Liechtenstein: Note On Data Protection In The Financial Sector

1. INTRODUCTION

In Liechtenstein the General Data Protection Regulation (Regulation EU/2016/679; GDPR) is generally directly applicable. As Liechtenstein is a member of the European Economic Area (EEA) and not the European Union, even European Regulations have to be incorporated into the EEA Agreement separately. On July 06, 2018, the EEA Joint Committee decided to incorporate the GDPR into the EEA Agreement (Decision of the EEA Joint Committee No 154/2018; OJ L 183, 19.7.2018, p. 23).

The GDPR thus entered into force for the EEA States Liechtenstein, Norway and Iceland on July 20, 2018 and has been directly applicable in Liechtenstein from that date.

Due to the incorporation of the GDPR into the EEA Agreement the Liechtenstein Data Protection Act (Datenschutzgesetz) as well as the Liechtenstein Data Protection Ordinance (Datenschutzverordnung) were completely revised in order to comply with Union Law and specify the applicability of enabling clauses provided by the European legislator.

However, there is not a specific regulation concerning data protection on the financial market in place in Liechtenstein. Instead, any processing of personal data of a data subject falls under the scope of the GDPR as well as the Liechtenstein Data Protection Act. There are no particular provisions regarding data protection in connection with financial regulation present in Liechtenstein.

European legislation on financial services also stipulates provisions on data protection of customers which have been implemented into national Liechtenstein law. The respective national acts for financial institutions and financial intermediaries (e.g. the Banking Act, Payment Service Act, Consumer Protection Act, UCITS Act, etc) refer to the Liechtenstein Data Protection Act and the GDPR respectively when it comes to provisions on data protection. These are the central regulations for all matters concerning data protection.

1.1. LEGISLATION

The following EU legislation, among others, is applicable:

• the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is applicable to financial services with regard to their personal data processing activities.
• the Fourth Anti-money Laundering Directive (Directive (EU) 2015/849) as incorporated by Decision of the EEA Join Committee (Decision No 249/2018)
• the Payment Services Directive (Directive (EU) 2015/2366) ('PSD2'; entry into force of Joint Committee Decision is still pending. Therefore, PSD2 is not directly applicable in Liechtenstein. However, PSD2 has been implemented in Liechtenstein on a national level in the Payment Service Act or 'PSA'. As a consequence, recitals, interpretations of and guidelines concerning PSD2 are also relevant for Liechtenstein pursuant to established practice of Liechtenstein authorities.)

The European Data Protection Board ('EDPB') has issued the following Opinion:

• Opinion 4/2019 on the draft Administrative Arrangement for the transfer of personal data between the European Economic Area ('EEA') Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities

The Article 29 Working Party has issued the following guidance:

• Opinion 14/2011 on data protection issues related to the prevention of money laundering and terrorist financing
• Letter of the Chair of the Article 29 Working Party to FATCA
• Letter regarding the PSD2 Directive

The European Banking Authority ('EBA') has issued, among others, the following guidance:

• Recommendations on Outsourcing to Cloud Service Providers (20 December 2017)
• Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) (27 July 2017)
• Guidelines on Reporting Requirements for Fraud Data under Article 96(6) PSD2

The EC Directive on Privacy and Electronic Communication (2002/58/EC) as incorporated by Decision of the EEA Join Committee (Decision No 80/2003; OJ L 257, 9.10.2003, p. 31) is also applicable in Liechtenstein regarding the use of cookies and comparable technologies as well as the use of emails and marketing calls – that is until the mentioned Directive will be repealed by the proposed European ePrivacy Regulation (ePR).

EDPB Guidelines in general have to be taken into account when addressing questions on data protection in the financial services sector.

The following legislation of Liechtenstein, among others, is applicable (only available in German; German name in brackets):

• Data Protection Act ('DPA'; Datenschutzgesetz)
• Data Protection Ordinance ('DPO'; Datenschutzverordnung)
• Financial Market Authority Act ('FMAA'; Finanzmarktaufsichtsgesetz)
• Due Diligence Act ('DDA'; Sorgfaltspflichtgesetz)
• Due Diligence Ordinance ('DDO'; Sorgfaltspflichtverordnung)
• Banking Act ('BA'; Bankengesetz)
• Payment Service Act ('PSA'; Zahlungsdienstegesetz)
• Persons- and Companies Act ('PCA'; Personen- und Gesellschaftsrecht)

1.2. SUPERVISORY AUTHORITIES

The GDPR requires every Member State to establish a supervisory authority (Article 54 of the GDPR). In addition, the GDPR provides for a system of cooperation and transparency among all Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.

The so-called 'Datenschutzstelle' (Data Protection Authority; https://www.datenschutzstelle.li/) is the supervisory authority for data protection in Liechtenstein pursuant to Article 54 of the GDPR.

As for the supervisory authority regulating the financial market, the Liechtenstein Financial Market Authority (FMA; https://www.fma-li.li/) is the competent national supervisory authority. The mandate of the Liechtenstein FMA for one includes the promotion of safety and soundness of banks, systemically important firms as well as other financial institutions and intermediaries and for another comprises of adhering to the integrity of the provision of financial services to customers and is responsible for fair treatment of consumers in the market as the authority on conduct and compliance matters. Pursuant to Article 4 of the Financial Market Authority Act ('FMAA') the FMA ensures the stability of the Liechtenstein financial market, the protection of clients, the prevention of abuses, and the implementation of and compliance with recognized international standards.

Pursuant to the mission statement of the Liechtenstein FMA the aim of regulation must always be to ensure that it is technological neutral, risk-based and non-discriminatory for existing market participants.¹

The Liechtenstein FMA views data protection of customers as an essential concern and players on the financial market are responsible for securing customer data in compliance with the Data Protection Act and the GDPR and protecting it from fraud (cp. e.g. Article 64a of the Liechtenstein Banking Act which requires a notification system between the Liechtenstein FMA and banking institutions as well as investment firms in order to submit notifications about data breaches among others).

Footnote

1 https://www.fma-li.li/de/news/20170920-innovation-als-herausforderung-und-als-chance.html?comefrom=caree

Originally Published February 2020

Click here to continue reading . . .

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.