Page 1

235.1

Liechtenstein National Law Gazette
Vintage 2018

No. 272

issued on December 7, 2018

Data Protection Act (DSG)
from October 4, 2018
I give my opinion to the following resolution passed by the state parliament
Approval: 1

I. General provisions
A. Purpose, scope and definitions
Art. 1
purpose
1) This law aims to protect the personality and the
Fundamental rights of natural persons in the processing of their personal
related data.
2) It also serves:
a) the implementation of Regulation (EU) 2016/679 of the European
Parliament and Council of April 27, 2016 for the protection of natural
Persons in the processing of personal data, for the free
Data traffic and repealing Directive 95/46 / EC
( General Data Protection Regulation) (OJ L 119 of 4.5.2016, p. 1);
b) the implementation of Directive (EU) 2016/680 of the European Parliament
and of the Council of April 27, 2016 for the Protection of Natural Perpersons in the processing of personal data by the responsible
dignified authorities for the purpose of prevention, investigation, detection
or prosecution of criminal offenses or the execution of sentences as well as for
Version: 01/01/2021

1

Page 2
235.1

DSG

free movement of data and repealing Framework Decision 2008 /
977 / JHA of the Council (OJ L 119, 4.5.2016, p. 89).
3) The respectively valid version of the legal provisions mentioned in paragraph 2
resulting from the announcement of the resolutions of the community
the EEA Committee and the international treaties for further development
of the Schengen acquis in the Liechtenstein State Law Gazette
Art. 3 let. c and k of the Announcement Act.
Art. 2
scope of application
1) This law applies to the processing of personal data
by public bodies. This law applies to non-public bodies
for the fully or partially automated processing of personal data
Data as well as the non-automated processing of personal
Data that is or will be stored in a file system
unless the processing is carried out by natural persons for
Exercise exclusively personal or family activities.
2) Special legal provisions on data protection go to
Provisions of this law. Fix a situation for the
this law applies, not or not exclusively, see the regulations
of this Act subsidiary application. The obligation to uphold
Confidentiality or professional or official secrets remains
untouched.
3) This law applies to public bodies. On notIt applies to public bodies if:
a) the controller or processor of personal data
processed domestically;
b) the processing of personal data in the context of the activities
a domestic branch of the person responsible or
processor takes place; or
c) the controller or processor does not have a branch
in an EEA member state, but it falls within the scope of the
Regulation (EU) 2016/679 falls.
If this law does not apply according to sentence 2, apply to the
Responsible person or processor only Art. 9 to 20 and 39 to 44.
4) For the processing of personal data by public
Places in the context of not in the scope of the regulation
2

Version: 01/01/2021

Page 3
DSG

235.1

Activities covered by (EU) 2016/679 and Directive (EU) 2016/680,
can be found in Regulation (EU) 2016/679 and Chapters I and II of this law
according to application, unless in this Act or one
other law is regulated differently.
5) This law does not apply to:
a) Consultations in the state parliament and in commissions of the state parliament as well as in the
Judges selection board;
b) pending civil and administrative complaint proceedings;
c) pending proceedings before the State Court of Justice;
d) the activities of the financial control of the country.
6) This law does not apply insofar as EEA law, in particular
in particular Regulation (EU) 2016/679 applies directly.
Art. 3
Terms and designations
1) For the purposes of this Act, the following apply:
a) "Public bodies":
1. the organs of the state, municipalities and corporations, foundations
institutions and institutions under public law;
2. non-public bodies, insofar as they are in fulfillment of the
are active in their own public tasks;
b) "non-public bodies":
1. Natural and legal persons as well as legally competent persons
companies that are subject to private law, insofar as they are not subject to
Let. a No. 2 fall;
2. Public bodies according to lit. a No. 1, if they are private
act.
2) Among the persons and functions used in this Act
Ons terms are members of the feminine and masculine
Understand gender.

Version: 01/01/2021

3rd

Page 4
235.1

DSG

B. Legal basis for processing personal data
Art. 4
Processing of personal data by public bodies
The processing of personal data by a public body
is permissible if it is required to fulfill the responsibilities of the responsible
verbatim lying task or in the exercise of official authority, the
has been assigned to the person responsible.
Art. 5
Video surveillance of publicly accessible rooms
1) The observation of publicly accessible rooms with optical-electroNiche facilities (video surveillance) are only permitted if:
a) it is required:
1. to fulfill the tasks of public bodies;
2. to exercise house rules; or
3. to safeguard legitimate interests for specifically defined interests
Purposes; and
b) there are no indications that the interests of the data subject are worthy of protection
fenen predominate.
2) The following applies to video surveillance of the following systems and facilities
the protection of life, health or the freedom of persons residing there
as a particularly important interest:
a) publicly accessible large-scale facilities, such as in particular sports
, Places of assembly and entertainment, shopping centers or parking
places; or
b) Vehicles and large publicly accessible facilities of the
public transport.
3) The fact of the observation and the name and contact details
of the person responsible are to take appropriate measures at the earliest possible
to make identifiable point in time.
4) The storage or use of data collected in accordance with Paragraphs 1 and 2
Data is permitted if it is required to achieve the intended purpose.
and there are no indications that interests worthy of protection
of those affected predominate. Paragraph 2 applies accordingly. For someone else
Purpose, they may only be processed, as far as this is for defense
4th

Version: 01/01/2021

Page 5
DSG

235.1

of dangers to state or public security, to avert
serious danger to life, limb, freedom or property as well as for
Prosecution of criminal offenses or to preserve evidence is necessary; in the
in the latter cases, the state police can request the transmission of the
request the necessary data.
5) Are data collected by video surveillance of a specific
Assigned to a person, there is an obligation to inform the data subject
Person about the processing according to Articles 13 and 14 of the Regulation (EU)
2016/679. Art. 32 applies accordingly.
6) The data are to be deleted immediately when they are reached
of the purpose are no longer required or legitimate interests of
Those affected oppose further storage.
7) The use of video surveillance must be carried out prior to commissioning
to be reported to the data protection office. Assumed by a message
Image transmissions are assumed in real time without recording or
other further processing options. The government does it
More details with regulation.
8) Anyone who deliberately violates the reporting obligation according to Paragraph 7 will be
from the data protection office for violation with a fine of up to 5,000
Francs punished. Art. 40 paras. 3 to 6 apply accordingly.
C. Data protection officers of public bodies
Art. 6
designation
1) Public bodies appoint a data protection officer. This
also applies to public bodies according to Art. 3 Para. 1 let. b No. 2, the private
act economically.
2) For several public bodies, taking into account their
Organizational structure and its size, a common data protection
to be named.
3) The data protection officer is appointed on the basis of his professional
his qualification and, in particular, his specialist knowledge that he
owns in the field of data protection law and data protection practice,
as well as on the basis of its ability to fulfill the requirements set out in Art. 8
mentioned tasks.

Version: 01/01/2021

5

Page 6
235.1

DSG

4) The data protection officer can be employed by the public body
his or her duties on the basis of a service contract
fulfill.
5) The public body publishes the contact details of the data
protection officer and communicates this data to the data protection office.
Art. 7
position
1) The public body ensures that the data protection officer
properly and early in all with the protection of personal
Data-related questions is incorporated.
2) The public body supports the data protection officer in the
Fulfillment of his duties according to Art
The necessary resources and access to personal
Genigen data and processing operations as well as those to maintain his
Makes the necessary resources available.
3) The public body ensures that the data protection officer at
the fulfillment of his tasks no instructions regarding the exercise
of these tasks. The data protection officer reports immediately
the management of the public body. The data protection officer may from
not dismissed from the public body due to the fulfillment of his duties
or be disadvantaged.
4) The dismissal of the data protection officer is only permitted
permissible according to the application of Art. 24 of the State Personnel Act.
5) Affected persons can contact the data protection officer for all
with the processing of your personal data and with the
exercise your rights under Regulation (EU) 2016/679, this law
as well as other laws on data protection.
Consult the following questions. The data protection officer is responsible for
confidentiality about the identity of the data subject as well as about
Circumstances that allow conclusions to be drawn about the person concerned
obligated, as far as he is not exempted from it by the person concerned.
6) If the data protection officer is aware of
Receives data for the management or a public authority
employed person a refusal to testify for professional reasons
is entitled, this right is also available to the data protection officer and
to his subordinate employees. About exercising this right
6th

Version: 01/01/2021

Page 7
DSG

235.1

decides the person who has the right to refuse to testify for professional reasons
Reasons are due, unless this decision in the foreseeable future
cannot be brought about. So much for the right to refuse to testify
of the data protection officer suffices, his files and others are subject
Documents a prohibition of seizure.
Art. 8
tasks
1) The data protection officer is responsible in addition to those in the regulation
(EU) 2016/679 at least the following tasks:
a) Informing and advising the public body and employers
who carry out the processing with regard to their obligations
this law and other regulations on data protection, a
and finally the one adopted to implement Directive (EU) 2016/680
Laws;
b) Monitoring compliance with this Act and other regulations
on data protection, including the implementation of the directive
(EU) 2016/680 enacted laws, as well as the strategies of the public
Office for the protection of personal data, including the
Allocation of responsibilities, awareness raising and training
the employees involved in the processing operations and the
related reviews;
c) Advice in connection with the data protection impact assessment
and monitoring their implementation in accordance with Art. 66;
d) Cooperation with the data protection office;
e) Acting as a contact point for the data protection office in connection with the processing
related issues, including previous conConsultation according to Art. 68 and, if necessary, advice on all others
Ask.
2) In the case of a data protection officer appointed to a court
the tasks according to paragraph 1 do not relate to the actions of the court
as part of its judicial activity.
3) The data protection officer can have other tasks and obligations
perceive. The public body ensures that such tasks
and duties do not lead to a conflict of interest.
4) The data protection officer contributes to the fulfillment of his duties
due to the risk associated with the processing operations
Version: 01/01/2021

7th

Page 8
235.1

DSG

Invoice, stating the nature, scope, circumstances and purposes
processing is taken into account.
D. Data Protection Office
Art. 9
Position and organization
1) The data protection office is the national supervisory authority according to Art. 51
of Regulation (EU) 2016/679 and Art. 41 of Directive (EU) 2016/680.
2) The data protection office consists of the head of the data protection office
and the rest of the staff.
3) So far from Regulation (EU) 2016/679 or this law
nothing else results, takes place on the employment relationship of the head of the
Data protection office and the other staff of the data protection office
State Personnel Act apply mutatis mutandis.
Art. 10
Jurisdiction
1) The data protection office is responsible for the supervision of the by
processing carried out by public and non-public bodies
services.
2) The data protection office is not responsible for the supervision of:
a) the procedures carried out by the government in the course of its activities
works;
b) the acts carried out by the courts in the course of their judicial activity
menen processing.

8th

Version: 01/01/2021

Page 9
DSG

235.1

Art. 11
independence
1) The data protection office acts in the fulfillment of its tasks and
completely independent in the exercise of their powers. It is neither subject to
direct or indirect influence from outside and does not ask for
She still accepts instructions.
2) The data protection office is subject to review by the financial
troll under the Financial Control Act.

