
Global Data Privacy Guide

Liechtenstein

(Europe) Firm Marxer Attorneys Updated 06 Aug 2025
1. What is the key legislation?

In Liechtenstein, the EU General Data Protection Regulation (GDPR) applies directly and immediately. It does not need to be transposed into national law but is directly applicable.

In addition, other EU directives and international frameworks also apply in Liechtenstein and have been incorporated into national law, for example those concerning data processing by law enforcement authorities and the free movement of data (EU Directive 2016/680).

In Liechtenstein, the GDPR is further specified and supplemented by the national Data Protection Act (DPA) and the Data Protection Ordinance (DSV).

Other relevant national legislation in Liechtenstein also includes the Information Act and its Ordinance, the Communication Act, the Unfair Competition Act and others.

Legal Basis                     Applicability
GDPR                            Directly applicable in Liechtenstein
EU Directive 2016/680           Implemented in the Data Protection Act
EU Directive 2016/679           Implemented in the Data Protection Act
EU Directive 2002/58            Implemented in the Data Protection Act
FL Data Protection Act          National law (Act)
FL Data Protection Ordinance    National law (Ordinance)
FL Information Act              National law (Act)
FL Information Ordinance        National law (Ordinance)
FL Communication Act            National law (Act)
FL Unfair Competition Act       National law (Act)

2. What are the key decisions applying that legislation?

Key decisions in Liechtenstein in terms of data protection include the following case law:

►    Case No. C-416/23, 9 January 2025, The Court of Justice
Issue: Can numerous data subject complaints be considered “excessive” under Article 57(4) GDPR?
Decision:
■    The number of requests alone (e.g. 77 complaints over 20 months) is not sufficient to classify them as "excessive".
■    Authorities must prove intent to abuse by the data subject.
■    Supervisory authorities may impose a fee or reject a request only with a reasoned decision, ensuring that any such measure is necessary, proportionate, and justified.
■    The term "request" under Art. 57(4) also includes complaints under Art. 77(1) GDPR.


►    Case No. C-383/23, 13 February 2025, The Court of Justice
Issue: How should the term “undertaking” be interpreted for GDPR fines under Art. 83?
Decision:
■    The term “undertaking” under GDPR Art. 83 refers to an economic unit, consistent with the definition in EU competition law (Arts. 101 & 102).
■    This includes parent and subsidiary companies acting as one entity.
■    Fines can thus be calculated based on the entire global annual turnover of the corporate group, not just the local entity.

►    Case No. C-203/22, 27 February 2025, The Court of Justice
Issue: Must companies disclose algorithmic logic behind automated decisions (e.g., credit scoring)?
Decision:
■    Under Art. 15(1)(h) and Art. 22(1) GDPR, companies must provide detailed, understandable explanations about automated decision-making processes.
■    Invoking trade secrets (under Directive 2016/943) does not justify refusal.
■    If a trade secret is involved, it must be disclosed to the supervisory authority or court, which will decide on proportional disclosure to the data subject.
■    In this case, the subject was denied a contract based on an AI-generated credit score.

►    Case No. C-710/23, 3 April 2025, The Court of Justice
Issue: Is disclosing names and contact info of company representatives considered personal data under the GDPR?
Decision:
■    Even when acting on behalf of a legal entity, such information constitutes personal data and is protected under the GDPR.
■    GDPR does not prevent stricter national rules requiring authorities to notify individuals before releasing documents containing their data, as long as such rules are not impossible or disproportionate in practice.

►    Case No. 2023/106, 26 March 2024, Constitutional Court (StGH)
Issue: PEID (personal electronic ID) number privacy
Decision: The PEID numeric code was deemed not to contain personal data under GDPR; even if parts coincidentally matched birthdates, it was still automatically generated and did not infringe data protection rights.

►    Case No. 2024/056, 2 September 2024, Constitutional Court (StGH)
Issue: Protection of Data Protection Officers (DPOs) in employment
Decision: GDPR’s safeguards against DPO removal under Art. 38(3) and Art. 7(3) do not prevent regular termination under normal employment law, provided dismissal is unrelated to DPO duties and is not retaliatory.

