Ordinance on the Data Protection Act of 9 July 2002

On the basis of Article 8 paragraph 3, Article 9 paragraph 2, Article 11 paragraphs 1 and 5, Article 15 paragraph 6, Article 20 paragraph 2, Article 28 paragraph 3, and Article 42 of the Data Protection Act of 14 March 2002, Official Gazette, 2002 nº 551, the government hereby decrees:

 

I. Processing of personal data by private individuals

A. Right of information

Article 1. Modalities

1) Each person requesting information from a file controller as to whether data relating to him is being processed (Article 11 of the Data Protection Act) shall, as a general rule, make his request in writing and provide proof of his identity.

2) The file controller shall provide the information in writing, as a general rule, in the form of a printout or a photocopy.

3) The person affected may inspect the data on-site in agreement with the file controller or at the suggestion of the file controller. The information may also be provided orally provided the affected person consents and has been identified by the controller.

4) The information or the decision establishing a restriction on the right to information (Article 12 and 13 of the Data Protection Act) shall be communicated within 30 days after receipt of the request for information. In the event the information cannot be provided within 30 days, the file controller must notify the person making the request of this circumstance and inform him of the period within which the information will be provided.

5) In the event one or several files are kept jointly by multiple controllers, the right for information may be exercised with each controller, unless one of the controllers is responsible for responding to all requests for information. In the event the file controller is not authorised to provide information, he shall forward the request to the competent person.

6) In the event the requested data is being processed by a third party as part of a mandate for a private individual, the private individual shall forward the request for information to the third party for a response if the individual is not capable of providing the information himself.

7) In the event data is requested relating to deceased persons, the information shall be provided if the person making the request demonstrates an interest in the information and that no overriding interests of relatives of the deceased person or third parties oppose such provision. A close relationship or marriage with the deceased person shall establish an interest.

 

Article 2. Exceptions to the no-cost provision

1) An appropriate participation in costs may be requested if:

a) the person making the request already received the desired information in the twelve months prior to making the request and cannot demonstrate a legitimate interest in a renewed provision of the information. A legitimate interest shall in particular exist if the personal data was modified without notifying the person affected;

b) the provision of the information requires a particularly high labour expense.

2) The maximum participation shall be 300 Francs. The person making the request shall be informed of the amount of the participation and may withdraw his request within ten days.

B. File registration

Article 3. Registration and updating

The registration of files with the Data Protection Commissioner must contain the information listed in Article 15 paragraph 5 of the Data Protection Act. The file controller must regularly update such information.

The Data Protection Commissioner shall be notified of any changes on an annual basis.

 

Article 4. Files used by the media

Files need not be registered if:

a) such files are used exclusively for publication in the editorially-controlled section of a periodically-published media organ and their data is not disclosed to third parties without the knowledge of the persons affected;

b) such files are being used by journalists exclusively as a personal work aid.

 

C. Transborder data flows

Article 5. Equivalence

The states whose data protection legislation is equivalent based on resolutions of the EEA Joint Committee are listed in the Appendix to this Ordinance (Article 8 paragraph 3 letter b of the Data Protection Act).

Article 6. File transmissions requiring notification

File transmissions abroad requiring notification (Article 8 paragraph 2 of the Data Protection Act) shall specifically include:

a) making personal data accessible via remote access;

b) transmitting a file to a third party who processes the personal data at the mandate of the file transmitter.

 

Article 7. Notification procedure

1) The file controller shall provide notice of the file in writing prior to transmission. The notification shall contain the following information:

a) the name and address of the person disclosing the personal data;

b) the name and address of the recipient of the data;

c) the name and complete designation of the file;

d) the categories of personal data being disclosed;

e) the group and approximate number of the persons affected;

f) the purpose of the data processing by the recipient;

g) the type and frequency of disclosure;

h) the date of initial disclosure.

2) In the event data is disclosed on a regular basis, notification must be made prior to initial disclosure. Notification must also be made of subsequent changes, in particular of the identity of the person receiving the data, the categories of personal data being transmitted, and the purpose of the disclosure.

3) The disclosure of data of the same category for the same processing purpose within a corporate group or to various recipients may be the subject of a single notification.

 

Article 8. Exemptions from notification duty

1) Notification shall not be required for the transmission of files for purposes not relating to the persons affected, in particular for the purposes of research, planning, and statistics, provided the form in which the results are published does not allow the identity of the person affected to be established.

2) The transmission of files to states with equivalent data protection legislation shall not require notification, unless the files contain sensitive data or personal profiles.

 

D. Organisational and technical measures

Article 9. General measures

1) Whoever processes personal data or makes available a data communications network as a private individual shall ensure the confidentiality, availability, and accuracy of the data, in order to guarantee an appropriate degree of data security. He shall in particular protect the systems from the following risks:

a) unauthorised or accidental destruction;

b) accidental loss;

c) technical errors;

d) forgery, theft, or unlawful use;

e) unauthorised modification, copying, access, or other forms of unauthorised processing.