Establishment and termination of employment relationships
Art. 12
a) Head of the data protection office
1) The state parliament elects the head of the data protection office on the proposal of the
Government for a period of six years. Re-election is possible.
2) If the employment relationship ends at the end of the contract period, the
Government, in justified cases, employment until employment
of a successor by up to six months.
3) The employment relationship of the head of the data protection office ends with
Expiry of the contract period; Paragraph 4 remains reserved.
4) The employment relationship of the head of the data protection office can be determined by the
Government can only be terminated or dissolved if:
a) he prevents the fulfillment of the tasks due to illness or accident
is different; or
b) there is an important reason for termination without notice.
Art. 13
b) Other staff of the data protection office
1) The remaining staff of the data protection office will be appointed at the suggestion of
Employed by the government as head of the data protection agency.
2) Provisions on the transfer and termination of service
16 and 18 to 27 of the State Personnel Act
to the other staff of the data protection office with the stipulation
application that the transfer or termination of the employment relationship by
the government requires a request from the head of the data protection office.
Version: 01/01/2021

9

Page 10
235.1

DSG

Art. 14
Rights and obligations
1) The head of the data protection office sees everyone with the tasks
of his office and practices during
during his term of office no other incompatible with his office
valid or unpaid activity. The head of the data protection office
may not be submitted to the state parliament, the government, a court or a
administrative authority still belong to the function of a community leader
or a municipality council of a Liechtenstein municipality. With
after his appointment he resigns from such offices. He mustn't against
Submit extrajudicial reports for a fee.
2) The head of the data protection office is entitled to inform about persons who
informing him of facts in his capacity as head of the data protection office.
have dared to refuse to testify about these facts themselves.
This also applies to the other staff of the data protection office with the
admitted that the head of the data protection office was responsible for exercising this right
decides. As far as the right of the head of the data
protection point is sufficient, the submission or delivery of files or
other documents are not required of him.
3) The head of the data protection office is, even after the termination of his
Employment relationship, committed to him in the exercise of his office
to maintain secrecy about matters that have become known. This
does not apply to communications in business dealings or about facts,
which are obvious or, according to their significance, not secrecy
need. The head of the data protection office decides according to mandatory
use reasonable judgment as to whether and to what extent he has any such matters
Testifies or makes statements in court or out of court; if he
is no longer in office, the approval of the acting head of the
Data protection office required. The legally justified remains unaffected
Duty to report criminal offenses.
4) For the head of the data protection office and the other staff of
Articles 84 and 85 of the Tax Act do not apply to the data protection office. This
does not apply if the tax authorities have knowledge of the implementation
a procedure because of a tax offense as well as a related
pending tax proceedings, the pursuit of which is a mandatory
the public interest exists, or insofar as it is deliberately
specific details of the party responsible for providing information or the persons working for him
acts. If the data protection office detects a data protection violation, it is

10

Version: 01/01/2021

Page 11
DSG

235.1

authorized to report this and to inform the person concerned about it.
mate.
5) The head of the data protection office may testify as a witness, unless
the statement would:
a) cause harm to the well-being of the country, in particular to the country
Security or relations with other states; or
b) Violate fundamental rights.
6) If the statement according to Paragraph 5 relates to ongoing or completed
courses that are attributable to the area of ​responsibility of the government or
the head of the data protection office may only be in agreement with
testify to the government. The latter may only refuse approval if
the good of the country requires it.
7) The head of the data protection office issues organizational regulations,
which will be brought to the attention of the government.
Art. 15
tasks
1) In addition to the provisions in Regulation (EU) 2016 /
679 mentioned the following tasks:
a) the application of this Act and other regulations on
Data protection, including the implementation of the directive (EU)
2016/680 enacted laws, monitor and enforce;
b) the public for the risks, regulations, guarantees and rights im
In connection with the processing of personal data
raise awareness and educate them about it, taking specific measures
pay special attention to children;
c) the state parliament, the government and other institutions and bodies
legislative and administrative measures to protect rights and
Freedoms of natural persons with regard to the processing of personal
to advise related data;
d) the controllers and the processors for them
this law and other regulations on data protection, a
and finally the ones adopted to implement Directive (EU) 2016/680
Laws to sensitize emerging obligations;
e) at the request of any data subject, information about the exercise
your rights based on this Act and other regulations about
data protection, including the implementation of the directive (EU)
Version: 01/01/2021

11

Page 12
235.1

DSG

2016/680 enacted laws, to be made available and given
if for this purpose with the supervisory authorities in other member
states to work together;
f) dealing with complaints of a data subject or complaints of a
Body, an organization or an association according to Art. 55 of the
line (EU) 2016/680, the subject of the complaint in
reasonable scope to investigate and the complainant
within a reasonable period of time about the progress and the result
of the investigation, especially if another
Investigation or coordination with another regulatory agency
necessary is;
g) to cooperate with other supervisory authorities, also by providing information
exchange of information, and to provide you with administrative assistance to ensure the unified
Application and enforcement of this law and other provisions
publications on data protection, including the implementation of the
Directive (EU) 2016/680 enacted laws to ensure;
h) Investigations into the application of this Act and others
Data protection regulations, including implementation
of the Directive (EU) 2016/680 enacted laws, also
on the basis of information from another supervisory authority
or another authority;
i) to follow relevant developments insofar as they relate to protection
affect personal data, in particular the development of
Information and communication technology and business
practices;
k) Advice on the processing operations referred to in Art. 68
afford to; and
l) Contributions to the work of the European Data Protection Board
Afford.
2) In the scope of Directive (EU) 2016/680, the
Data protection office also fulfills the task according to Art. 60.
3) To meet the requirements set out in para. 1 let. c, the data
protection point on all questions that arise in connection with the protection of
personal data are available, of their own accord or upon request
participated in the state parliament or one of its commissions, the government,
direct other institutions and bodies. At the request of the Landtag,
one of its commissions or the government goes to the data protection agency

12th

Version: 01/01/2021

Page 13
DSG

235.1

also references to matters and processes of data protection
according to the public authorities.
4) The data protection office facilitates the submission of the information listed in Paragraph 1 lit.
f mentioned complaints through measures such as the provision
a complaint form, which can also be filled out electronically,
without excluding other means of communication.
5) The fulfillment of the tasks of the data protection office is essential for the affected
free person. In the case of manifestly unfounded or, in particular
those in the case of frequent repetition, excessive requests can cause the
Data protection office a reasonable fee on the basis of the
wands or refuse to act on the request.
In this case, the data protection office bears the burden of proof for the open
knowledgeable unfounded or excessive nature of the request. The directorRegulation regulates the details about the fee by ordinance.
Art. 16
Activity report
The data protection office prepares an annual report on its activities,
a list of the types of reported violations and the types of violations
the measures taken, including the sanctions imposed and the
Measures according to Art. 58 Para. 2 of Regulation (EU) 2016/679
can. It forwards the report to the state parliament and the government
Take note and make it public, the European
Data Protection Board and the EFTA Surveillance Authority.
Art. 17
Powers
1) Within the scope of the ordinance, the data protection office takes
(EU) 2016/679 the powers according to Art. 58 of the Regulation (EU)
2016/679 true. If the data protection office comes to the conclusion that
violate the data protection regulations or other shortcomings
when processing personal data are available, this will be communicated by the
responsible specific supervisory authority and issues it before issuing
exercise of the powers of Art. 58 Para. 2 let. b to g, i and j of the regulation
(EU) 2016/679 Opportunity to comment to the person responsible
take within a reasonable period of time. From the granting of the
Opportunity to comment can be waived if an immediate
Decision due to imminent danger or in the public interest
Version: 01/01/2021

13

Page 14
235.1

DSG

appears agile or there is a compelling public interest contrary to it.
stands. The statement should also include a description of the measures
that have been taken on the basis of the notification of the data protection office
are.
2) If the data protection office provides data processing by nonpublic or public bodies for purposes outside of the application
scope of Regulation (EU) 2016/679 violations of the
documents of this law or against other regulations on data
protection or other deficiencies in the processing or use of personal
related data, it will complain to the person responsible
lichen. In the case of a public body, it also informs the management
information about the complaint. She gives the person in charge, in the case of one
public authority, also the government, the opportunity for a position
consultation within a reasonable period to be determined by it.
The data protection office can refrain from making a complaint or accept one
Refrain from comment, especially if it is insignificant or
defects that have since been eliminated. The opinion is also intended to be a
Contain a description of the measures taken due to the complaint by
Data protection office have been taken. The data protection office can
Also warn those responsible that the intended processing
presumably against contained in this law and others on the
the respective data processing applicable regulations on the data
protection violated.
3) The powers of the data protection office also extend to:
a) Personal data obtained from public or non-public bodies
genetic data about the content and the more detailed circumstances of the letter, post
and telecommunications; and
b) personal data that is an official secret, in particular the
Tax secrecy according to Art. 83 of the Tax Act.
4) The public or private bodies are obliged to
Data protection office and that of it with the monitoring of compliance
of the data protection regulations:
a) after prior notification by the data protection office or commissioned
registered persons have access to the properties and rooms,
Finally, all data processing systems and devices, as well as all
personal data and information necessary for the fulfillment of their
Tasks are necessary to grant; and
b) all information necessary for the performance of their duties
are to be provided. In the case of non-public bodies, the information
14th

Version: 01/01/2021

Page 15
DSG

235.1

persons obliged to provide information refuse to provide the information if their
ment himself or one of the persons listed in section 108 (1) of the Code of Criminal Procedure
designated relatives from the risk of criminal prosecution
would put. The person obliged to provide information must be made aware of this.
5) The control activity according to paragraph 4 is with the greatest possible protection of the
To exercise rights of public or non-public bodies and third parties
to practice.
6) The data protection office advises and supports the data protection officer
with consideration of their typical needs. She can do the abberequest the data protection officer to be called if he is required to fulfill the
does not have the necessary specialist knowledge for his tasks or, in the case of Art.
38 para. 6 of Regulation (EU) 2016/679 a serious interest
there is a conflict.
7) The data protection office may only use the data it has saved for
Process the purposes of supervision; in doing so, it may transfer data to other
submit to regulatory authorities. Processing for another purpose is
admissible beyond Art. 6 Para. 4 of Regulation (EU) 2016/679 if:
a) it is obvious that it is in the interests of the data subject and
There is no reason to believe that they are aware of the other
For the purpose of refusing their consent;
b) to avert significant disadvantages for the common good or a
Public safety, defense or national danger
Security or to safeguard significant interests of the common good
is required; or
c) they are used for the prosecution of criminal offenses, for enforcement or for execution
of penalties or measures of the Criminal Code or of educational
preventive measures or other measures in the sense of the youth community
judicial act or for the enforcement of fines is required.
E. Representation in the European Data Protection Board and cooperation
work with other regulators
Art. 18
Representation in the European Data Protection Board
The data protection office represents the country in the European data protection
committee.

Version: 01/01/2021

15th

Page 16
235.1

DSG

Art. 19
Cooperation with other supervisory authorities
Before submitting a position to the supervisory authorities of others
EEA Member States, the EFTA Surveillance Authority or the EuroEuropean data protection committee, the data protection office involves others
national supervisory authorities according to Articles 85 and 91 of Regulation (EU)
2016/679, if these are affected by the matter.
F. Legal protection
Art. 20
Legal remedies
1) The data protection office can oppose decisions and orders
within four weeks of the delivery of the complaint to the complaint committee
mission for administrative matters.
2) Against decisions and rulings by the Appeals Commission
sion for administrative matters can be made within four weeks of delivery
a complaint can be lodged with the Administrative Court; this
The data protection office also has the right to do so.
3) The data protection office may make decisions and rulings against
not withdraw the suspensive effect through a public body.

II. Implementing provisions for processing to
Purposes according to Art. 2 of Regulation (EU) 2016/679
A. Legal basis for processing personal data
1. Processing of special categories of personal data and
Processing for other purposes
Art. 21
Processing of special categories of personal data
1) Notwithstanding Art. 9 Paragraph 1 of Regulation (EU) 2016/679, the
Processing of special categories of personal data in the sense of
permitted by Art. 9 Para. 1 of Regulation (EU) 2016/679:

16

Version: 01/01/2021

Page 17
DSG

235.1

a) by public and non-public bodies if they:
1. Is required to comply with the social security law and the
Exercise of social protection rights and the related
to comply with duties;
2. for the purpose of preventive health care, for assessing occupational
ability of the employee for medical diagnostics,
care or treatment in the health or social sector or
for the administration of systems and services in health and
Social area or based on a contract of the data subject
with a health professional is required and
this data from medical staff or other persons,
which are subject to a corresponding obligation of confidentiality, or
are processed under their responsibility; or
3. for reasons of public interest in the field of public
Health, such as protection against serious cross-border
progressive health hazards or to ensure high
Quality and safety standards in health care
and is required for drugs and medical devices; complement
In relation to the measures mentioned in Paragraph 2 are in particular the
professional and criminal law requirements to maintain the
To maintain professional secrecy;
b) by public bodies if they:
1. Mandatory for reasons of an overriding public interest
is required;
2. to avert a significant threat to public safety
is required;
3. to avert significant disadvantages for the common good or for
It is imperative to safeguard significant interests of the common good.
is lich; or
4. for compelling reasons of defense or fulfillment
or intergovernmental obligations of a public body
of the country in the field of crisis management or conflict
hindrance or is necessary for humanitarian measures
and as far as the interests of the person responsible in the data processing
management in the cases of lit. b the interests of the data subject
to weigh.
2) In the cases of Paragraph 1, appropriate and specific measures
to safeguard the interests of the data subject.
Version: 01/01/2021

17th

Page 18
235.1

DSG

Taking into account the state of the art, the implementation
cost and the nature, scope, circumstances and purposes of
Processing as well as the different probability of occurrence and
Severity of the risks to the rights and associated with the processing
Freedoms of natural persons can include in particular:
a) technical organizational measures to ensure that the
Processing is carried out in accordance with Regulation (EU) 2016/679;
b) Measures to ensure that retrospectively checked and determined
it can be established whether and by whom personal data is entered
give, have been altered or removed;
c) Raising the awareness of those involved in processing operations;
d) Appointment of a data protection officer;
e) Restricting access to personal data within
the responsible body and processors;
f) pseudonymization of personal data;
g) encryption of personal data;
h) Ensuring the ability, confidentiality, integrity, availability
and resilience of the systems and services related to the
Processing of personal data, including the ability to
the availability and access in the case of a physical or technical
to quickly restore an incident;
i) To ensure the security of the processing, the establishment of a
Procedure for regular review, assessment and evaluation
the effectiveness of the technical and organizational measures
took; or
k) specific procedural rules that apply in the event of a transfer or
Processing for other purposes compliance with the requirements of this
Law and Regulation (EU) 2016/679.
Art. 22
Processing for other purposes by public bodies
1) The processing of personal data for a different purpose
than to the person about whom the data was collected, through public
Positions within the scope of their tasks are permitted if:
a) it is obvious that it is in the interests of the data subject and
There is no reason to believe that they are aware of the other
For the purpose of refusing their consent;
18th