►    Cases No. 2021/031 & 2021/032, 3 September 2021, Court of Administrative Appeals (VGH)
Issue: Anonymity of GDPR complainants
Decision: The VGH ruled that complainants under Art. 77 GDPR do not have to disclose their identity to the data controller by default. Whether anonymity is permissible depends on a case-by-case assessment by the Data Protection Authority, balancing defense rights and GDPR obligations.

►    Case No. 2022/109, 15 December 2023, Court of Administrative Appeals (VGH)
Issue: Video surveillance at public recreation areas
Decision: The VGH upheld restrictions imposed by the Data Protection Authority on a municipality’s surveillance system, which had been installed to combat vandalism. The Court ruled that broad daytime surveillance was disproportionate; only limited night surveillance in specific zones was allowed, with strict storage limits under GDPR provisions.

Source: Judikaturspiegel 2018-2020 & Judikaturspiegel 2018-2024

1. How are “personal data” and “sensitive data” defined?

According to Art. 4(1) of the GDPR and Art. 46(a) DPA, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The term “personal data” does not include information relating to legal entities, deceased individuals, unborn children, or anonymized data.

According to Art. 9(1) of the GDPR and Art. 46(o) DPA, special categories of personal data (“sensitive data”) include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a person’s sex life or sexual orientation.

2. How is the defined data protected?

The DPA protects personal data through a combination of legal principles, data subject rights, and technical and organizational obligations placed on data controllers and processors. Specifically:

■    Principles of Data Processing (Art. 47 DPA):
Data must be processed lawfully, fairly, and transparently. It must be collected for specific purposes, kept accurate and up to date, and stored only as long as necessary.

■    Security of Processing (Art. 63 DPA):
Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes measures such as:
•    pseudonymization and encryption
•    ensuring confidentiality, integrity, availability, and resilience of systems
•    the ability to restore access after an incident
•    regular testing and evaluation of security measures

■    Accountability (Art. 61(5e) DPA):
Controllers are responsible for compliance and must be able to demonstrate that data protection principles are met.

■    Data Protection Impact Assessments (Art. 66 DPA):
For high-risk processing, organizations must assess and mitigate risks to individuals’ rights and freedoms before starting.

■    Supervisory Authority and Enforcement (Art. 40 DPA):
The Data Protection Authority can investigate, issue warnings or fines, and enforce corrective measures.

■    Data Subject Rights (Arts. 32-37 DPA):
Individuals have the right to access, correct, delete, restrict, or object to the processing of their data, and to request data portability.

3. Who is subject to privacy obligations?

Under Art. 2 of the Liechtenstein Data Protection Act, privacy obligations apply to:
■    Public bodies, including:
•    State authorities, municipalities, public-law corporations, foundations, and institutions (Art. 3(a)(1));
•    Private entities performing public-interest tasks assigned to them (Art. 3(a)(2)).
■    Non-public bodies, such as:
•    Natural persons, legal entities, associations, and societies under private law (Art. 3(b)(1)).

The Act also applies to non-public bodies if:
■    They process personal data within Liechtenstein;
■    The processing is carried out in connection with an establishment in Liechtenstein; or
■    They are outside the EEA but fall under the scope of the EU GDPR (Art. 2).

4. How is “data processing” defined?

According to Art. 4(2) of the GDPR and Art. 46(b) DPA, “data processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

5. What are the principles applicable to personal data processing?

According to Chapter II of the GDPR, the principles and rules on the protection of natural persons with regard to the processing of their personal data should respect their fundamental rights and freedoms, regardless of their nationality or residence, in particular their right to the protection of personal data.
According to Art. 47 of the DPA, personal data must be:
■    Lawfully and fairly processed
■    Collected for specific, explicit, and legitimate purposes
■    Adequate, relevant, and not excessive
■    Accurate and kept up to date, with prompt correction of errors
■    Stored only as long as necessary for the intended purpose
■    Processed with appropriate security to prevent unauthorized access, loss, or damage

These principles reflect the broader GDPR aim to safeguard individuals' fundamental rights and freedoms, regardless of their nationality or residence.

