Data protection law - An Introduction
Objects of and constitutional grounds for data protection legislation
Data Protection Act
I hereby grant my consent to the following resolution adopted by the Diet:
I. General provisions
1) This Act shall seek to protect the personality and fundamental rights of those individuals about whom data is processed.
2) This Act implements EU Directive 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data (EEA Compendium of Laws: Appendix. XI - 5e.01).
1) This Act shall regulate the processing of data about natural and legal persons undertaken by:
2) This Act shall also regulate the processing of all data:
3) It shall not apply to:
4) The above provisions shall be subject to differing and supplementary provisions in other Acts, provided such provisions ensure the protection of data from unauthorised processing in terms of this Act.
1) The expressions below shall be defined as follows:
aa) religious, philosophical, or political opinions or activities,
bb) health, sexuality, or racial origin,
cc) social security files,
dd) criminal or administrative proceedings and penalties;
f) "personal profile": a collection of data that allows the appraisal of fundamental characteristics of the personality of a natural person;
2) Unless otherwise specified in this Act, the masculine terms used in this Act shall indicate members of both the male and female sexes.
II. Use of data
A. General provisions
1) Personal data must be collected in a lawful manner.
2) Processing must be conducted in good faith and must not be excessive.
3) Personal data may only be processed for the purpose either for which it was collected, which is evident from the circumstances, or which is provided for by law.
1) In the event that data is collected, the file controller must provide the person affected with the following information at the least, unless the person affected already has such information:
a) the identity of the file controller;
2) The government may enact a regulation requiring that additional information be provided if such is essential for processing the data in good faith considering the specific circumstances under which the data is collected, for example:
3) If the data was not collected from the person affected, the controller must provide the affected person with the information pursuant to paragraph 1 upon commencing storage of the data or, in the event the controller intends to pass the data on to third parties, upon initial disclosure at the latest.
4) The above provisions shall not apply if notifying the person affected is impossible, is only possible at unreasonable expense, or if storage or communication of the data is expressly required by law, especially in the event of data processing for the purposes of statistics, or historical or scientific research.
1) Decisions which are made exclusively on the basis of automated data processing for the purpose of evaluating individual aspects of a person, such as his professional ability, creditworthiness, reliability, or conduct shall constitute a breach of the affected person's privacy provided such decisions have legal consequences and result in substantial impairments.
2) Decisions pursuant to paragraph 1 shall be lawful if:
1) Whoever processes personal data must ensure that the information is correct.
2) Any person affected may request the rectification of inaccurate data.
Transborder data flows
1) No personal data may be transferred abroad if the personal privacy of the persons affected could be seriously endangered, in particular where there is a failure to provide protection equivalent to that provided under Liechtenstein law. This shall not apply to states which are party to the EEA Agreement.
2) Whoever wishes to transmit data abroad must notify the Data Protec-tion Commissioner beforehand in cases where:
3) The government shall regulate the notification procedure in detail. The government may in particular:
1) Personal data must be protected against unauthorised processing by appropriate organisational and technical means.
2) The Government shall enact more detailed provisions on the minimum data security measures.
Whoever processes data or has data processed must keep data from applications entrusted to him or made accessible to him based on his professional activities secret, notwithstanding other legal confidentiality obligations, unless lawful grounds exist for the transmission of the data entrusted or made accessible to him.
Right of information
1) Anyone may ask a file controller if data relating to him is being processed. The Government shall enact a regulation establishing a period within which the information must generally be provided.
2) The file controller must provide information on:
3) The file controller may disclose data relating to the health of the affected person via a doctor designated by the person.
4) In the event the file controller has the personal data processed by a third party, the file controller shall remain responsible for providing the information that is requested. The third party shall be obliged to provide information in the event that it does not disclose the name of the file controller or in the event the controller is not resident in Liechtenstein.
5) The information should, as a general rule, be submitted in writing in printed form or as a photocopy and be provided free of charge. The government shall regulate exemptions from the foregoing. The government may in particular provide for a participation in costs if the provision of the information necessitates an unreasonable expense.