Version: 01/01/2021

Page 19
DSG

235.1

b) Information from the data subject must be checked because actual
there are any indications that they are incorrect;
c) to avert significant disadvantages for the common good or a
Public safety, defense or national danger
Security, to safeguard significant interests of the common good or for
Securing tax and customs revenue is necessary;
d) they are used for the prosecution of criminal offenses, for execution or for execution
of penalties or measures of the Criminal Code or of educational
preventive measures or other measures in the sense of the youth community
judicial act or for the enforcement of fines is required;
e) to avert a serious impairment of rights
is required by another person; or
f) they exercise supervisory and control powers, the
Auditing or conducting organizational investigations
serves the responsible party; this also applies to processing
for training and examination purposes by the person responsible,
insofar as the data subject's interests worthy of protection do not
oppose.
2) The processing of special categories of personal data
within the meaning of Art. 9 Paragraph 1 of Regulation (EU) 2016/679 to a
for a different purpose than that for which the data was collected
permissible if the requirements of Paragraph 1 and an exception
according to Art. 9 Para. 2 of Regulation (EU) 2016/679 or Art. 21
are present.
Art. 23
Processing for other purposes by non-public bodies
1) The processing of personal data for a different purpose
than to the person for whom the data was collected, through non-public
positions are permitted if:
a) it is required:
1. to avert dangers to state or public security
or to prosecute criminal offenses; or
2. for the assertion, exercise or defense of civil law
Expectations; and
b) the interests of the data subject in the exclusion of processing
tion do not predominate.
Version: 01/01/2021

19th

Page 20
235.1

DSG

2) The processing of special categories of personal data
within the meaning of Art. 9 Paragraph 1 of Regulation (EU) 2016/679 to a
for a different purpose than that for which the data was collected
permissible if the requirements of Paragraph 1 and an exception
according to Art. 9 Para. 2 of Regulation (EU) 2016/679 or Art. 21
are present.
Art. 24
Data transfers by public bodies
1) The transmission of personal data by public bodies
to public bodies is permitted if they are required to fulfill the
the transferring agency or the third party to whom the data is transferred.
are mediated, lying tasks are required and the prerequisites
There are tongues that would allow processing according to Art. The
Third parties to whom the data are transmitted may only use them for the purpose
process, for the fulfillment of which they are transmitted to him. A processing
Use for other purposes is permissible under the conditions of Art.
2) The transmission of personal data by public bodies
to non-public bodies is permitted if:
a) they are required to fulfill the obligations of the transmitting agency
tasks are required and the prerequisites are met,
which would allow processing according to Art. 22;
b) the third party to whom the data is transmitted is an authorized
esse credibly demonstrates and from the knowledge of the data to be transmitted
the data subject has no legitimate interest in the exclusion
the transmission has; or
c) they for the establishment, exercise or defense of legal
Claims is required
and the third party vis-à-vis the transmitting public body
is obliged to process the data only for the purpose for the fulfillment of which
ment they are transmitted to him. Processing for other purposes is
permissible if a transmission according to sentence 1 would be permissible and the transmitted
mediating body has agreed.
3) The transmission of special categories of personal data
within the meaning of Art. 9 Para. 1 of Regulation (EU) 2016/679 is permissible,
if the prerequisites of paragraph 1 or 2 and an exception
according to Art. 9 Para. 2 of Regulation (EU) 2016/679 or according to Art.
lie.
20th

Version: 01/01/2021

Page 21
DSG

235.1

2. Special processing situations
Art. 25
Restriction of the right to information for media professionals
1) Are personal data used exclusively for publication
publication in the editorial part of a periodically appearing medium
works, the person responsible can request the information according to Art. 15 of the
Refuse, restrict or postpone regulation (EU) 2016/679 if:
a) the personal data reveal the sources of information
give;
b) an insight into drafts for publications would have to be given; or
c) the public's freedom of opinion would be jeopardized.
2) Media professionals can request information in accordance with Art. 15 of the Ordinance
(EU) 2016/679 also refuse, restrict or postpone if
the processing of personal data exclusively as perserves as a personal work tool.
Art. 26
Data secrecy
Anyone who processes personal data or has it processed has perPersonal data from processing that he received due to his professional
entrusted to the job or made available
are, without prejudice to other statutory confidentiality obligations,
to be kept secret, unless there is a legally permissible reason for disclosure
the entrusted or accessible data exists.
Art. 27
Data processing for scientific or historical research
purposes and for statistical purposes
1) Notwithstanding Art. 9 Paragraph 1 of Regulation (EU) 2016/679, the
Processing of special categories of personal data in the sense of
of Art. 9 Para. 1 of Regulation (EU) 2016/679 even without consent
for scientific or historical research purposes or for statistical
cal purposes if the processing is necessary for these purposes
and the interests of the person responsible in the processing are the
Interests of the data subject in an exclusion of processing
Version: 01/01/2021

21

Page 22
235.1

DSG

predominate. The person responsible sees appropriate and specific measures
took to safeguard the interests of the data subject in accordance with Art. 21
Paragraph 2 Clause 2.
2) For scientific or historical research in the public interest
The person responsible may use specific research or statistical purposes
all personal data that do not fall under Paragraph 1 Clause 1 are
work if the processing is necessary for these purposes and
if:
a) the data is publicly available;
b) the data for the person responsible pseudonymized personal
Data are and the person responsible is the identity of the data subject
cannot determine with legally permissible means; or
c) Obtaining the consent of the data subject in the absence of his or her
Accessibility is impossible or otherwise disproportionate
Effort means.
Paragraph 1 sentence 2 applies accordingly. Art. 4 remains unaffected.
3) The provisions of Paragraphs 1 and 2 also apply to personal
gene data that the person responsible for other investigations or also
has legitimately identified other purposes.
4) The provisions in Articles 15, 16, 18 and 21 of Regulation (EU) 2016/679
seen rights of the data subject are limited to the extent that these
Rights are expected to enable the realization of the research or statistical
make purposes impossible or seriously impair them and the restrictions
necessary for the fulfillment of research or statistical purposes
is. The right to information according to Art. 15 of Regulation (EU) 2016/679
does not exist if the data is used for scientific
necessary research and the provision of information is an
would require a proportionate effort.
5) In addition to the measures mentioned in Art. 21 Para
for scientific or historical research purposes or for statistical
anonymize personal data processed for table purposes,
as soon as this is possible according to the research or statistical purpose, it be
because the legitimate interests of the data subject oppose this.
Until then, the features are to be saved separately with which individual entries
gave about personal or factual circumstances of a particular or
identifiable person can be assigned. You are allowed to use the
individual information will only be merged if the research or
Statistical purpose this requires.
22nd

Version: 01/01/2021

Page 23
DSG

235.1

6) The person responsible may only publish personal data
if the person concerned has consented or this is necessary for the
management of research results is essential.
Art. 28
Data processing for the purposes of personal, family and genealogical
research as well as the management and publication of family
Chronicles and biographies
The processing of personal data is also possible without
consent of the person concerned for the purposes of personal, family
and genealogical research as well as keeping and publishing
of family chronicles and biographies permitted if processing too
is necessary for these purposes. If the processing is particularly
their categories of personal data within the meaning of Art. 9 Para. 1
of Regulation (EU) 2016/679, this deviates from Art. 9
Para. 1 of Regulation (EU) 2016/679 permissible if the processing is to
is necessary for these purposes and the interests of the person responsible
Interests of the data subjects in an exclusion of processing
predominate. The person responsible sees appropriate and specific measures
took to safeguard the interests of the data subject in accordance with Art. 21
Paragraph 2 Clause 2.
Art. 29
Data processing for archiving purposes in the public interest
cick
1) Notwithstanding Art. 9 Paragraph 1 of Regulation (EU) 2016/679, the
Processing of special categories of personal data in the sense of
of Art. 9 Para. 1 of Regulation (EU) 2016/679 if they are for im
archiving purposes which are of public interest. The responsible
verbatim provides appropriate and specific measures to safeguard the
Interests of the data subject according to Art. 21 Paragraph 2 Clause 2.
2) For archiving purposes in the public interest that do not
If the goal is person-related results, the person responsible may all
process personal data that do not fall under Paragraph 1 Clause 1,
if the processing is necessary for these purposes and if:
a) the data is publicly available;

Version: 01/01/2021

23

Page 24
235.1

DSG

b) the data for the person responsible pseudonymized personal
Data are and the person responsible is the identity of the data subject
cannot determine with legally permissible means; or
c) Obtaining the consent of the data subject in the absence of his or her
Accessibility is impossible or otherwise disproportionate
Effort means.
Paragraph 1 sentence 2 applies accordingly. Art. 4 remains unaffected.
3) The provisions of Paragraphs 1 and 2 also apply to personal
gene data that the person responsible for other investigations or also
has legitimately identified other purposes.
4) The right to information of the data subject according to Art. 15 of the
ordnung (EU) 2016/679 does not exist if the archive material is not through the
Name of the person has been identified or no information is given
finding the archive material in question with justifiable administrative
enable effort.
5) The right to rectification of the data subject according to Art. 16 of
Regulation (EU) 2016/679 does not exist if the personal
Data are processed for archival purposes in the public interest.
If the data subject disputes the accuracy of the personal data
Data, it is to be given the possibility of a reply. The
The responsible archive is obliged to counter the documents
to add.
6) The items listed in Art. 18 Para. 1 let. a, b and d, Articles 20 and 21 of the Ordinance
(EU) 2016/679 do not exist insofar as these rights
probably the realization of those in the public interest
Make archival purposes impossible or seriously impair and the
Exceptions are necessary for the fulfillment of these purposes.
Art. 30
Rights of the data subject and supervisory powers in
Case of confidentiality obligations
1) For the rights of the data subject according to Art. 14, 15 and 34 of
Regulation (EU) 2016/679 the following applies:
a) the obligation to inform the data subject in accordance with Art. 14 Para. 1
to 4 of Regulation (EU) 2016/679, in addition to the provisions in Art.
14 para. 5 of Regulation (EU) 2016/679 do not have exceptions,
to the extent that their fulfillment would reveal information that:
24

Version: 01/01/2021

Page 25
DSG

235.1

1. are subject to a statutory duty of confidentiality; or
2. by their nature, in particular because of the predominantly legitimate
the interests of a third party must be kept secret;
b) the right to information of the data subject according to Art. 15 of the Ordinance
(EU) 2016/679 does not exist if the information provided
would be revealed that:
1. are subject to a statutory duty of confidentiality; or
2. by their nature, in particular because of the predominantly legitimate
the interests of a third party must be kept secret;
c) the obligation to notify according to Art. 34 of the Regulation (EU)
2016/679 is in addition to that in Art. 34 Para. 3 of the Regulation
(EU) 2016/679 does not apply to the extent that the notification
correct information would be disclosed that:
1. are subject to a statutory duty of confidentiality; or
2. by their nature, in particular because of the predominantly legitimate
interests of a third party must be kept secret.
Notwithstanding the exception according to lit. c No. 2 is the one concerned
To notify the person in accordance with Art. 34 of Regulation (EU) 2016/679,
if the interests of the data subject, especially taking into account
inspection of impending damage, against the interest of confidentiality
predominate.
2) Are data from third parties in the course of recording or as part of a
Mandate to a professional secret holder, so
there is the obligation of the transmitting body to inform the affected
person according to Art. 13 Para. 3 of Regulation (EU) 2016/679,
unless the data subject's interest in sharing information
ment predominates.
3) Compared to those in Section 121, Paragraphs 1, 3 and 4 of the Criminal Code
named persons or their processors pass the investigation
powers of the data protection office according to Art. 58 para. 1 let. e and f the
Regulation (EU) 2016/679 not, insofar as the use of the authorization
niss to a violation of the confidentiality obligations of these persons
would lead. If the data protection office obtains within the framework of an investigation
knowledge of data that is subject to a duty of confidentiality within the meaning of
Sentence 1, the duty of confidentiality also applies to the data
protection point.