6. How is the processing of personal data regulated?

The DPA refers to the GDPR and the provisions contained therein. Processing of personal data is regulated throughout the DPA; Chapter III (Arts. 45-47) outlines specific legal bases and conditions, including core principles (Art. 47), processing of sensitive data (Art. 48), processing for secondary purposes (Art. 48), and processing for research or statistics (Art. 50). These operate alongside rules on security, individual rights, and oversight by the Data Protection Authority.
The DPA covers the following key components when it comes to processing of personal data:
a)    Lawfulness, Fairness, and Transparency (Art. 6 GDPR)
Data must be processed only if there is a legal basis, such as:
■    Consent of the data subject
■    Contract performance
■    Legal obligation
■    Protection of vital interests
■    Public interest or official authority
■    Legitimate interests of the controller

Processing must also be transparent, meaning data subjects are informed how their data is used.
b)    Purpose Limitation & Data Minimization (Art. 5(1) (b-c) GDPR)
Data must be collected for specified, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes. Only data that is adequate, relevant, and limited to what is necessary can be processed.
c)    Accuracy & Storage Limitation (Art. 5(1) (d-e) GDPR)
Controllers must keep data accurate and up-to-date and retain it no longer than necessary for the purpose.
d)    Integrity & Confidentiality (Art. 5(1)(f) GDPR)
Data must be protected through technical and organizational measures against:
■    Unauthorized access
■    Loss or destruction
■    Alteration or disclosure

e)    Accountability & Documentation (Art. 5(2) GDPR)
Controllers are not only responsible for complying but must also be able to demonstrate compliance through:
■    Records of processing activities
■    Data protection policies
■    Staff training and audits.

f)    Data Subject Rights (Arts. 16-22 GDPR & Arts. 55-58 DPA)
Individuals have strong rights, including:
■    Access
■    Rectification
■    Erasure (“right to be forgotten”)
■    Restriction
■    Objection
■    Data portability.
Controllers must facilitate these rights without undue delay.
g)    Special Categories of Data & Safeguards (Art. 9 GDPR)
Processing sensitive data (like health, religion, political opinions) is prohibited unless specific conditions and safeguards are in place.
h)    Regulatory control (Arts. 57-59 GDPR & Arts. 15-17 DPA)
The Liechtenstein Data Protection Authority supervises compliance, handles complaints, conducts investigations, and can issue fines or other corrective measures.

7. How are storage, security and retention of personal data regulated?

According to Arts. 63 and 70 of the DPA:

  • Controllers and processors must implement appropriate technical and organizational measures based on the risk level, current technology, and the nature of the processing. These measures may include encryption, pseudonymization, access controls, backup and recovery systems, and data separation for different processing purposes.
  • Systems must be designed for data protection by design and by default, meaning they should minimize data use and ensure only necessary data is processed and accessible.
  • Data must not be retained longer than necessary, and proper safeguards must be in place to prevent loss, destruction, or unauthorized access.

8. What are the data subjects' rights under the data legislation?

Under Arts. 32 to 37 of the DPA, data subjects have the following rights:
•    Right to information when data is collected directly (Art. 32)
•    Right to information when data is obtained from third parties (Art. 33)
•    Right of access to their personal data (Art. 34)
•    Right to rectification or erasure of inaccurate or unlawfully processed data (Art. 35(1))
•    Right to restriction of processing in certain circumstances (Art. 35(2))
•    Right to object to processing based on legitimate interests or public tasks (Art. 36)
•    Right not to be subject to automated decision-making, including profiling, if it has legal or similarly significant effects (Art. 37)

9. What are the consent requirements for data subjects?

Under Art. 51 of the DPA (mirroring Art. 7 GDPR), consent must be:

  • Freely given: no pressure, no hidden conditions
  • Specific: tied to a clearly defined purpose
  • Informed: the person knows what they’re agreeing to
  • Unambiguous: given through a clear affirmative action (e.g. ticking a box, clicking “I agree”)

Pre-ticked boxes, silence, or inactivity do not count as valid consent. If consent is collected electronically, the request must be clear, concise, and not disruptive.

