Liechtenstein - National Data Protection Law


    Liechtenstein - National Data Protection Law

    Data Protection Act (DSG) of 14 March 2002 (LR-Nr. 235.1)

    Currently Lichtenstein is subject to the Data Protection Act (DSG) of 14 March 2002 (LR-No. 235.1). A total revision of data protection legislation, with the aim of implementing the GDPR is underway, and scheduled to be enacted in January 2019.

    Last Updated: July 24, 2019

  • General

    In an official statement, the government of Lichtenstein stated that the aim of this bill is to adapt the Liechtenstein data protection law to the new General Data Protection Regulation. For this reason, several provisions to the proposed law are being adjusted through the legislative process.

    The government issued statement focuses on fines (now to be issued by the DPA instead of the District Court, and elimination of substitute penalties), appointment of the DPA’s ombudsman (which will be limited to two years, the extent of the powers of the DPA, and the amendments carried out on approximately 120 sectoral laws. and duration  so that the buses are no longer issued by the district court, but by the data protection agency. This is accompanied by the elimination of substitute fines. The term of office of the Data Protection Officer will be reduced from eight to six years and the possibility of re-appointment will be limited to two.

    When the law is enacted we can expect it to follow the implementing laws of EU Member States:

    1. to mirror the GDPR in general; and
    2. to add provisions regulating specific aspects according to the leeway afforded by the GDPR.
  • DatabreachPedia


    As Liechtenstein is an EEA country, the General Data Protection Regulation (GDPR) breach notification obligation is applicable to it. There is a general requirement for data controllers to notify personal data breaches to the regulator and in cases of likely high risk to the rights and freedoms of natural persons, also to them.

    Is it Mandatory to Notify Individuals?

    Yes, if the personal data breach is likely to result in a high risk to their rights and freedoms.

    Is it Mandatory to Notify Regulator?

    Yes, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

    Notification Deadline

    72 hours

    Responsible Regulator

    The Liechtenstein Data Protection Authority / Datenschutzstelle
    Städtle 38
    PO Box/Postfach 684
    FL-9490 Vaduz

    Tel. +423 236 60 90
    E-mail: [email protected]

    Breach Notification Format

    Minimum requirements: nature of the breach, categories and approx. number of data subjects concerned, name and contact details of the DPO, likely consequences, measures taken/proposed to be taken. The Liechtenstein regulator provides a downloadable form (in German) for reporting data breaches either electronically or by post.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.