Version: 01/01/2021

25th

Page 26
235.1

DSG

Art. 31
Protection of business transactions with scoring and credit reports
1) The use of a probability value over a particular one
future behavior of a natural person for the purpose of making decisions
the establishment, implementation or termination of a contract
relationship with this person (scoring) is only permitted if:
a) the provisions of data protection law have been complied with;
b) the data used to calculate the probability value under
Based on a scientifically recognized mathematical-staverifiable method for calculating the probability
the likelihood of certain behavior are significant;
c) not exclusively for the calculation of the probability value
Address data were used; and
d) in the case of the use of address data, the data subject
Calculation of the probability value over the intended groove
this data has been notified; the briefing is closed
document.
2) The use of a probability determined by credit agencies
value of the solvency and willingness to pay of a natural
In the case of the inclusion of information about claims
Only admissible if the requirements according to Paragraph 1 are met and
only those claims about an owed performance, which despite the due date
has not been provided, the following must be taken into account:
a) which are determined by an enforcement title according to Art. 1 of the enforcement order
have been provided;
b) determined in accordance with Art. 66 of the Insolvency Code and not dated
Debtors have been disputed in the audit agenda; 2
c) which the debtor has expressly recognized;
d) where:
1. the debtor after the due date of the claim at least
has received two written reminders;
2. the first reminder was at least four weeks ago;
3. the debtor in advance, but at the earliest with the first reminder, over
a possible consideration by a credit agency
has been; and
4. the debtor has not disputed the claim; or
26

Version: 01/01/2021

Page 27
DSG

235.1

e) their underlying contractual relationship due to payment
arrears can be terminated without notice and where the
Debtor previously informed about a possible consideration by an
kunftei has been informed.
3) The admissibility of the processing, including the determination of
Probability values, of other creditworthiness-relevant data after all
common data protection law remains unaffected.
B. rights of the data subject
Art. 32
Duty to provide information when collecting personal data at the
affected person
1) The obligation to inform the data subject according to Art. 13 Para.
3 of Regulation (EU) 2016/679 is in addition to that in Art. 13 Para. 4
of Regulation (EU) 2016/679 does not apply if the
Provision of information about the intended further processing:
a) relates to further processing of analog stored data, in which
the person responsible through the further processing directly to the
affected person applies, the purpose with the original collection
purpose is compatible with Regulation (EU) 2016/679, which
Communication with the data subject not in digital form
takes place and the interest of the data subject in the information
division according to the circumstances of the individual case, in particular with a view to
the context in which the data was collected should be regarded as low
see is;
b) in the case of a public body, the proper fulfillment of the
Responsibility of the person responsible within the meaning of
Art. 23 para. 1 let. a to e of Regulation (EU) 2016/679
and the interests of the person responsible in the non-grant
the information outweighs the interests of the data subject;
c) endanger public safety or order or otherwise the well-being
the country would be disadvantageous and the interests of the responsible
the interests of those concerned in the non-disclosure of the information
prevailing person;
d) the assertion, exercise or defense of legal
Would affect claims and the interests of the person responsible

Version: 01/01/2021

27

Page 28
235.1

DSG

the interests of those concerned in the failure to provide the information
prevailing person; or
e) confidential transmission of data to public bodies
would endanger.
2) If the data subject is not informed in accordance with the stipulations
of Paragraph 1, the person responsible takes suitable protective measures
the legitimate interests of the data subject, including
Provision of the information in Art. 13 Para. 1 and 2 of Regulation (EU) 2016/679
mentioned information for the public in more precise, transparent,
understandable and easily accessible form in a clear and simple
Language. The person responsible sets out in writing the reasons for which he is
has refrained from providing information. Sentences 1 and 2 apply in the cases
of para. 1 let. d and e do not apply.
3) If the notification is omitted in the cases of Paragraph 1 due to
a temporary obstacle, comes the person responsible
the information obligation, taking into account the specific circumstances
the processing within a reasonable period after discontinuation of the
the reason for the change, but no later than within two weeks.
Art. 33
Duty to provide information if the personal data is not with the
data subject were collected
1) The obligation to inform the data subject according to Art. 14 para.
1, 2 and 4 of Regulation (EU) 2016/679 exist in addition to the provisions in Art.
14 para. 5 of Regulation (EU) 2016/679 and the article 30 para. 1 let. a
mentioned exception not if the provision of the information:
a) in the case of a public body:
1. the proper fulfillment of the responsibilities of the responsible
verbatim tasks within the meaning of Art. 23 para. 1 let. a to
e of Regulation (EU) 2016/679; or
2. endanger public safety or order or otherwise
Would probably be detrimental to the country
and therefore the interest of the data subject in the information
grant must withdraw;
b) in the case of a non-public body:
1. the assertion, exercise or defense of legal
Claims would affect or processing data from
28

Version: 01/01/2021

Page 29
DSG

235.1

civil law contracts and the prevention of
Damage caused by criminal offenses serves, unless the legitimate interest
the data subject predominates in the provision of information; or
2. the responsible public body vis-à-vis the person responsible
has established that the disclosure of the data is public
Endanger security or order or otherwise the well-being of the country
Would cause disadvantages; in the case of data processing for purposes
criminal prosecution does not require a determination after the first one
Half-sentence.
2) If the data subject is not informed in accordance with the stipulations
of Paragraph 1, the person responsible takes suitable protective measures
the legitimate interests of the data subject, including
Provision of the information in Art. 14 Para. 1 and 2 of Regulation (EU) 2016/679
mentioned information for the public in more precise, transparent,
understandable and easily accessible form in a clear and simple
Language. The person responsible sets out in writing the reasons for which he is
has refrained from providing information.
3) Does the provision of information relate to the transmission of personal
related data by public bodies to the state police for their
Fulfillment of tasks within the framework of state security, it is only possible with consent
The national police are permitted.
Art. 34
Right of the data subject to be informed
1) The right to information of the data subject according to Art. 15 of the
Regulation (EU) 2016/679 is in addition to the provisions in Art. 27 Para. 4, Art. 29
Para. 4 and Art. 30 Para. 1 let. b does not apply if:
a) the data subject according to Art. 33 Para. 1 let. a, b No. 2 or Paragraph 3
is not to be informed; or
b) the data:
1. are only saved because they are due to legal or sataccording to the retention regulations are not deleted
allowed to; or
2. Exclusively for purposes of data backup or data protection
serve control

Version: 01/01/2021

29

Page 30
235.1

DSG

and the provision of information requires a disproportionate effort
as well as processing for other purposes by suitable
Necessary technical and organizational measures are excluded.
2) The reasons for the refusal to provide information must be documented. The
The data subject is entitled to refuse to provide information
justify, unless by the communication of the factual and legal
the reasons on which the decision is based
Refusal of arrival would jeopardize the purpose pursued. The purpose of
Provision of information to the data subject and for their preparation
Stored data may only be used for this purpose and for the purposes of
Data protection control are processed; for other purposes the processing
processing in accordance with Art. 18 of Regulation (EU) 2016/679
restrict.
3) If the data subject is not informed by a public body
the future is given, the information is available to the person concerned at the request of the person concerned
Data protection authority, unless the government determines in individual cases
states that this would endanger the security of the country. The message
mentation of the data protection office to the person concerned about the result of the
data protection check must not draw any conclusions about the
allow the responsible person to be informed, provided that he is not
consents to the information provided.
4) The right of the data subject to information about personal
Genetic data that are neither processed automatically by a public body
not yet processed automatically and stored in a file system
only exists if the person concerned provides information that
Make it possible to find the data and to provide the information
required effort not disproportionate to that of the person concerned
Person asserted interest in information.
Art. 35
Right to cancellation
1) Is a deletion in the case of non-automated or automated
Data processing due to the special type of processing or storage
insurance is not possible or only possible with disproportionately high effort
and the data subject's interest in the deletion is low
view, the data subject has the right to and the duty
of the person responsible for the deletion of personal data according to Art. 17
Paragraph 1 of Regulation (EU) 2016/679 in addition to the provisions in Art. 17 Para.
30th

Version: 01/01/2021

Page 31
DSG

235.1

3 of Regulation (EU) 2016/679 not mentioned exceptions. In this
In this case, instead of deletion, processing is restricted
according to Art. 18 of Regulation (EU) 2016/679. Find sentences 1 and 2
does not apply if the personal data is unlawfully
were working.
2) In addition to Art. 18 Para. 1 let. b and c of Regulation (EU) 2016 /
679, Paragraph 1 Clause 1 and 2 apply accordingly in the case of Art. 17 Paragraph 1 lit. a
and d of Regulation (EU) 2016/679, as long as and to the extent that the
has reason to believe that deletion would result in protection worthy of
The interests of the data subject would be adversely affected. The responsible
liche informs the person concerned about the restriction of the
work, unless the instruction turns out to be impossible or
would require a disproportionate effort.
3) In addition to Art. 17 Para. 3 let. b of Regulation (EU) 2016/679
Paragraph 1 applies accordingly in the case of Art. 17 Paragraph 1 lit. a of the regulation
(EU) 2016/679, if a deletion is statutory or contractual
Retention periods oppose this.
Art. 36
Right to object
The right to object according to Art. 21 Paragraph 1 of the Regulation (EU)
2016/679 does not exist vis-à-vis a public body insofar as the
There is an overriding public interest that the interfood of the person concerned predominates, or a legal provision
obliged to process.
Art. 37
Automated decisions in individual cases including profiling
1) The right according to Art. 22 Paragraph 1 of Regulation (EU) 2016/679,
none based solely on automated processing
The decision to be subjected is based on the conditions set out in Art. 22 Para. 2
Let. a and c of Regulation (EU) 2016/679
not if the decision is made in the context of:
a) the provision of services is issued under an insurance contract and
1. concerns the setting of the insurance premium;
2. the request of the data subject has been granted; or

Version: 01/01/2021

31

Page 32
235.1

DSG

3. the decision on the application of binding fee regulations
lungs for healing treatments is based;
b) the exercise of due diligence when starting a business
relationship, risk-adequate monitoring and risk assessment
a declaration according to Art. 5, 9 and 9a of the Due Diligence Act is issued;
c) of the lending business according to Art. 3 Para. 3 let. b of the Banking Act is issued;
or
d) the provision of an investment service or ancillary securities
service according to Art. 3 Para. 4 of the Banking Act or Art. 3 of the
Asset Management Act is issued.
2) With the exception of para. 1 let. a no. 2 and let. b has the responsibility
take appropriate measures to safeguard legitimate interests
to meet the data subject, including at least the right to obtain
the intervention of a person on the part of the person responsible, on loan
of one's own point of view and contesting the decision counts;
the person responsible informs the data subject about these rights
test at the time of the notification from which it follows that the request
the data subject is not granted in full or the
affected person negatively affected by the automated decision
could be.
3) Decisions according to para. 1 let. a may rely on the processing of
Health data within the meaning of Art. 4 No. 15 of Regulation (EU) 2016 /
679 are based. The person responsible sees appropriate and specific measures
took to safeguard the interests of the data subject in accordance with Art. 21
Paragraph 2 Clause 2.
C. Responsibilities of the controllers and processors
Art. 38
Data protection officers of non-public bodies
1) Is the appointment of a data protection officer for non-public
mandatory, the dismissal of the data
protection officers only under the conditions of labor law
Provisions on the termination without notice for important reasons according to §
1173a Art. 53 ABGB.
2) The data protection officer is obliged to maintain secrecy about the identity
activity of the data subject as well as circumstances that allow conclusions to be drawn about the
32

Version: 01/01/2021

Page 33
DSG

235.1

allow the affected person, if he has not been informed by the
affected person is released.
3) If the data protection officer is aware of
Receives data for the controller or processor
Is entitled to refuse to testify, this right is also available to the data
protection officer and his subordinate employees. About the
The exercise of this right is decided by the person who refuses to testify.
unless this decision is due in the foreseeable future
cannot be brought about. So much for the right to refuse to testify
of the data protection officer suffices, his files and others are subject
Documents a prohibition of seizure.
Art. 39
Accreditation
1) The granting of the authority to act as a certification body in accordance with Art. 43 Para.
1 sentence 1 of Regulation (EU) 2016/679 is carried out by
Liechtenstein accreditation body.
2) The government can provide further details on accreditation with ordinance
regulation.
D. Penal provisions
Art. 40
Violations according to Regulation (EU) 2016/679
1) The data protection office is penalized for violation of the law
Paragraph 2 punishes anyone who - even if only negligently - in accordance with Art. 83
Paragraphs 4 to 6 of Regulation (EU) 2016/679 against the provisions of
Regulation (EU) 2016/679 violates.
2) The fine is:
a) in the cases according to Art. 83 (4) of Regulation (EU) 2016/679: up to
11 million francs or, in the case of a legal entity, up to
2% of your total worldwide annual sales of the previous
in the respective financial year, whichever of the amounts is higher;
b) in the cases according to Art. 83 Para. 5 and 6 of Regulation (EU) 2016/679:
up to CHF 22 million or, in the case of a legal entity, of
up to 4% of your total worldwide annual sales of the previous
past financial year, whichever is the higher.
Version: 01/01/2021