Consent must also be as easy to withdraw as it is to give and separate from other terms and conditions.

10. How is authorization for use of data handled?

Authorization is based on legal grounds and specific procedural safeguards:

■    Legal basis (Arts. 6 and 9 GDPR): Use must rely on an adequacy decision, appropriate safeguards, or be justified by public interest, legal claims, or vital interests.

■    The information and transparency criteria in accordance with Arts. 12-14 GDPR must be complied with.

■    Data processing must be carried out in compliance with the rights of the data subject. These are:
•    Right to information (Arts. 13-14 GDPR)
•    Right of access (Art. 15 GDPR)
•    Right to rectification (Art. 16 GDPR)
•    Right to erasure or right to be forgotten (Art. 17 GDPR)
•    Right to restriction of processing (Art. 18 GDPR)
•    Right to data portability (Art. 20 GDPR)
•    Right to object (Art. 21 GDPR)
•    Right not to be subject to automated individual decision-making, including profiling (Art. 22 GDPR)

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Cross-border data transfers are regulated by Section E (“Transfer of data to third countries and international organizations”) of the DPA as well as Chapter V (“Transfers of personal data to third countries or international organizations”) of the GDPR.

Cross-border transfers of personal data are restricted to ensure adequate protection of individuals' rights. Key restrictions include:
a)    Adequacy Decision Required: Transfers to third countries or international organizations are only allowed if the recipient is responsible for a legitimate purpose (as defined in Art. 45) and the European Commission has issued an adequacy decision (Art. 77(1) DPA).

b)    Case-by-Case Assessment: Even with an adequacy decision, transfers may still be blocked if the recipient cannot ensure sufficient data protection or if the data subject’s rights outweigh the interest of the transfer (Art. 77(2) DPA).

c)    Prior Authorization Needed: If data originates from another EEA/Schengen country, prior authorization from that country is required, except in urgent cases involving public security (Art. 77(3) DPA).

d)    Further Transfers Restricted: The recipient may only transfer data onward to other third countries or international organizations with the original controller’s prior approval (Art. 77(4) DPA).

e)    Transfers with Safeguards: If there is no adequacy decision, transfers may proceed if:

■    There are legally binding safeguards, or
■    The controller determines that appropriate protections exist and documents the assessment (Art. 78 DPA).

f)    Exceptional Cases Without Safeguards: Transfers without an adequacy decision or safeguards are allowed only if necessary for:

■    Vital or legitimate interests;
■    Public security;
■    Specific legal claims or criminal justice purposes (Art. 79 DPA).

g)    Special Cases: In urgent or unique cases where standard recipients are unsuitable, transfers may be made if they are strictly necessary and fundamental rights are not compromised (Art. 80 DPA).

All transfers must be documented, reported to the Data Protection Authority when required, and limited to the stated purpose.

12. How are data "incidents" and "breaches" defined?

Under Art. 46(k) of the DPA and Art. 4(12) of the GDPR, a personal data breach is defined as:

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

This includes both accidental events and deliberate attacks.

The Liechtenstein law does not separately define “data incidents”, but in practice, all security incidents involving personal data that meet this definition are considered breaches and may require notification to the supervisory authority and/or data subjects.

13. Are there any notification requirements for incidents and/or data breaches?

Under Art. 64 of the DPA (aligned with Art. 33 GDPR):

■    If a personal data breach occurs, the controller must notify the Data Protection Authority without undue delay, and within 72 hours if feasible.
■    If notification is delayed beyond 72 hours, the controller must provide a justification.
■    Notification is not required if the breach is unlikely to pose a risk to the rights and freedoms of individuals.

In addition, under Art. 65 DPA (mirroring Art. 34 GDPR):

■    If the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay.