6) No authority shall have the right to waive their right of information in advance.
Restrictions on the right to information
1) A file controller may refuse to provide, or restrict or defer the provision of the requested information in cases where:
2) In addition, an authority may refuse to provide, or restrict or defer the provision of the requested information in cases where:
3) A private file controller may additionally refuse to provide, restrict or defer the provision of the requested information when it is in his own overriding interest and on the condition that the data is not passed on to a third party.
4) The file controller must indicate the reason why he is refusing, restricting or deferring access to the information.
b)Restriction of the right to information for media employees
1) A file controller who uses a file for the sole purpose of publication in the editorially-controlled section of a periodically published media organ may refuse, restrict or defer the provision of the requested information if:
2) Journalists may additionally refuse, restrict or defer communication of the requested information if a file is being used exclusively as a personal work aid.
Right to object
1) Unless the use of data is required by a law, each affected party may raise an objection to the use of his data with the file controller for violation of his overriding interests resulting from his specific situation.
2) In the event of a legitimate objection, the data processing conducted by the file controller may no longer relate to the affected person's data.
3) In the event data is processed for the purpose of direct advertising, the affected person is to be notified in advance (Article 5) and is to be informed of the no-cost and immediately effective right to object to which he is entitled.
1) The Data Protection Commissioner shall keep a file register which shall be accessible in particular via internet. Anyone may inspect the register.
2) Authorities must declare all files to the Data Protection Commissioner for registration.
3) Private individuals who regularly process sensitive data or personal profiles or communicate personal data to a third party must register their files if:
4) The files must be registered prior to processing.
5) The registration must contain the following information:
6) The government shall regulate the registration and updating of files in detail, as well as the maintenance and publication of the register. The government may exempt specific kinds of files from notification duty or registration, provided such processing does not infringe on the privacy of the persons affected.
B. Processing of personal data by private individuals
Breach of privacy
1) Whoever processes personal data may not unlawfully breach the privacy of persons affected.
2) In particular, he may not, without lawful justification,
3) In principle, there shall be no breach of privacy in the event the person affected has made the data accessible to the public and had not expressly prohibited processing of the data.
a) Personal data
1) An infringement of privacy in the processing of personal data shall be unlawful unless it is justified by:
2) The overriding interests of the processing person shall in particular be taken into account where the processing person:
b) Sensitive data and personal profiles
An infringement of privacy in the processing of sensitive data and personal profiles shall not be unlawful when:
Data processing by a third party
1) The processing of personal data may be entrusted to a third party provided:
2) The third party shall be subject to the same duties and may assert the same grounds of lawful justification as the mandating party.
3) For the purpose of securing evidence, the elements of the contract relating to data protection provisions and the requirements with respect to measures in accordance with paragraphs 1 and 2 shall be documented in written or another form.
C. Processing of personal data by authorities
1) Any Authority that processes personal data or has such data processed in the execution of its legal duties shall be responsible for ensuring the protection of such data.
2) In the event that an authority processes personal data jointly with other authorities or with private persons, the government may regulate the specific responsibilities with regard to data protection.
1) Authorities may process personal data only if there is a legal basis for doing so.
2) Sensitive data or personal profiles may be processed only if a law expressly provides therefor or if, exceptionally:
Collection of personal data
1) Any authority that systematically collects data, in particular through the use of questionnaires, must specify the objective of and the legal basis for the processing, the categories of persons dealing with the file, and the recipients of the data.
2) The collection of sensitive data or of personal profiles must be carried out in a manner that is visible to the persons affected.
Disclosure of personal data
1) Authorities may disclose personal data provided they have legal grounds for doing so in terms of Article 21 or if:
2) Authorities may, on request, disclose the name, first name, the address and the date of birth of a person even if the conditions set forth in paragraph 1 are not fulfilled.
3) Authorities may make personal data available via remote access, provided express provision is made therefore. Sensitive data or personal profiles may only be made available via remote access provided a law provides therefor.
