitoring must also be GDPR compliant.

Best practice is to rely on information from the Data Protection Authority, as well as the guidelines issued by the Department of Economic Affairs (www.llv.li/inhalt/12481/amtsstellen/amt-fur-volkswirtschaft).

The General Data Protection Regulation (GDPR) is the most comprehensive data protection statute that has been passed by any governing body to date. However, throughout its 88 pages, it mentions cookies only once, in Recital 30.

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, including internet protocol addresses, cookie identifiers and other identifiers, such as radio frequency identification tags. This may leave traces which – particularly when combined with unique identifiers and other information received by the servers – may be used to identify and create profiles of natural persons.

What these two lines state is that cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies have a right to process users’ data, as long as they obtain consent or have a legitimate interest in doing so.

To comply with the regulations governing cookies under the GDPR and the Communications Act, companies should do the following:

  • Obtain users’ consent before using any cookies, except those which are strictly necessary;
  • Provide accurate and specific information about the data that each cookie tracks and its purpose in plain language before consent is obtained;
  • Document and retain consent obtained from users;
  • Allow users to access services even if they refuse to allow the use of certain cookies; and
  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

In technical terms, cloud computing is a data processing contract. Hence, the cloud user should be fully aware of the way in which the provider processes its data at all times.

Cloud providers and resource providers merely support these functions and are dependent on the legal requirements of the responsible authority. In other words, both cloud providers and businesses must meet the minimum legal requirements for each cloud service under GDPR.

N/A.

Typically, violations of the General Data Protection Regulation (GDPR) are pursued through formal complaints, on which the Data Protection Authority provides guidelines. Once the Data Protection Authority has issued its decision, any party negatively affected thereby can avail of the remedies provided by administrative procedure.

In 2019, the Data Protection Authority received 41 complaints directed against responsible persons in Liechtenstein. This figure does not include requests from data subjects where it turned out that the complaint was not based on the processing of personal data relating to them.

In 29 of these cases, an amicable settlement was reached with the data controller and the complaints were withdrawn. This procedure, which is also recommended in Recital 131 of the GDPR, prevented numerous lengthy and costly procedures.

Twelve complaints were decided by means of an order, whereby the Data Protection Authority made extensive use of its powers under Article 58(2) of the GDPR and issued warnings, instructions, restrictions and prohibitions. In contrast, no fines were imposed in 2019.

The Data Protection Authority releases an annual report on its activities, including reporting minor disputes (www.datenschutzstelle.li/application/files/1815/8988/1511/Taetigkeitsbericht_2019.pdf).

The General Data Protection Regulation affects Liechtenstein companies, institutions and associations within the framework of their domestic and foreign customer relations. Public awareness has increased due to international media coverage and the efforts of the national Data Protection Authority. As the number of disputes is on the rise, public attention will likewise increase. As a countermeasure, the University of Liechtenstein has extended its academic training on data protection and security, and private associations dealing with data privacy have been established in recent years.

Keep track of recent legal developments through sources such as the Data Protection Authority’s website (www.datenschutzstelle.li/).