33

Page 34
235.1

DSG

3) The data protection office has to penalize legal persons
hang when the transgressions are in the course of business
the legal person (incidental acts) are committed by persons who
either alone or as a member of the Board of Directors, the Executive Board,
of the board of directors or supervisory board of the legal person or due to
acted in another managerial position within the legal person
because of which they:
a) are authorized to represent the legal person externally;
b) exercise control powers in a managerial position; or
c) otherwise significant influence on the management of the legal
Exercise person.
4) For violations by employees of the legal entity,
although not at fault, is the legal person
also responsible if the transgression is thereby made possible or
It has been made much easier that the persons named in Paragraph 3
have failed to take the necessary and reasonable measures for
To prevent such acts of cause to be seized.
5) The responsibility of the legal person for the cause and
the criminal liability of the persons named in paragraph 3 or of employees
according to para. 4 due to the same act are not mutually exclusive. The dataprotection agency can refrain from punishing a natural person,
if a fine has already been imposed on the legal entity for the same offense
is imposed and there are no special circumstances that a
Refrain from punishment.
6) The data protection office will use the catalog of Art. 83 Para. 2 to 6 of
Apply Regulation (EU) 2016/679 in such a way that the
moderation is maintained. Especially in the case of first-time violations
the data protection office in accordance with Art. 58 of Regulation (EU) 2016 /
679 of their remedial powers, in particular by issuing a warning
do.
7) There are no fines against authorities and other public bodies
imposed.
Art. 41
Unauthorized gathering of personal data
Anyone who has unauthorized personal data that is not freely accessible,
obtained from data processing is, at the request of the injured party, from
34

Version: 01/01/2021

Page 35
DSG

235.1

District court for offenses with imprisonment for up to six months or
To punish a fine of up to 360 daily rates.
Art. 42
Breach of data secrecy
1) Anyone who willfully unauthorized access to secret, personal data
makes available to others, published or exploited, of whom he is at
the exercise of his profession, which requires knowledge of such data,
has learned, is at the request of the injured party by the regional court for
going with a prison sentence of up to six months or a fine of up to 360
Punish daily rates.
2) Anyone who commits the act in order to protect himself or another person
To turn an advantage or to inflict a disadvantage on another is on
Demand of the injured party with imprisonment for up to one year or with
To punish a fine of up to 360 daily rates.
3) Anyone who willfully secret, personal-related is also to be punished
Makes data accessible to another without authorization, publishes or
evaluates, of which he in his work for the confidentiality officer
or learned from them during their training.
4) Make the unauthorized person available to another or publish
Chen of secret, personal data is also after the termination of the
Practice or training is punishable by law.
Art. 43
Use ban
A notification according to Art. 33 of Regulation (EU) 2016/679 or a
Notification according to Art. 34 Para. 1 of Regulation (EU) 2016/679
in criminal proceedings according to Art. 41 and 42 against the notifying party
or notifying party or his or her in Section 108 (1) of the Code of Criminal Procedure
Only with the consent of the person subject to the notification requirement
or notifiers can be used.

Version: 01/01/2021

35

Page 36
235.1

DSG

E. Liability
Art. 44
Liability and right to compensation
1) Any person who, because of a violation of the Regulation (EU)
2016/679 or against the provisions of Chapter I or II a material
rial or immaterial damage has occurred, is entitled to damage
Compensation against the person responsible or against the processor
according to Art. 82 of Regulation (EU) 2016/679. In detail apply to this
Compensation claim the general provisions of the civil
Right.
2) Does the controller or processor have a representative
named according to Art. 27 Paragraph 1 of Regulation (EU) 2016/679, this also applies
as authorized to oppose notifications in civil court proceedings
increase. Art. 12 of the Service Act remains unaffected.

III. Provisions for processing for purposes
Art. 1 para. 1 of Directive (EU) 2016/680
A. Scope, definitions and general principles
records for the processing of personal data
Art. 45
scope of application
The provisions of this chapter apply to the processing of personal
data extracted by those for prevention, investigation, detection or
Prosecution of criminal offenses or the enforcement of criminal offenses
all bodies, insofar as they provide data for the purpose of fulfilling these tasks
to process. The public authorities are considered to be responsible. The
Prevention of criminal offenses within the meaning of sentence 1 includes protection against
and averting threats to public safety. The sentences 1
and 2 also apply to those public bodies that work for
the enforcement of penalties, measures of criminal law, of
Educational measures or other measures in the sense of the youth
court law and fines are responsible. So much for this chapter
Contains regulations for processors, it also applies to them.
36

Version: 01/01/2021

Page 37
DSG

235.1

Art. 46
Definitions
For the purposes of this chapter:
a) "Personal data": all information that relates to an identical
identified or identifiable natural person (data subject)
Respectively; A natural person is regarded as identifiable who
directly or indirectly, in particular by means of assignment to an identifier
like a name, an identification number, location data, a
Online ID or for one or more special features,
the expression of physical, physiological, genetic, psychological
that person’s physical, economic, cultural or social identity
are, can be identified;
b) "Processing": anyone with or without the help of automated processes
guided process or any such series of processes in context
with personal data such as the collection, recording, organizational
organization, ordering, storing, adapting, changing,
reading, querying, using, disclosing
Transmission, dissemination or any other form of provision,
the comparison, the link, the restriction, the deletion or
the destruction;
c) "Restriction of processing": the marking of stored perpersonal data with the aim of stopping their future processing
lockers;
d) "Profiling": any type of automated processing of personal
gener data, which consists in the fact that this personal data is
will be applied to certain personal aspects that relate to one
natural person refer to, to evaluate, in particular to aspects
regarding work performance, economic situation, health, personal
Preferences, interests, reliability, behavior, whereabouts or
To analyze or to anticipate a change of location of this natural person
say;
e) "Pseudonymization": the processing of personal data in
in a way that the personal data without consulting
additional information is no longer of a specific concern
Can be assigned to a person, provided that this additional information
stored separately and technical and organizational
are subject to measures to ensure that the personal

Version: 01/01/2021

37

Page 38
235.1

DSG

obtained data not of an identified or identifiable natural
assigned to a person;
f) "file system": any structured collection of personal data,
which are accessible according to certain criteria, regardless of whether
this collection centralized, decentralized or according to functional or geographical
fishing is conducted in an orderly manner;
g) "Controller": the competent authority, alone or jointly
with others about the purposes and means of processing personal
decides on related data;
h) "Processor": a natural or legal person, authority,
Institution or other body that provides personal data on behalf of
processed by the controller;
i) "Recipient": a natural or legal person, authority, institution
management or other body that discloses personal data
regardless of whether it is a third party
or not; Authorities who, as part of a certain investigation
order according to EEA / Schengen law or other laws.
receive personal data, but are not considered recipients; the Verprocessing of this data by the named authorities takes place in a
sounded in accordance with the applicable data protection regulations in accordance with the purposes
processing;
k) "Personal data breach": a breach
the security that, whether unintentional or unlawful, leads to destruction
processing, loss, alteration or unauthorized disclosure
of or for unauthorized access to personal
Leads to data that is transmitted, stored or otherwise processed
were worked;
l) "genetic data": personal data related to the inherited or
acquired genetic traits of a natural person who
clear information about their physiology or health
natural person and in particular from the analysis of a biological sample of the natural person concerned has been obtained;
m) "Biometric data": obtained using special technical processes
personal data relating to the physical, physiological or
holding-typical characteristics of a natural person, which the unique
Enable or confirm the identification of this natural person,
in particular facial images or dactyloscopic data;
n) "Health data": personal data relating to the body
physical or mental health of a natural person, including
38

Version: 01/01/2021

Page 39
DSG

235.1

the provision of health care services, referring to and from
which provide information about their state of health;
o) "special categories of personal data":
1. Data showing the racial or ethnic origin, political
Opinions, religious or ideological beliefs or the
Indicate union membership;
2. genetic data;
3. biometric data for the unambiguous identification of a natural one
Person;
4. health data; and
5. data on sex life or sexual orientation;
p) "Supervisory authority": one of an EEA / Schengen state according to Art. 41
independent government agency established under Directive (EU) 2016/680;
q) "international organization": an organization governed by international law and
their subordinate bodies or any other body that
an agreement concluded between two or more states, or
was created on the basis of such an agreement;
r) "Consent": each voluntary for the specific case, in informed
Wise and unmistakable declaration of intent in the form
a declaration or any other unequivocal confirming hand
ment, with which the person concerned indicates that they are dealing with the
Processing of the personal data concerning them
is standing.
Art. 47
General principles for the processing of personal data
Personal data must:
a) processed lawfully and in good faith;
b) collected for specified, explicit and legitimate purposes and not
processed in a manner incompatible with these purposes
become;
c) correspond to the processing purpose, for achieving the processing
for the intended purpose and their processing not other than
stand in relation to this purpose;
d) be factually correct and, if necessary, up to date;
all appropriate measures must be taken to ensure that personal
Version: 01/01/2021

39

Page 40
235.1

DSG

related data with a view to the purposes of their processing
are incorrect, deleted or corrected immediately;
e) no longer than is necessary for the purposes for which they are processed
is to be stored in a form that allows the identification of the
enables affected persons; and
f) processed in a manner that ensures reasonable security of the
personal data guaranteed; this also includes a through
to ensure suitable technical and organizational measures
tender protection against unauthorized or unlawful processing, unauthorized
intentional loss, unintentional destruction or unintentional
caused damage.
B. Legal basis for processing personal data
Art. 48
Processing of special categories of personal data
1) The processing of special categories of personal data
is only permitted if it is absolutely necessary for the performance of the task
and:
a) a law expressly provides for it;
b) serves to safeguard the vital interests of a person; or
c) relates to personal data held by the data subject
have obviously been made public themselves.
2) Are special categories of personal data processed,
suitable guarantees for the legal interests of the data subjects are
watch. Suitable guarantees can in particular be:
a) specific requirements for data security or data protection
control;
b) the establishment of special removal test periods;
c) raising the awareness of those involved in processing operations;
d) the restriction of access to personal data within
half of the responsible body;
e) processing separate from other data;
f) the pseudonymization of personal data;
g) the encryption of personal data; or

40

Version: 01/01/2021

Page 41
DSG

235.1

h) specific procedural rules that apply in the event of a transfer or
Processing for other purposes the lawfulness of the processing
to ensure.
Art. 49
Processing for other purposes
Processing of personal data for a different purpose
than to the one to whom they were raised is permissible if it is
the other purpose is one of the purposes specified in Art. 45,
the controller is authorized to process data for this purpose, and
the processing is necessary and proportionate for this purpose.
The processing of personal data to another, in Art. 45
A purpose not mentioned is permissible if there is a legal basis for it
consists.
Art. 50
Processing to archival, scientific and statistical
Purposes
Personal data may be used within the framework of the conditions mentioned in Art
Purposes in archival, scientific or statistical form.
work if there is a public interest in this and
ned guarantees for the legal interests of the data subjects are provided
become. Such guarantees can be made as promptly as possible.
the anonymization of personal data, in precautionary measures
against their unauthorized knowledge by third parties or in your room
and organizationally separated from the other specialist tasks
exist.
Art. 51
consent
1) As far as the processing of personal data in accordance with
a legal provision based on consent
can take place, the person responsible must obtain the consent of the data subject
Person can prove.
2) If the data subject gives his / her consent in accordance with Paragraph 1
a written declaration that relates to other issues must do so
Requests for consent in an understandable and easily accessible form
Version: 01/01/2021

41

Page 42
235.1

DSG

be done in clear and simple language so that it is different from the others
Facts must be clearly distinguished.
3) The person concerned has the right to give their consent in accordance with para.
1 to revoke at any time. By withdrawing your consent, the
Legality of the consent given up to the point of revocation
Processing not affected. Before submitting the input, the person concerned is
consent to inform.
4) The consent according to paragraph 1 is only effective if it is based on the
free decision of the data subject. When assessing whether
the consent was given voluntarily, the circumstances of the granting
must be taken into account. The data subject is on the intended
Indicate the purpose of the processing. Is this according to the circumstances of the
It is necessary in individual cases or if the data subject requests this
also to instruct you about the consequences of refusing your consent.
5) As far as special categories of personal data are processed
the consent in accordance with Paragraph 1 must explicitly refer to this
Get data.
Art. 52
Processing on the instructions of the person responsible
Each subordinate to a controller or a processor
The person who has access to personal data is allowed to do so
Process data exclusively on the instructions of the person responsible, unless
because that it is legally obliged to process.
Art. 53
Data secrecy
Persons involved in data processing may use personal
Do not process data without authorization (data secrecy). You are at the
to commit to data secrecy in their activities. The data
The secrecy persists even after the termination of their activity.
Art. 54
Automated individual decision
1) One based exclusively on automatic processing
Decision that has an adverse legal consequence for the person concerned
42

Version: 01/01/2021

Page 43
DSG

235.1

Connected to a person or significantly impairing them is only permitted,
if there is a legal basis for this.
2) Decisions according to Paragraph 1 may not be based on special categories
personal data, unless appropriate measures are taken
to protect legal interests and the legitimate interests of the
people were hit.
3) Profiling, which means that data subjects are fundamentally
is discriminated against by special categories of personal data
is prohibited.
C. Rights of the data subject
Art. 55
General information on data processing
The person in charge has in general terms and for everyone
to provide accessible information about:
a) the purposes of the processing carried out by him;
b) those with a view to the processing of their personal data
existing rights of the data subjects to information, rectification
elimination, deletion and restriction of processing;
c) the name and contact details of the person responsible and the
Data protection officer;
d) the right to call the data protection office; and
e) the availability of the data protection office.
Art. 56
Notification of data subjects
1) Is the notification of data subjects about the processing
personal data concerning them in special legal provisions
provisions, especially in the case of covert measures, are provided or approved
assigns, this notification must assign at least the following information
contain:
a) the information specified in Art. 55;
b) the legal basis of the processing;