4) The authority shall refuse to disclose data, or restrict such disclosure or make it subject to conditions if:
Prohibition of disclosure
1) A person affected who credibly asserts a legitimate interest may request the responsible authority to prohibit the disclosure of certain personal data.
2) The authority may refuse to prohibit disclosure or revoke any such prohibition if:
Making data anonymous, destroying data
Authorities must make personal data that they no longer require anony-mous or destroy such data unless the data:
Processing for the purposes of research, planning, and statistics
1) Personal data may be processed for reasons not related to the persons affected, and in particular for the purposes of research, planning, and statistics, provided:
2) The requirements of the following provisions need not be met:
Private law activities of the authorities
1) In the event that an authority acts on the basis of private law, the provisions on the processing of personal data by private persons shall apply.
2) Supervision of such private law activities shall be conducted in accordance with the provisions applicable to Authorities.
III. The Data Protection Commissioner and the Data Protection Commission
Appointment and status
1) The Data Protection Commissioner shall be appointed by the govern-ment.
2) He shall perform his duties autonomously and may be affiliated with a government department.
3) The government shall regulate the specific details with respect to organisation and compensation.
Supervision of authorities
1) The Commissioner shall supervise compliance by authorities with this Act and other regulations relating to data protection. The government shall be exempted from such supervision.
2) The Commissioner shall investigate cases on his own initiative or at the request of third parties.
3) In order to investigate cases, he may request the production of documents, obtain information and have data processing activities explained to him. The authorities shall be obligated to co-operate in the investigation of any case. The right to refuse to give evidence in terms of Article 108 of the Code of Criminal Procedure shall apply by analogy.
4) In the event that an investigation reveals that data protection provisions have been infringed, the Commissioner may recommend that the responsible authority modify or cease data processing activities. He shall inform the government of his recommendation.
5) In the event that a recommendation is not complied with or is rejected, the Commissioner may refer the matter to the Data Protection Commission for decision. Notice of the decision shall be given to the persons affected.
Investigations and recommendations in the private sector
1) The Commissioner shall conduct investigations on his own initiative or at the request of a third party when
2) He may request the production of documents, obtain information and have data processing activities explained to him. The right to refuse to give evidence in terms of Article 108 of the Code of Criminal Procedure shall apply by analogy.
3) On the basis of his investigation, the Data Protection Commissioner may recommend the modification or cessation of the data processing activities.
4) In the event that a recommendation is not complied with or is rejected, he may refer the matter to the Data Protection Commission for decision.
1) The Commissioner shall submit a report at regular intervals and as required to the government. These periodical reports shall be published.
2) In cases of public interest, he may inform the public of his findings and recommendations. He may only disclose data that has been given to him subject to official secrecy if he has the consent of the competent authority. In the event such consent is withheld by the authority, the Data Protection Commission shall make a decision, which shall be final.
1) The Commissioner shall have the following additional duties:
2) The Commissioner may consult authorities even where this Act is not applicable in accordance with Article 2 paragraph 3 letters c through f. Such authorities may allow him to inspect their papers.
B. The Data Protection Commission
The Data Protection Commission
1) The Data Protection Commission shall consist of three members which shall be elected by the Diet for a term of four years together with two alternate members. The Diet shall designate the President and Vice President of the Commission.
2) Members of the Data Protection Commission shall be subject to the provisions of Act on General Administrative Procedure on work stoppages, responsibilities, and the prohibition on reporting. Such members must take the oath of office prior to taking office.
The Data Protection Commission makes decisions on:
1) Upon the request of a party or the Data Protection Commissioner, the President of the Data Protection Commission may take interim measures which appear necessary for the interim regulation of an existing state of affairs or to guarantee legal relations which are at risk.
2) Appeals against interim measures shall have a suspensive effect.
3) The Data Protection Commission shall decide on appeals against measures taken by the President. The appeals period shall be 14 days.
Members of the Data Protection Commission shall be compensated for their activities pursuant to the provisions of the law relating to the remuneration of members of the government, courts, commissions, and organs of establishments and foundations of the state.