14. Who is/are the privacy regulator(s)?

The Data Protection Authority (Datenschutzstelle) is Liechtenstein’s national privacy regulator. According to Art. 9 of the DPA, it serves as the supervisory authority under both:

■    Art. 51 of the GDPR (Regulation (EU) 2016/679), and
■    Art. 41 of Directive (EU) 2016/680 (on law enforcement data processing).

The authority consists of a Head of the Data Protection Authority and supporting staff.

15. What are the consequences of a data breach?

Under the DPA, a data breach can lead to several legal and regulatory consequences:

a)    Notification obligations (Arts. 64-65 DPA, aligned with GDPR Arts. 33-34):

■    The Data Protection Authority must be notified within 72 hours if the breach is likely to pose a risk to individuals’ rights and freedoms.
■    Affected individuals must also be informed without undue delay if the risk is high, unless protective measures (like encryption) render the data unintelligible.

b)    Internal documentation (Art. 64(5) DPA & GDPR Art. 33(5)):
All breaches, whether reported or not, must be documented internally, including details of the nature, effects, and response actions.

c)    Administrative sanctions (Art. 40 DPA): Non-compliance can lead to fines, such as:

■    Up to EUR 10 Mio. or up to 2% of the total worldwide annual turnover for minor or procedural violations (Art. 83(4) GDPR).
■    Up to EUR 20 Mio. or up to 4% of the total worldwide annual turnover for intentional, grossly negligent breaches or non-compliance (Art. 83(5-6) GDPR).

d)    Criminal penalties (Arts. 41-42 DPA):
Intentional violations, particularly involving sensitive or large-scale data, can lead to criminal charges, especially breaches of confidentiality, and may be punished with imprisonment of up to six months or a fine of up to 360 daily rates.

16. How is electronic marketing regulated?

Electronic marketing in Liechtenstein is regulated partly in the Communication Act and the Unfair Competition Act, as well as in the Data Protection Act:

■    Direct marketing to existing customers is based on either the express consent of the recipient in accordance with Art. 6(1)(a) GDPR or the legitimate interest of an advertiser in accordance with Art. 6(1)(f) GDPR and Recital 47 GDPR.
■    For direct marketing to new customers who have not already published their contact details for this purpose or disclosed them to the advertiser, their explicit consent is required, as otherwise their interest in protection from unwanted advertising prevails and direct advertising is therefore prohibited (Art. 6(1) & Recital 47 GDPR).
■    The Liechtenstein Unfair Competition Act (UWG) stipulates in Point 26 of the Annex that ‘the solicitation of customers through persistent and unwanted contact...’ constitutes an unfair business practice. Even if direct advertising is permissible under data protection law, it must not be carried out in a persistent manner.
■    Regardless of its form, direct advertising must always contain an explicit and easily understandable reference to a simple option for unsubscribing in future or revoking consent that has been given (Art. 51 DPA & Art. 7 as well as Art. 21(4) GDPR). Similarly, the advertiser's data protection information pursuant to Arts. 13-14 GDPR must refer to the processing of data for advertising purposes and the associated right of objection of the data subject.
■    According to Art. 21 of the GDPR, individuals have the right to object at any time to the processing of their personal data for direct marketing purposes, including related profiling. Once they object, their data must no longer be used for that purpose.
■    Consent requirements (Art. 51 DPA & Arts. 6-7 GDPR): Sending marketing communications generally requires the prior, informed, and explicit consent of the recipient. Pre-ticked boxes, silence, or inactivity are not valid consent (Art. 4(11), Art. 6(1a) & Recital 32 GDPR).
■    Art. 63 in Section C of the Communications Act, which implements the EU ePrivacy Directive (2002/58/EC) into national law, contains provisions on data protection and unsolicited direct advertising. It prohibits unsolicited electronic communications (e.g. emails, SMS) for direct marketing without prior consent, unless narrow exceptions apply (such as existing customer relationships offering similar products).