Version: 01/01/2021

43

Page 44
235.1

DSG

c) the storage period applicable to the data or, if this is not possible,
the criteria for determining that duration;
d) if applicable, the categories of recipients of the personal
Data; and
e) if necessary, further information, in particular if the perPersonal data collected without the knowledge of the data subject
were.
2) In the cases of Paragraph 1, the person responsible can notify
Postpone, restrict or refrain from doing so to the extent that and for as long as
otherwise:
a) the fulfillment of the tasks specified in Art. 45,
b) public safety or
c) Third party legal interests
would be compromised if the interest in avoiding this
The data subject's interest in information outweighs the risks.
3) If the notification relates to the transmission of personal
pulled data to the state police for their task fulfillment within the framework
of state security, it is only permitted with the consent of the state police.
4) In the case of the restriction according to Paragraph 2, Art. 57 Paragraph 7 applies accordingly.
corresponding.
Art. 57
right of providing information
1) The person responsible has information on data subjects upon request
to indicate whether he is processing data relating to you. Affected person
In addition, individuals have the right to receive information about:
a) the personal data that are the subject of the processing,
and the category to which they belong;
b) the information available on the origin of the data;
c) the purposes of the processing and their legal basis;
d) the recipients or the categories of recipients to whom
the data has been disclosed, in particular to recipients in
Third countries or international organizations;
e) the storage period applicable to the data or, if this is not possible,
the criteria for determining that duration;

44

Version: 01/01/2021

Page 45
DSG

235.1

f) the existence of a right to correction, deletion or restriction
the processing of the data by the person responsible;
g) the right according to Art. 60 to call the data protection office; and
h) Information on the availability of the data protection office.
2) Paragraph 1 does not apply to personal data that is only
works because they are due to legal retention requirements
may not be deleted or that are used exclusively for data
security or data protection control, if the information sharing
would require a disproportionate effort and a processing
processing for other purposes through suitable technical and organizational
cal measures is excluded.
3) The provision of information is to be refrained from if the person concerned
Person does not provide any information that would enable the data to be found,
and therefore the effort required to provide the information
out of proportion to that asserted by the person concerned
Interest in information stands.
4) Under the conditions of Art. 56
Paragraph 2 refrain from providing information in accordance with Paragraph 1 Clause 1 or the information
partially or completely restrict the division according to Paragraph 1 Clause 2.
5) Does the provision of information relate to the transmission of personal
related data to the state police for their tasks in the
Under the state security, it is only with the consent of the state police
permissible.
6) The person responsible has the data subject waived
or to notify the restriction of information immediately in writing.
judge. This does not apply if the provision of this information is already a
Would cause impairment within the meaning of Art. 56 Para. 2. The
The notification according to sentence 1 must be justified, unless the notification
the reasons for the refusal or restriction of the
would endanger the purpose pursued in the future.
7) If the person concerned has refrained from or
informed the restriction of the information, they can exercise their right to information
also exercise via the data protection office. The person in charge has the
to inform the data subject about this possibility and about it,
that they call the data protection office in accordance with Art. 60 or have an appeal
can demand competent disposition. Makes the person concerned of theirs
Right according to sentence 1 use, the information is upon your request of the data
to grant protection agency, unless the government determines in individual cases,
Version: 01/01/2021

45

Page 46
235.1

DSG

that this would endanger the security of the country. The data protection
body must at least inform the person concerned that
all necessary tests have been carried out or a review has been carried out
it took place. This message may contain the information
whether violations of data protection law have been identified. The communication of the
Data protection office to the data subject may not draw any conclusions
allow the level of knowledge of the person responsible, if this is not one
consents to further information. The person responsible may give consent
only to the extent and for as long as it is required by a
Could refrain from providing information or restrict it. The data protection office has
In addition, the data subject has their right to judicial protection
to teach.
8) The person responsible has the factual or legal reasons for
document the decision.
Art. 58
Right to correction and deletion as well as restriction of processing
processing
1) The data subject has the right to request from the person responsible
to immediately correct the incorrect data concerning them
long. In particular, in the case of statements or assessments, the
The question of correctness does not relate to the content of the statement or assessment. If
the correctness or incorrectness of the data cannot be determined,
if the rectification is replaced by a restriction on processing. In
In this case, the person responsible must inform the person concerned,
before lifting the restriction again. The data subject can
also the completion of incomplete personal data
request if this takes into account the processing purposes
is appropriate.
2) The data subject has the right to request from the person responsible
to request the deletion of data concerning them immediately if their
Processing is not permitted, knowledge of which is necessary for the performance of the task
is no longer required or this is necessary to fulfill a legal obligation
obligation must be deleted.
3) Instead of deleting the personal data, the person responsible can
limit their processing verbatim if:
a) There is reason to believe that deletion is worthy of protection
Would affect the interests of a data subject;
46

Version: 01/01/2021

Page 47
DSG

235.1

b) the data for evidential purposes in proceedings, the purposes of Art. 45
serve, must be kept; or
c) No or only deletion due to the special type of storage
is possible with disproportionate effort.
Restricted data in accordance with sentence 1 may only be used for the
Purpose that precluded their deletion.
4) If the person responsible has made a correction, he has
a body that has previously transmitted the personal data to him,
to notify the correction. In cases of correction, deletion or
The person responsible has the restriction of processing according to Paragraphs 1 to 3
all recipients to whom the data has been transmitted take these measures
to communicate. The recipient has to correct, delete or delete the data
limit their processing.
5) The person responsible has the data subject waived
the correction or deletion of personal data or via the
whose place the restriction of processing is to be given in writing.
judge. This does not apply if the provision of this information is already a
Would cause impairment within the meaning of Art. 56 Para. 2. The
The notification according to sentence 1 must be justified, unless the notification
the reasons for the purpose pursued with the refusal to provide information
would endanger.
6) Art. 57 paras. 7 and 8 apply accordingly.
Art. 59
Procedure for exercising the rights of the data subject
1) The person responsible has with data subjects using
a clear and simple language that is precise, understandable and easy
accessible form to communicate.
2) In the case of applications, the person responsible must
damages Art. 57 Para. 6 and Art. 58 Para. 5 immediately in writing
to inform about how it was dealt with.
3) The provision of information according to Art. 55, the notification
56 and 65 and the processing of applications
Articles 57 and 58 are free of charge. In the case of manifestly unfounded
or excessive applications according to Art. 57 and 58, the responsible
either demand a reasonable fee or refuse to accept
to act on the basis of the application. In this case the person responsible must
Version: 01/01/2021

47

Page 48
235.1

DSG

the manifestly unfounded or excessive nature of the request
can prove.
4) If the person responsible has justified doubts about the identity of a
data subject who has submitted an application in accordance with Art. 57 or 58,
he can request additional information from her for confirmation
their identity are required.
Art. 60
Invocation of the data protection office
1) Without prejudice to any other legal
help with a complaint to the data protection office if they
believes in processing their personal data
by public bodies for the purposes mentioned in Art. 45 in their
Rights of having been violated. This does not apply to the processing of
personal data by courts, insofar as these the data in
Processed in the context of their judicial activity. The data protection office
the person concerned has the status and the result of the complaint
to inform them and thereby to the possibility of complaint according to Art. 20
to point out.
2) The data protection office has a complaint lodged with it
a processing that falls under the jurisdiction of a supervisory authority in a
other EEA / Schengen state, immediately to the competent authority
to the supervisory authority of the other state. In this case she has the
to inform the data subject about the forwarding and to respond to their
Request further assistance.
D. Obligations of the controllers and processors
Art. 61
Order processing
1) Are personal data on behalf of a responsible person
processed by other persons or bodies, the person responsible for
compliance with the provisions of this Act and other regulations
to worry about data protection. The rights of data subjects on
Information, correction, deletion, restriction of processing and
In this case, compensation is payable to the person responsible
close.
48

Version: 01/01/2021

Page 49
DSG

2) A person responsible may only process processors with the
commission the processing of personal data with suitable technical
niche and organizational measures ensure that the processing
processing is carried out in accordance with the legal requirements and the
Protection of the rights of the data subjects is guaranteed.
3) Processors may without prior written approval

235.1

the controller does not involve any other processors. Has
the controller gives the processor general approval
for the involvement of other processors, the processor has
workers inform the responsible person about any intended involvement or
To inform replacement. In this case, the person responsible can use the
Prohibit addition or replacement.
4) If a processor pulls another processor
in addition, he has the same obligations from his contract with him
to impose on the person responsible under Paragraph 5, which also apply to him,
insofar as these obligations have not already been set for the further processor
are binding due to other regulations. Fulfills another mission
If the processor does not meet these obligations, the person commissioning them shall be liable
Processor vis-à-vis the person responsible for compliance
the obligations of the further processor.
5) Processing by a processor is based on the basic
position of a contract or other legal instrument that
or that binds the processor to the controller and the
or that the subject, the duration, the type and the purpose of the processing
processing, the type of personal data, the categories of data subjects
Defines persons and the rights and obligations of the person responsible. The
Contract or other legal instrument must provide in particular:
that the processor:
a) only acts on the documented instructions of the person responsible; is the
Processor believes that an instruction is unlawful,
he has to inform the person responsible immediately;
b) ensures that the processing of personal data
authorized persons are obliged to maintain confidentiality insofar as they
are not subject to an appropriate statutory obligation of confidentiality;
c) supports the person responsible with suitable means to
compliance with the provisions on the rights of the data subject
guarantee;
d) all personal data after completion of the provision of the
returns work at the discretion of the person responsible or
Version: 01/01/2021

49

Page 50
235.1

DSG

deletes and destroys existing copies, if not a legal one
There is an obligation to store the data;
e) all necessary information to the person responsible, in particular
the protocols drawn up in accordance with Art. 75 to prove compliance
makes his duties available;
f) Checks carried out by the person responsible or one of them
commissioned auditor is carried out, enables and contributes to it;
g) the conditions listed in paragraphs 3 and 4 for the claim
adopts the services of another processor;
h) takes all measures required in accordance with Art. 63; and
i) taking into account the type of processing and the
the information available to those responsible for compliance
the obligations specified in Art. 63 to 66 and 68.
6) The contract within the meaning of Paragraph 5 is in writing or electronically
to draft.
7) A processor who determines the purposes and means of processing
determined in violation of this provision, applies in relation to this
work as a responsible person.
Art. 62
Jointly responsible
Put two or more responsible persons together the purposes and
determine the means of processing, they are considered to be jointly responsible.
Jointly responsible persons have their respective tasks and data
property rights responsibilities in a transparent form in a
to specify an agreement, unless this has already been stipulated in a law
are. In particular, it must be clear from the agreement who
Has to comply with information obligations and how and to whom
data subjects can exercise their rights. A corresponding
Agreement does not prevent the data subject from exercising their rights against
to assert each of the jointly responsible parties.
Art. 63
Data processing security requirements
1) The controller and the processor have under
Consideration of the state of the art, the implementation costs, the
50

Version: 01/01/2021

Page 51
DSG

235.1

Type, scope, circumstances and purposes of processing as well as
the probability of occurrence and the severity of the processing
associated risks to the rights and freedoms of natural persons who
to take the necessary technical and organizational measures,
in order to avoid a risk associated with the processing of personal data
to ensure a fair level of protection, in particular with regard to the
Processing of special categories of personal data. The ver
The responsible person has the relevant generally recognized technical
general guidelines and recommendations in information technology
consider.
2) The measures mentioned in Paragraph 1 may include the
Pseudonymization and encryption of personal data
include, as far as such means in consideration of the processing purposes
possible are. The measures according to Paragraph 1 are intended to ensure that:
a) the confidentiality, integrity, availability and resilience of the system
systems and services in connection with processing on a permanent basis
be ensured; and
b) the availability of personal data and access to
in the event of a physical or technical incident
can be produced.
3) In the case of automated processing, the controller
and the processor to take measures after a risk assessment
take action with the aim of:
a) Refusal of access to processing facilities with which the processing
processing is carried out for unauthorized persons (access control);
b) Prevention of unauthorized reading, copying, changing or
Deletion of data carriers (data carrier control);
c) Prevention of unauthorized entry of personal data
as well as the unauthorized knowledge, modification and deletion of
stored personal data (storage control);
d) Preventing the use of automated processing systems with
Assistance of devices for data transmission by unauthorized persons
(User control);
e) Ensuring that the use of an automated processing
access system only to those authorized by their access
to have access to the personal data included in the authorization
(Access control);