2) The organisational and technical measures must be suitable. Such measures must in particular take the following criteria into account:

a) the purpose of the data processing;

b) the type and scope of the data processing;

c) an assessment of the potential risks to the person affected;

d) the current state of technology.

3) Such measures shall be reviewed periodically.

4) The Data Protection Commission may make recommendations in this regard in the form of handbooks.

 

Article 10. Special measures

1) Especially when conducting automated processing of personal data, file controllers shall take the organisational and technical measures suitable to meet the following objectives:

a) entry control: unauthorised persons are to be denied entry to establishments where personal data is being processed;

b) data storage medium control: unauthorised persons are to be denied the possibility of reading, copying, or removing data storage media;

c) transport control: upon the disclosure of personal data and the transport of data storage media, the unauthorised reading, copying, modification, or deletion of data is to be prevented;

d) disclosure control: recipients of data to whom personal data is disclosed via data transmission institutions must be identifiable;

e) memory control: unauthorised input into memory and unauthorised inspection, modification, or deletion of saved personal data shall be prevented;

f) user control: the use of automated data processing systems by unauthorised persons via data transmission institutions shall be prevented;

g) access control: the access of authorised persons is to be restricted to the personal data required to fulfil their duties;

h) input control: in automated systems, it must be subsequently reviewed which personal data was input by which persons at what time.

2) Files shall be structured in such a manner that persons affected can exercise their right for information and their right to correction.

 

Article 11. Recording

1) File controllers shall record the automated processing of sensitive data and personal profiles in cases where the preventive measures are insufficient to guarantee protection of the data. Data processing must in particular be recorded in cases where it would otherwise be impossible to determine subsequently whether the data was processed for the purposes for which it was collected or disclosed. The Data Protection Commissioner may also recommend recording of data processing in other cases.

2) The record shall be kept up-to-date for one year. The record shall only be accessible to offices and private individuals responsible for monitoring the observance of data protection regulations and may only be used for this purpose.

 

Article 12. Processing regulations

The controller of an automated file requiring registration (Article 15 paragraph 3 of the Data Protection Act) shall draft processing regulations, in particular describing the internal organisation, data processing, and control procedures, and listing the documents on the planning, creation, and operation of the file and data processing tools.

 

Article 13. Disclosure of data

The file controller shall notify the recipient of the up-to-date status and reliability of the personal data disclosed by him, unless such information is evident from the circumstances.

 

II. Processing of personal data by the authorities

A. Right for information

Article 14. Modalities

Articles 1 and 2 shall apply accordingly to requests for information directed to authorities.

 

Article 15. Requests for information to embassies and consulates of the Principality of Liechtenstein abroad

The embassies and consulates of the Principality of Liechtenstein abroad shall not provide any information. Any requests for information directed to such embassies and consulates shall be forwarded to the Office of Foreign Affairs for a response. That Office shall be the competent body for all files of missions of the Principality of Liechtenstein abroad.

 

B. File registration

Article 16. Proper registration

1) The responsible authorities (Article 20 of the Data Protection Act) shall register all files they keep with the Data Protection Commissioner prior to commencing processing. The registration shall contain the following information:

a) the name and address of the competent authority;

b) the name and complete designation of the file;

c) the office at which the right to information can be asserted;

d) the legal basis and purpose of the file;

e) the categories of the personal data being processed;

f) the categories of recipients of the data;

g) the categories of persons dealing with the file, i.e. third parties entering data into the file and authorised to modify the file;

h) the group and approximate number of the persons affected.

2) The responsible authority shall regularly update such information and shall report any changes on an annual basis.

 

Article 17. Simplified registration and publication

1) The following files shall be the subject of simplified registration and publication, provided the authorities use such files exclusively for internal administrative purposes:

a) manual correspondence registers;

b) files from contractors or clients, provided such files do not contain sensitive data or personal profiles;

c) address collections solely for the purpose of addressing mail, unless such collections contain sensitive data or personal profiles;

d) lists of compensation payments;

e) accounting documents;

f) ancillary files for the personnel administration of the Principality, provided such files do not contain sensitive data or personal profiles;

g) library files (author catalogues, borrower and user lists);

h) files kept at the National Archives.

2) The simplified registration shall contain the following information:

a) the name and address of the competent authority;

b) the name and complete designation of the file;

c) the office where the right to information can be asserted.

3) In the event an authority administers several files belonging to a single category specified in paragraph 1, these files shall be the subject of a single registration.

4) The Data Protection Commissioner may permit simplified registration for other files upon request, provided such would not jeopardise the privacy of the persons affected.