17. Are there sector-specific or industry-specific privacy requirements?

The DPA does not include detailed sector-specific rules, however:
a)    General obligations under the DPA and GDPR apply to all sectors, including principles of lawfulness, purpose limitation, data minimization, and security.

b)    Additional requirements may apply through sector-specific laws, such as:

■    Financial and banking regulations, reflecting Liechtenstein’s role as a financial center (e.g. due diligence, AML laws).

■    Healthcare laws, which impose stricter confidentiality and processing rules for patient data.

■    Law enforcement and criminal justice, governed by Directive (EU) 2016/680, implemented in Section D of the DPA.

Organizations must comply with both the DPA and GDPR and any relevant sectoral legislation applicable to their industry.

18. What are the requirements for appointing Data Protection Officers or similar roles?

Under Arts. 6-8 of the DPA, in line with Arts. 37-39 of the GDPR, an organization must appoint a Data Protection Officer (DPO) if:

a)    It is a public authority or body (Art. 6(1) DPA), or

b)    Its core activities involve:

■    Large-scale monitoring of individuals (e.g. tracking, surveillance) according to Art. 37(b) & Recital 97 GDPR, or
■    Large-scale processing of special categories of data (e.g. health, ethnicity, biometric data) according to Art. 37(c) & Recital 97 GDPR.

DPO Requirements according to Art. 37 GDPR:

■    Specialist knowledge in the field of national and European data protection law;
■    Knowledge in the areas of IT and data security;
■    Knowledge of the respective industry and company;
■    Competence in promoting a data protection culture within the company;
■    The appointment of the Data Protection Officer must be notified to the Data Protection Authority.

19. What are the record-keeping and documentation obligations?

In addition to the ‘general’ deletion period, which begins when the data is no longer necessary for the purpose for which it was collected and must therefore be determined on a case-by-case basis, there are also statutory retention obligations and rights as well as deletion regulations (Art. 34 DPA). These specify how long certain personal data must be retained, or for what maximum period it may be retained. While the former must be ensured to remain stored for the entire period, the latter may be deleted earlier in the interests of data minimisation if the purpose no longer applies (Art. 70 DPA).

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

A data protection impact assessment must be carried out prior to data processing if a high risk to the rights and freedoms of natural persons is to be expected.
As stated in Recital 91 GDPR, “this should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale...”
The recital further explains that such risks may also arise when operations make it harder for data subjects to exercise their rights or access services, or involve systematic and large-scale public monitoring, especially with optic-electronic devices.

A DPIA refers to the data processed, the hardware and software used, and the processes employed in a specific processing operation.

When assessing whether a high risk is to be expected, the nature, scope, circumstances and purpose of the data processing must be taken into account in accordance with Art. 35(1) GDPR. If a Data Protection Officer has been appointed, their advice must be sought when conducting a data protection impact assessment in accordance with Art. 35(2) GDPR.

Art. 35(3) GDPR specifies three categories of cases that require a data protection impact assessment in any event. These are:

(a)    systematic and comprehensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, which serves as a basis for decisions that produce legal effects concerning natural persons or similarly significantly affect them;

(b)    extensive processing of special categories of personal data pursuant to Art. 9(1) or of personal data relating to criminal convictions and offences pursuant to Art. 10; or

(c)    systematic and extensive monitoring of publicly accessible areas.

Art. 35(4) GDPR requires national supervisory authorities to additionally draw up a list of processing operations for which a data protection impact assessment must be carried out (known as a ‘blacklist’).

If the planned data processing is on this ‘blacklist’, the controller is obliged to carry out an impact assessment. In such cases, the assessment of whether the data processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’ has already been carried out by the supervisory authority and does not need to be carried out by the controller.

21. What are the requirements for third-party vendor management and data sharing?

According to Art. 29 GDPR, the processor may only process the data on the instructions of the controller. If the processor does not comply with the instructions by determining the purposes and/or means of processing itself, it becomes the controller itself according to Art. 28(10) GDPR.