Version: 01/01/2021

51

Page 52
235.1

DSG

f) Ensuring that it can be checked and determined which
Provide personal data with the help of facilities
Data transfer was transmitted or made available or
can be (transmission control);
g) Ensuring that they are subsequently checked and ascertained
can determine which personal data, at what time and by whom
entered or changed in automated processing systems
have been (input control);
h) Ensuring that when submitting personal data
as well as when transporting data carriers, the confidentiality and
the integrity of the data is protected (transport control);
i) Guarantee that the systems used are restored in the event of a fault
can be restored (recoverability);
k) Ensuring that all functions of the system are available
and any malfunctions are reported (reliability);
l) Ensuring that stored personal data is not passed through
Malfunctions of the system can be damaged (data integrity);
m) Ensuring that personal data processed on behalf of
be worked, only in accordance with the instructions of the client.
can be worked (order control);
n) Ensuring that personal data against destruction or
Loss are protected (availability control);
o) Ensuring that personal data collected for different purposes
related data can be processed separately (separability).
4) A purpose according to para. 3 let. b to f can in particular by the
use of state-of-the-art encryption
driving can be achieved.
Art. 64
Report personal data breaches to
the data protection office
1) The person responsible has a violation of the protection of personal
collected data immediately and, if possible, within 72 hours,
after it has become known to the data protection office to report it
unless the injury is not expected to pose a risk to the person
Rights and freedoms of natural persons. The message is sent to
52

Version: 01/01/2021

Page 53
DSG

235.1

the data protection office does not respond within 72 hours, the delay is
justification.
2) A processor has a violation of the protection of personal
Immediately report the data collected to the person responsible.
3) The report according to Paragraph 1 must contain at least the following information
contain:
a) a description of the nature of the violation of personal protection
gener data, which, as far as possible, contains information on the categories and the
approximate number of affected persons, to the affected categories
gories of personal data and the approximate number of
must contain the personal data records concerned;
b) the name and contact details of the data protection officer
or any other person or entity who would like further information
can issue;
c) a description of the likely consequences of the breach; and
d) a description of the actions taken or proposed by the
suggested measures to treat the injury and the
measures taken to mitigate their possible disadvantageous
effects.
4) If the information according to Paragraph 3 is not provided together with the
can be transmitted, the person responsible has it immediately
to be submitted as soon as they are available to him.
5) The person responsible has violated the protection of personal
to document gener data. The documentation has all of the
cases related facts, their effects and the seized
necessary remedial action.
6) As far as a violation of the protection of personal data
personal data are affected that are sent by or to a
Responsible persons have been sent in another EEA / Schengen state,
are the information mentioned in paragraph 3 to the responsible person there
to be transmitted immediately.
7) The prohibition of use according to Art. 43 applies accordingly.
manure.
8) Further obligations of the person responsible for notifications about
Violations of the protection of personal data remain unaffected.

Version: 01/01/2021

53

Page 54
235.1

DSG

Art. 65
Notification of data subjects in the event of breaches of protection
personal data
1) Has there been a breach of the protection of personal data
likely high risk to natural rights and freedoms
Persons, then the person responsible has the data subjects
to notify immediately of the incident.
2) The notification according to paragraph 1 has to be in clear and simple language
the nature of the personal data breach
describe and at least those in Art. 64 Para. 3 let. b to d mentioned
To contain information and measures.
3) Notification according to Paragraph 1 can be waived if:
a) the person responsible has suitable technical and organizational security
has taken precautions and applies these precautions to those of
affected by the breach of the protection of personal data
Data were applied; this applies in particular to precautions such as
Encryption that makes the data unauthorized
were made accessible;
b) the person responsible by following the violation
Measures has ensured that in all probability none
there is no longer a significant risk within the meaning of Paragraph 1; or
c) this would involve disproportionate effort; in
this case instead has a public notice or a
similar measure to be taken by the affected persons
be informed in a similarly effective manner.
4) If the controller informs the data subjects about a breach
protection of personal data has not been notified
the data protection office formally establish that, in its opinion, the
in Paragraph 3 are not met. Here she has the
Probability to take into account that the injury to a high
Risk within the meaning of paragraph 1.
5) The notification of the data subjects according to Paragraph 1 can
postponed under the conditions set out in Art. 56 para. 2, a
restricted or omitted, unless the interests of the affected
due to the high risk posed by the injury
prevail within the meaning of paragraph 1.

54

Version: 01/01/2021

Page 55
DSG

235.1

6) The prohibition of use according to Art. 43 applies accordingly.
manure.
Art. 66
Carrying out a data protection impact assessment
1) Has some form of processing, especially when using new ones
Technologies, due to the nature, scope, circumstances and the
Purposes of processing are likely to pose a high risk to the rights
and freedoms of natural persons result, the person responsible has
a preliminary assessment of the consequences of the intended processing
carry out operations for the data subjects.
2) For the investigation of several similar processing operations with
A joint data protection impact assessment can lead to similarly high risks.
can be made.
3) The person responsible has the data protection office in charge of the implementation
to participate in the impact assessment.
4) The impact assessment has the rights of processing
data subjects must be taken into account and at least the following
contain:
a) a systematic description of the planned processing operations
and the purposes of the processing;
b) an assessment of the necessity and proportionality of the processing
processing operations relating to their purpose;
c) an assessment of the risks to the rights and freedoms of those concerned
People; and
d) the measures with which existing risks are to be remedied,
including the guarantees, the safety precautions and the
drive, which ensures the protection of personal data
and compliance with the legal requirements can be demonstrated
should.
5) If necessary, the person responsible has a review
to determine whether the processing follows the requirements resulting from the
Impact assessment.

Version: 01/01/2021

55

Page 56
235.1

DSG

Art. 67
Cooperation with the data protection office
The person responsible has with the data protection office in the fulfillment
to work together in their duties.
Art. 68
Consultation with the data protection office
1) The person responsible must re-register before commissioning
to listen to the data protection office on the relevant file systems if:
a) it emerges from a data protection impact assessment in accordance with Art. 66 that
the processing poses a high risk to the rights and freedoms of natural
of people if the person responsible does not take remedial
would take remedial action; or
b) the form of processing, especially when using new ones
Technologies, mechanisms or processes that pose a high risk to the
Results in the rights and freedoms of the data subjects.
The data protection office can draw up a list of the processing operations,
who are subject to the duty to be heard in accordance with sentence 1.
2) In the case of Paragraph 1, the following must be submitted to the data protection office:
a) the data protection impact assessment carried out in accordance with Art. 66;
b) if applicable, information on the respective responsibilities of the responsible
verbal, jointly responsible and those involved in processing
processors involved;
c) Information on the purposes and means of the intended processing;
d) Information on the protection of the legal interests of the data subjects
planned measures and guarantees; and
e) Name and contact details of the data protection officer.
Upon request, all other information must also be provided to her,
which it needs to ensure the lawfulness of the processing and, in particular,
those who are concerned with the protection of the personal data
and the related guarantees
to be able to evaluate.
3) If the data protection office is of the opinion that the planned
work would violate legal requirements, in particular because
the person responsible does not adequately determine the risk or does not
56

Version: 01/01/2021

Page 57
DSG

235.1

has taken sufficient remedial measures, it can notify the responsible
and, if necessary, to the processor within a period of time
written receipts within six weeks of the start of the hearing
Submit recommendations as to which measures should still be taken.
The data protection office can extend this period by one month if
the planned processing is particularly complex. She has in this case
within one month of initiating the hearing, inform the responsible
and, if necessary, the processor about the extension of the deadline
to inform.
4) If the intended processing is of considerable importance for the processing
fulfillment of the responsibilities of the person responsible and is therefore particularly urgent,
He can start processing after the hearing has started, but before it expires
commence within the period specified in Paragraph 3 Clause 1. In this case, the recipients are
to consider the data protection office's recommendations retrospectively and
the type and manner of processing are then to be
fit.
Art. 69
Directory of processing activities
1) The person responsible has a list of all categories of processing
to carry out work activities for which he is responsible. This verse
The drawing must contain the following information:
a) the name and contact details of the person responsible and given
if the person responsible together with him as well as the name and
the contact details of the data protection officer;
b) the purposes of the processing;
c) the categories of recipients to whom the personal
The relevant data has been disclosed or is still to be disclosed
should;
d) a description of the categories of data subjects and the category
rien of personal data;
e) if applicable, the use of profiling;
f) where applicable, the categories of transfers of personal information
Data to bodies in a third country or to an international organization
sation;
g) information on the legal basis of the processing;

Version: 01/01/2021

57

Page 58
235.1

DSG

h) the deadlines provided for deleting or reviewing the
The need to store the various categories of personal
personal data; and
i) a general description of the technical and organizational
Measures according to Art. 63.
2) The processor has a directory of all categories of processing
to carry out work that he has carried out on behalf of a
which must contain:
a) the name and contact details of the processor, each
responsible, on whose behalf the processor is working, as well as
if applicable, of the data protection officer;
b) if necessary, transfers of personal data to agencies
in a third country or to an international organization
State or organization; and
c) a general description of the technical and organizational
Measures according to Art. 63.
3) The lists mentioned in Paragraphs 1 and 2 are in writing or
to be managed electronically.
4) Responsible persons and processors have their
To make directories available to the data protection office.
Art. 70
Data protection through technology design and data protection-friendly
settings
1) The person responsible has both at the time of determining the
Means for processing as well as at the time of processing itself
to take reasonable precautions that are suitable to safeguard data protection
to effectively implement principles such as data minimization, and the
ensure that the legal requirements are met and that the
Rights of data subjects are protected. He has here the
State of the art, implementation costs and the type, scope,
the circumstances and purposes of the processing as well as the different
The probability of occurrence and severity of the processing
to whom risks to the rights and freedoms of natural persons are assumed
consider. In particular, the processing is more personal
Data and the selection and design of data processing systems
to align only the necessary personal data
58

Version: 01/01/2021

Page 59
DSG

235.1

to process. Personal data are to be collected at the earliest possible
point to anonymize or pseudonymize, as far as this is done after the
Processing purpose is possible.
2) The person responsible has appropriate technical and organizational
Take measures to ensure that through default settings
in principle, only such personal data are processed
can, whose processing is for the respective specific processing
purpose is required. This affects the amount of data collected
Scope of their processing, their storage period and their accessibility. The
Measures must in particular ensure that the data is processed
Presets are not automated for an indefinite number of people
can be made accessible to the public.
Art. 71
Differentiation between different categories of affected persons
sons
The person responsible has when processing personal data
as far as possible between the different categories of concerned
To distinguish people. This applies in particular to the following categories:
a) Persons against whom there is reasonable suspicion that they are a
Have committed a crime;
b) Persons against whom there is reasonable suspicion that they are in the near
Will commit a crime in the future;
c) convicted offenders;
d) Victims of a crime or persons exposed to certain facts
suggest that they may be victims of a crime; and
e) other persons such as in particular witnesses, whistleblowers or persons,
those with the in let. a to d in contact or connection
stand dung.
Art. 72
Differentiate between facts and personal assessments
The controller has as much as possible in processing
to distinguish whether personal data is based on facts or
based on personal assessments. For this purpose he should, so far
this is possible and appropriate in the context of the respective processing,
Judgments based on personal judgment, as such
Version: 01/01/2021

59

Page 60
235.1

DSG

mark it. It must also be possible to determine which body the
Keeps records that are based on a personal assessment
Assessment.
Art. 73
Procedure for transfers
1) The person responsible must take appropriate measures to
to ensure that personal information is inaccurate or not
are more up-to-date, not transmitted or otherwise made available
become. For this purpose, he has to do so with reasonable effort
it is possible to check the quality of the data before it is transmitted or made available
check. Whenever personal data is transmitted,
he also, insofar as this is possible and appropriate, enclose information
add, which allow the recipient, the correctness, the completeness
and to assess the reliability of the data and whether it is up-to-date.
2) Apply special to the processing of personal data
Conditions, the transmitting body has the
Recipients of these conditions and the obligation to observe them.
to assign. The obligation to notify can be fulfilled by the fact that the data
marked accordingly.
3) The transmitting agency may refer to recipients in other EEA /
Schengen states and to bodies and other bodies by title
V Chapters 4 and 5 of the Treaty on the Functioning of the European
Union were established, do not apply conditions that are not also applicable for
corresponding national data transfers apply.
Art. 74
Correction and deletion of personal data as well as restriction
processing
1) The person responsible has to correct personal data,
if they are incorrect.
2) The person responsible must receive personal data immediately
if their processing is inadmissible, delete them for the fulfillment of a
legal obligation must be deleted or their knowledge for
his task is no longer required.

60

Version: 01/01/2021

Page 61
DSG

235.1

3) Art. 58 paras. 3 and 4 shall apply accordingly. Are incorrect
personal data or personal data unlawful
has been transmitted, this must also be communicated to the recipient.
4) Without prejudice to the statutory maximum storage or deletion
The person responsible for the deletion of personal data has deadlines
Data or a regular review of the necessity of their storage
appropriate deadlines and through procedural
Take precautions to ensure that these deadlines are met.
Art. 75
Logging
1) In automated processing systems, those responsible have
and processors at least the following processing operations
to log:
a) survey;
b) change;
c) query;
d) Disclosure including transmission;
e) combination; and
f) deletion.
2) The logs of queries and disclosures must allow
the reason, the date and time of these processes and so on
as much as possible the identity of the person receiving the personal data
queried or disclosed, and the identity of the recipient of the data
ascertain.
3) The protocols may only be used for checking the legal
moderation of the data processing by the data protection officer, the
Data protection office and the data subject as well as for self-monitoring
to ensure the integrity and security of personal
related data and used for criminal proceedings.
4) The log data are to be found at the end of the
to be deleted later than the year.
5) The controller and the processor have the protokolle available to the data protection office on request.

