The GDPR also covers big companies, SMEs as well as sole proprietorships. Whenever a company processes personal data (this also includes, e.g. saving such data in a client index), the GDPR is applicable.

The GDPR contains a number of provisions that can be specified in greater detail or supplemented by the individual states. This means that despite uniform GDPR provisions, there are differences between individual European states. Around 70 so-called opening clauses are affected. These are governed by the national data protection acts of the individual states, and may be interpreted with differing degrees of strictness. As a result of the amendments to the GDPR, the data protection act in Liechtenstein is currently being completely revised and is expected to come into force by the end of 2018.

The principle of the duty of accountability is new. This means that companies must be able actively to demonstrate that the principles are being adhered to. This means:

  • The company must ensure transparency when processing personal data;
  • The company must obtain approval [1] for the data processing, must process data on the basis of a contractual relationship [2] or to fulfil a legal obligation [3], or for another reason specified in Art. 6 GDPR;
  • The company must inform the person whose data is being processed about the processing and its specific purpose;
  • The company may not collect more data than is required for the purpose for which it is being used;
  • The company may not store the data for longer than is required for the specified purpose;
  • The company must ensure that the data is protected from unauthorised access and misuse.

The Liechtenstein Data Protection Office has posted information about the on its website. This information is designed to help companies to implement and work under the new provisions.

Links (German only)