Contracting parties:
■    are obliged to carefully select processors in accordance with Art. 28(1) GDPR;
■    are responsible for assessing the lawfulness of the processing in accordance with Art. 6(1) GDPR and for safeguarding the rights of data subjects in accordance with Arts 12-22 GDPR;
■    issue specific instructions to the processor and document these;
■    treat all knowledge of trade secrets and data security measures of the processor obtained within the scope of the contractual relationship as confidential;
■    inform the processor immediately if they discover errors or irregularities when checking the results of the order.

Processors:
■    may only act in accordance with the written instructions of the controller (Art. 29 GDPR);
■    must demonstrate that they have implemented the guarantees required by Art. 28(1) GDPR with regard to technical and organisational measures;
■    are bound to secrecy together with their acting employees in accordance with Art. 28(3)(b) GDPR;
■    may not engage a sub-processor without the prior written consent of the controller (Art. 28(2) GDPR);
■    must cooperate with the supervisory authorities (such as the DSS) in accordance with Art. 31 GDPR;
■    must provide guarantees for the security of their processing in accordance with Art. 32 GDPR;
■    must keep a record of processing activities in accordance with Art. 30(2) GDPR;
■    must report data breaches to the controller in accordance with Art. 33 GDPR;
■    must appoint a Data Protection Officer if required in accordance with Art. 37 GDPR;
■    must appoint a representative within the EU/EEA if required in accordance with Art. 27 GDPR;
■    are subject to the investigative and sanctioning powers of the supervisory authorities in accordance with Art. 58 GDPR;
■    must expect sanctions or compensation payments in the event of a breach of their obligations.

Joint controllers (Art. 62 DPA) shall determine their respective tasks and responsibilities under data protection law in a transparent manner in an agreement, unless these tasks and responsibilities are already set out in a law. This agreement must indicate which of them must meet which information obligations, and how and with respect to whom data subjects may exercise their rights.

22. What are the penalties and enforcement mechanisms for non-compliance?

Non-compliance with the DPA can lead to both administrative fines and criminal penalties, depending on the nature and severity of the violation.

■    Administrative penalties (Art. 40 DPA, which is in line with Art. 83 GDPR).
■    Criminal penalties (Arts. 41-42 DPA):
•    Criminal prosecution applies for intentional breaches of data secrecy or unauthorized disclosure of personal data as well as unauthorised collection of personal data.
•    Sanctions may include fines or imprisonment, especially for repeated or serious violations.

Enforcement mechanisms (Art. 17 DPA, which is in line with Art. 58 GDPR): The Data Protection Authority has the following powers:
■    Conduct audits and investigations;
■    Issue warnings, reprimands, and orders to suspend or limit processing;
■    Impose fines or refer cases for criminal prosecution.

23. What are the ongoing compliance and audit requirements?

Under the DPA and the GDPR, controllers and processors must maintain continuous compliance through a series of proactive obligations:

  • Maintain records of processing activities
    Records must be accurate, up to date, and made available to the Data Protection Authority upon request (Art. 69 DPA & Art. 30 GDPR).
  • Conduct Data Protection Impact Assessments
    Required for high-risk processing (e.g. profiling, new technologies, large-scale monitoring) (Art. 66 DPA & Art. 35 GDPR).
  • Implement data protection by design and by default
    Systems and processes must minimize personal data use and restrict access to what’s strictly necessary (Art. 70 DPA & Art. 25 GDPR).
  • Ensure processor compliance
    Controllers must have written contracts and monitor processors for GDPR/DPA compliance (Art. 61 DPA, Art. 28 GDPR).
  • Review and update security measures regularly
    Security protocols must evolve to address emerging risks (Art. 63 DPA).
  • Annual reporting obligation
    Applies if an organization relies on individual assessments for international data transfers (Art. 78(3) DPA).
  • Cooperate with the supervisory authority
    Organizations must be ready to participate in audits, provide information, and comply with inspections by the Data Protection Authority (Art. 67 DPA).

24. Are there any recent developments or expected reforms?

There are currently no immediate amendments planned to the Liechtenstein Data Protection Act.