Version: 01/01/2021

61

Page 62
235.1

DSG

Art. 76
Confidential reporting of violations
The person responsible must make it possible for him to receive confidential reports
information about violations of
Data protection regulations can be forwarded.
E. Data transfers to third countries and to international organizations
options
Art. 77
general requirements
1) The transfer of personal data to bodies in third countries
or to international organizations if the other is available for
Data transfers are permitted if:
a) the body or international organization for those named in Art
Purposes is responsible; and
b) the European Commission according to Art. 36 Para. 3 of the Directive (EU)
2016/680 passed an adequacy resolution, which in Liechtenstein is applicable.
2) The transmission of personal data has despite the presence
of an adequacy decision within the meaning of para. 1 let. b and des to
taking into account public interest in the data transmission
are omitted if in the individual case a data protection law is appropriate
and the handling of the data while respecting the fundamental rights
Recipient is not adequately secured or otherwise predominantly protective
stand in the way of dignified interests of a data subject. At his
In the assessment, the person responsible must take into account whether
the recipient in individual cases adequate protection of the transmitted
Data guaranteed.
3) If personal data originating from another EEA /
Schengen state were transmitted or made available, according to para.
1 are to be transmitted, this transmission must first be carried out by the
competent authority of the other EEA / Schengen state.
Submissions without prior authorization are only permitted if
if the transmission is necessary to achieve an immediate and serious
liable danger for the public security of a state or for the essential
to defend against the interests of an EEA / Schengen state, and
62

Version: 01/01/2021

Page 63
DSG

235.1

previous approval cannot be obtained in time. In the case of the
Sentence 2 is the office of the other EEA / Schengen state that is responsible for the
development of the permit would have been responsible immediately about the
Notify transmission.
4) The person responsible who transmits data according to Paragraph 1 has through
suitable measures to ensure that the recipient receives the
only then transfer data to other third countries or other international ones
Forwarded to organizations if the person responsible has this
mediation has previously approved. When deciding whether to grant
After approval, the person responsible has all the relevant factors
to take into account, in particular the gravity of the crime, the purpose of the
original transmission and that in the third country or the international
nal organization to which or to which the data is transmitted
should, existing level of protection for personal data. A permit
Approval may only be given if it is also sent directly to
the other third country or the other international organization is permitted
would. The responsibility for the granting of the permit can also
be regulated differently.
Art. 78
Data transfer with suitable guarantees
1) If contrary to Art. 77 para. 1 let. b no decision according to Art. 36 para.
3 of Directive (EU) 2016/680, a transmission is required if the
other requirements of Art. 77 are also permissible if:
a) in a legally binding instrument, appropriate guarantees for the
Protection of personal data are provided; or
b) the person responsible after assessing all circumstances that occurred during the transfer
play a role, has come to the conclusion that appropriate
There are guarantees for the protection of personal data.
2) The person responsible has transmissions according to para. 1 let. b to document. The documentation has the time of transmission, which
Identity of the recipient, the reason for the transfer and the
to contain personal data. She is the data protection office
to be made available on request.
3) The person responsible has the data protection office at least once a year
to inform about transmissions that are based on an assessment after
Para. 1 let. b have taken place. In the briefing, he can be the recipient and
appropriately categorize the purposes of the transmission.
Version: 01/01/2021

63

Page 64
235.1

DSG

Art. 79
Data transmission without suitable guarantees
1) If contrary to Art. 77 para. 1 let. b no decision according to Art. 36 para.
3 of Directive (EU) 2016/680 and there are no suitable guarantees
objects within the meaning of Art. 78, Paragraph 1, is a transmission if the
other requirements according to Art. 77 are also permissible if the transfer
averaging is required:
a) to protect the vital interests of a natural person;
b) to safeguard the legitimate interests of the data subject;
c) to avert a current and significant danger to the public
the security of a state;
d) in individual cases for the purposes specified in Art. 45; or
e) in individual cases for the assertion, exercise or defense of
Legal claims in connection with those mentioned in Art. 45
Purposes.
2) The person responsible has to refrain from a transmission according to Paragraph 1
see when the fundamental rights of the data subject affect the public
food predominate in the transmission.
3) For transmissions according to Paragraph 1, Art. 78 Paragraph 2 applies accordingly.
Art. 80
Other data transfer to recipients in third countries
1) If the rest of the data transfer is available, those responsible can
mediation in third countries applicable requirements in particular individual
if personal data is not directly available in Art. 77 para. 1 let. a
transfer the named bodies in third countries if the transfer is for the
Fulfillment of their tasks is absolutely necessary and:
a) in the specific case no fundamental rights of the person concerned the public
interest in a transmission predominate;
b) the transmission to the persons listed in Art. 77 Para. 1 let. a mentioned bodies we
would be unsuccessful or unsuitable, especially if they were not done in time
can be carried out; and
c) the person responsible informs the recipient of the purposes of the processing
shares and informs him that the transmitted data is only available in the
The extent to which they are processed for this
Purposes is required.
64

Version: 01/01/2021

Page 65
DSG

235.1

2) In the case of Paragraph 1, the person responsible has the requirements set out in Art.
a to inform the named bodies immediately about the transfer,
unless this is ineffective or unsuitable.
3) For transmissions according to Paragraph 1, Art. 78 Paragraphs 2 and 3 apply accordingly.
corresponding.
4) In the case of transmissions according to Paragraph 1, the person responsible has the
oblige catcher to use the transmitted personal data without
to process his consent only for the purpose for which it is transmitted
have been.
5) Agreements in the field of judicial cooperation in criminal
Chen and police cooperation remain unaffected.

F. Cooperation between regulators
Art. 81
Mutual administrative assistance
1) The data protection office has the data protection supervisory authorities in
to transmit information to other EEA / Schengen states and to provide official
to provide help insofar as this is necessary for uniform implementation and application
directive (EU) 2016/680 is required. The administrative assistance concerns
in particular requests for information and supervisory measures, both
for example, requests for consultation or for review
tests and investigations.
2) The data protection office must take all appropriate measures
to request administrative assistance immediately and at the latest within one month
to be complied with upon receipt.
3) The data protection office may only reject requests for administrative assistance if:
a) they for the subject of the request or for the measures they
should perform, is not responsible; or
b) responding to the request would violate the law.
4) The data protection office has the requesting supervisory authority of
other EEA / Schengen state about the results or, if applicable
to inform about the progress of the measures that have been taken,
to comply with the request for assistance. In the case of paragraph 3, it has the
Explain the reasons for the rejection of the request.

Version: 01/01/2021

65

Page 66
235.1

DSG

5) The data protection office has the information required by the supervisory
regulatory authority of the other EEA / Schengen state has been requested in the
Usually transmitted electronically and in a standardized format.
6) The data protection office has to deal with requests for administrative assistance free of charge,
unless they are in individual cases with the supervisory authority of the other EEA /
Schengen State has agreed to reimburse expenses incurred.
7) A request for assistance from the data protection office has all the necessary
To contain information; this includes in particular the purpose and
the reason for the request. The information provided on the request
mations may only be used for the purpose for which
they were requested.
G. Liability and Sanctions
Art. 82
Damages and Compensation
1) If a person responsible for a data subject has
processing of personal data according to this Act or according to
other regulations applicable to their processing were unlawful,
caused damage, he or his legal entity is the data subject
obliged to pay damages. The obligation to pay compensation does not apply if one
non-automated processing of the damage is not due to a fault
of the person responsible.
2) Because of damage that is not pecuniary damage, the
request the affected person appropriate compensation in money.
3) Can be used with automated processing of personal
Data does not determine which of several responsible parties involved
caused the damage, everyone responsible is relationally liable
wise its legal entity.
4) If the damage occurred, it was the fault of the person concerned
Person involved, are the §§ 1301 to 1304 of the general civil
To apply accordingly.
5) Claims for compensation become statute-barred three years after the end of the day
who has become aware of the damage to the injured party.

66

Version: 01/01/2021

Page 67
DSG

235.1

Art. 83
Penal provision
For the processing of personal data by public
Positions within the scope of activities according to Art. 45 Clause 1, 3 or 4 are found in Art.
41 and 42 apply accordingly.

IV. Special provisions for processing in
Within the scope of the ordinance
tion (EU) 2016/679 and Directive (EU) 2016/680 fall
lumbar activities
Art. 84
Processing of personal data in the context of not in the
Areas of application of Regulation (EU) 2016/679 and the Directive
(EU) 2016/680 covered activities
1) The transfer of personal data to a third country or
to supra- or international organizations within the framework of not in the
Areas of application of Regulation (EU) 2016/679 and the Directive
(EU) 2016/680 is covered by the activities already under the regulation
tion (EU) 2016/679 admissible cases also admissible if they
for the fulfillment of own tasks for imperative reasons of the defense
for the fulfillment of contractual obligations of the state on the
Area of ​crisis management or conflict prevention or for humane
sanitary measures are required. The recipient must be informed that
that the transmitted data may only be used for the purpose
to which they were transmitted.
2) For processing in the context of not included in the application
under Regulation (EU) 2016/679 and Directive (EU) 2016/680
Art. 17 Para. 4 does not apply to activities carried out by the State Police, insofar as
the government determines in each individual case that the fulfillment of the specified there
Obligations would endanger the security of the country.
3) For processing in the context of not included in the application
range of Regulation (EU) 2016/679 and Directive (EU) 2016/680
activities by public bodies, there is no information
Obligatory according to Art. 13 Para. 1 and 2 of Regulation (EU) 2016/679 if:
Version: 01/01/2021

67

Page 68
235.1

DSG

a) it concerns cases of Art. 32 para. 1 let. a to c; or
b) through its fulfillment, information would be revealed after a
Law or its essence, especially because of the predominant
legitimate interests of a third party must be kept secret,
and therefore the interest of the person concerned in the issuance of the
Information must recede.
4) If the data subject is not to be informed in the cases according to Paragraph 3
there is also no right to information. Art. 32 Para. 2 and Art. 33
Paragraph 2 does not apply.

V. Transitional and final provisions
Art. 85
Implementing regulations
The government shall issue the measures necessary for the implementation of this law
current ordinances, in particular on:
a) the conditions under which a public body
have the data processed by a third party or on behalf of a third party.
may work;
b) the reporting of video surveillance according to Art. 5;
c) the adequacy decisions of the EU applicable in Liechtenstein
Commission according to Art. 45 of Regulation (EU) 2016/679 and that of
Standard data protection clauses issued by the EU Commission in accordance with Art.
46 of Regulation (EU) 2016/679;
d) the fees for official acts of the data protection office.
Art. 86
Repeal of previous law
The Data Protection Act (DSG) of March 14, 2002, LGBl. 2002 No. 55,
in the current version is repealed.

68

Version: 01/01/2021

Page 69
DSG

235.1

Art. 87
Data protection officer and other staff
The data protection officer elected according to the previous law
takes over the management of the data protection office after this law comes into force
(Art. 12) and exercises this function in accordance with the new law until
December 31, 2025 still off. The existing employment relationships of
other staff of the data protection office remain in place.
Art. 88
Data Protection Commission
1) With the entry into force of this Act, the term of office of
existing data protection commission.
2) At the time this Act came into force, the data
protection commission pending complaint procedures or procedures in
In connection with recommendations of the data protection office, the
Complaints Commission for Administrative Matters according to the previous
treated right.
Art. 89
Video surveillance
1) Licenses for video surveillance issued under previous law
Applications remain valid until the expiry of the period of validity.
2) If the intention is to stop the video surveillance after the expiry of the
to continue the duration of the approval, a report according to Art. 5 Para. 7 must be made
respectively.
Art. 90
Accreditations and Certifications
Accreditations and certifications granted under previous law
remain in effect until their period of validity has expired. Up at the time
of the entry into force of this Act for accreditation or certification
the accreditation body finds pending accreditation or certification procedures
the previous law applies.

Version: 01/01/2021

69

Page 70
235.1

DSG

Art. 91
Come into effect
This law applies subject to the unused expiry of the referThe end of the term will come into force on January 1, 2019, otherwise on the day after the customer
making.

On behalf of the sovereign:
signed Alois
Hereditary Prince

signed Adrian Hasler
Princely Prime Minister

70

Version: 01/01/2021

Page 71
DSG

235.1

1 Report and application as well as government opinion No. 36/2018 and 69/2018
2 Art. 31 para. 2 let. b amended by LGBl. 2020 No. 389 .

Version: 01/01/2021

71

