Appli­ca­bi­li­ty of the GDPR: Liechtenstein

EN 
EN  DE  FR 

from

on

Indu­stries

Aut­ho­ri­ty

Laws

Topics

,
Take-Aways (AI)
  • Swiss com­pa­nies are sub­ject to the GDPR if they offer goods or ser­vices to EU cus­to­mers (Art. 3 para. 2 lit. a GDPR).
  • The appli­ca­ti­on of the GDPR to Liech­ten­stein is curr­ent­ly unclear; Liech­ten­stein is not an EU mem­ber sta­te, but is a mem­ber of the EEA.
  • If the GDPR is incor­po­ra­ted into the EEA Agree­ment, it would app­ly direct­ly in Liech­ten­stein; other­wi­se, the Liech­ten­stein DPA would remain in force.

Many Swiss com­pa­nies are curr­ent­ly busy pre­pa­ring for the imple­men­ta­ti­on of the com­pli­ance requi­re­ments that will result from the GDPR and the revi­sed DPA. As a first step, the que­sti­on ari­ses whe­ther and to what ext­ent com­pa­nies in Switz­er­land will have to com­ply with the GDPR.

It is clear that Swiss com­pa­nies will be sub­ject to the GDPR if they offer goods or ser­vices to cus­to­mers in the EU (Art. 3(2)(a) GDPR). Howe­ver, it is unclear whe­ther the GDPR will also app­ly when addres­sing cus­to­mers in Liech­ten­stein. The ans­wer is still unclear at this point in time:

  • Liech­ten­stein is not a mem­ber sta­te of the EU. Thus, the GDPR is not direct­ly applicable.
  • Howe­ver, Liech­ten­stein is a mem­ber of the EEA (tog­e­ther with Ice­land and Nor­way). Curr­ent­ly, the adop­ti­on pro­cess of the GDPR by the EEA is under­way (cur­rent infor­ma­ti­on on the respec­ti­ve imple­men­ta­ti­on of EU legal acts by the EEA can be found at here can be retrieved).
  • Opi­ni­ons are curr­ent­ly being sought from EEA count­ries on the appli­ca­bi­li­ty of the GDPR. The out­co­me is still unclear. Should the adop­ti­on of the GDPR into the EEA Agree­ment be deci­ded, the next pro­ce­du­ral step would be the draft adop­ti­on decis­i­on by the ‘Joint Com­mit­tee’. After the adop­ti­on decis­i­on enters into force, it would be incor­po­ra­ted into the EEA Agree­ment and the GDPR would app­ly direct­ly in Liech­ten­stein (no natio­nal imple­men­ta­ti­on). As a result, its Art. 3(2)(a) would then also be appli­ca­ble, so that addres­sing Liech­ten­stein cus­to­mers would result in the appli­ca­ti­on of the GDPR to the cor­re­spon­ding pro­vi­der. The sta­tus of the adop­ti­on pro­cess can here (as of March 16, 2017).
  • Should the GDPR not be adopted by the EEA, the cur­rent Liech­ten­stein GDPR would remain in force.

A com­men­ta­ry by the EEA Secre­ta­ri­at, which explains in more detail the incor­po­ra­ti­on of EU acts into the EEA Agree­ment, is as fol­lows here retrievable.