A. Processing of personal data by private individuals
Claims and legal procedures
1) Legal proceedings or interim measures (protective measures) relating to the protection of privacy are governed by Articles 39 through 41 of the Civil and Corporate Law. The plaintiff in any legal proceedings may specifically request that the personal data be corrected or destroyed, or that its disclosure to third parties be prohibited.
2) In the event the accuracy or inaccuracy of personal data cannot be established, the plaintiff may request that the particular data be marked accordingly.
3) The plaintiff may request the notification of third parties or publication of the judgment relating to the data or its correction, destruction, prohibition of communication, or the marking of the data as to its litigious character.
4) The legal aid procedure shall apply in the event of actions for the assertion of the right for information.
B. Processing of personal data by Authorities
Rights and procedures
1) Anyone with a legitimate interest may request that the responsible authority
2) If the accuracy or inaccuracy of personal data cannot be established, the authority shall be required to mark the data with a note to this effect.
3) The person making the request may in particular request that the authority
4) The procedure shall be governed by the Act on General Administrative Procedure.
5) The decisions and orders of the authorities shall be subject to a right of appeal to the Data Protection Commission within 14 days after service. The decisions made by the Commission shall be subject to a right of appeal to the Administrative Appeals Court within 14 days of service.
6) Decisions made by the government may be appealed to the Administrative Appeals Court within 14 days after service.
V. Penal Sanctions
Unauthorised collection of personal data
Whoever collects sensitive personal data from a file which is not freely accessible without authorisation shall be punishable by the Princely Court on application for prosecution by a term of detention of up to one year or a fine of up to 360 daily rates.
Breach of duties to provide information, to register data, and to co-operate
1) Private individuals who fail to fulfil their duties as set out in Articles 11 and 13 by wilfully providing inaccurate or incomplete information shall be punishable on application for prosecution by a fine of up to 20,000 Francs, and by a term of detention of up to three months in the event the fine is not paid.
2) Private individuals who wilfully:
Breach of professional secrecy
1) Whoever wilfully and without authorisation discloses confidential and sensitive personal data or personal profiles that have come to his knowledge in the course of professional activities that require that he has knowledge of such data shall be punishable on application for prosecution with detention of up to one year or a fine of up to 360 daily rates.
2) Whoever wilfully and without authorisation discloses confidential and sensitive personal data or personal profiles that have come to his knowledge in the course of his activities for persons who are subject to a duty of professional secrecy or in the course of his vocational training with such persons shall also be punishable on application for prosecution by a term of detention of up to one year or a fine of up to 360 daily rates.
3) The illegal communication of confidential and sensitive data or personal profiles shall also be punishable after the relevant persons has ceased to practice his profession or has completed his vocational training.
VI. Transitional and final provisions
1) The government shall enact the ordinances necessary for implementing this Act, in particular relating to:
2) The government may enact exceptions to Articles 12 and 13 for the provision of information through embassies and consulates of the Principality of Liechtenstein abroad.
3) The government shall regulate how files are to be secured whose data can result in a danger to the life and limb of the persons affected in the event of a crisis or war.
Processing of personal data in specific cases involving crimefighting and state security
1) Until an Act comes into force regulating the processing of personal data for fighting terrorism, violent extremists, organised crime, and illicit news services and to guarantee state security, the government may:
2) Ballot, petition, and statistical secrecy shall be preserved.
3) The government shall make its decision after consulting with the Data Protection Commissioner at the offices of the Data Protection Commission or the president thereof. Decisions made by the government may be appealed to the Administrative Court within 14 days after service.
1) File controllers must declare any existing files that must be registered in terms of Article 15 within one year of the date on which this Act comes into force.
2) Within one year of the date on which this Act comes into force, they must take the measures required to allow them to disclose information in terms of Article 11.
3) File controllers may continue to use existing files that contain sensitive personal data or personal profiles until 1st August 2007 without having to fulfil the requirements of Articles 18 and 21.
1) This Act shall come into force on 1 August 2002, subject to paragraph 2 below.
2) Articles 28 and 33 shall come into force on the date of proclamation.
signed Otmar Hasler