 

Article 18. Exemptions from publication

Files shall not be published in the register if such files:

a) will be used for two years or less;

b) are stored in the National Archives;

c) are ancillary files for personnel administration, provided the responsible authorities guarantee that such files are published internally;

d) are accessible to the public in the form of yearbooks.

 

C. Disclosure abroad

Article 19

1) Authorities shall notify the Data Protection Commissioner of the transmission of files and regular disclosure of personal data abroad unless such transmissions and disclosures are required by a law or the persons affected have knowledge of such transmissions and disclosures.

2) Written notification shall be made prior to disclosure. Such notification shall contain the following information:

a) the name and address of the office disclosing the personal data;

b) the name and address of the recipient of the data;

c) the name and complete designation of the file;

d) the categories of the personal data being disclosed;

e) the group and approximate number of the persons affected;

f) the legal basis and purpose of the data processing by the recipient;

g) the type and frequency of disclosure;

h) the date of initial disclosure.

3) The disclosure of data of the same category to various recipients for the same processing purpose may be the subject of a single notification.

 

D. Organisational and technical measures

Article 20. Principles

1) The responsible authorities shall take the organisational and technical measures in accordance with Articles 9 through 11 which are necessary to protect the privacy and fundamental rights of persons about whom data is being processed.

2) The responsible authorities shall notify the Data Protection Commissioner without delay of all projects for the automated processing of personal data so that data protection requirements can be taken into account immediately.

3) The responsible authority must co-operate with the Data Protection Commissioner in determining the measures in accordance with paragraph 1.

 

Article 21. Processing regulations

1) The responsible authorities shall draft processing regulations for automated files which:

a) contain sensitive data or personal profiles;

b) are used by more than one authority;

c) are made accessible to foreign authorities, international organisations, or private individuals; or

d) are linked to other files.

2) The responsible authority shall set forth its internal organisation in the processing regulations. The authority shall in particular define its data processing and control procedure and list all documents on the planning, creation, and operation of the file. The regulations shall contain the information necessary for registration (Article 16) as well as information on:

a) the body responsible for the protection and security of the data;

b) the origin of the data;

c) the purposes for which the data is regularly disclosed;

d) the control procedures, especially organisational and technical measures in accordance with Article 20;

e) a description of the data fields and the organisational units with access to such data fields;

f) the type and scope of user access to the file;

g) the data processing procedures, in particular the procedures for correcting, restricting the communication, anonymising, storing, preserving, archiving, and destroying the data and making such data anonymous;

h) the configuration of the data processing tools;

i) the procedure for exercising the right for information.

3) The regulations shall be updated regularly. Such regulations shall be made available to the competent control authorities in a form comprehensible to such authorities.

 

Article 22. Data processing by a third party

1) An authority may have personal data processed by a third party provided data protection is guaranteed.

2) Authorities which have personal data processed by third parties shall remain responsible for ensuring data protection. Such authorities shall ensure that the data is processed in accordance with the mandate, especially in matters relating to the use and disclosure of the data.

3) In the event the third party is not subject to the Data Protection Act, the competent authority must ensure that other legal provisions guarantee an equivalent degree of data protection. In the event no such protection exists, the competent authority shall ensure such protection by contract.

 

Article 23. Data protection advisor

The government shall designate at least one data protection advisor. This advisor shall have the following tasks:

a) supporting the competent office and users;

b) promoting employee notification and training;

c) co-operation in the enforcement of data protection provisions.

 

E. Specific provisions

Article 24. Collection of personal data

1) In the event the person questioned is legally obligated to provide information, the authority collecting the personal data must inform that person of the consequences of refusing to provide information or providing false information.

2) In the event the person questioned is not legally obligated to provide information, the authority systematically collecting the personal data through the use of questionnaires must inform that person that providing information is voluntary.

 

Article 25. Personal identification number

1) Authorities which introduce a personal identification number for the administration of their files shall create a random number to be used for the fulfilment of its own duties. A random number shall indicate any definite or uniquely invertible number of characters assigned to every person who is registered in a file and which does not allow for any conclusions about the person.

2) The use of the personal identification number by another authority or private individuals must be approved by the relevant authority.

3) Approval may be granted when there is a close relationship between the intended form of data processing and the form of data processing for which the personal identification number was created.

4) Otherwise, the use of the old age and surviving dependant insurance number shall be regulated by the appropriate legislation.

 

Article 26. Disclosure of data

The responsible authority shall notify recipients of the data of the up-to-date status and reliability of the personal data disclosed to them unless such information is evident from the data itself or the circumstances.

 

Article 27. Offering data to the National Archives

1) In accordance with the Archives Act, the authorities shall offer all personal data which is no longer required on a permanent basis to the National Archives, unless such authorities are themselves responsible for archiving the data.

2) The authorities shall destroy all personal data which is designated by the National Archives as not worthy of archiving except when such data:

a) has been made anonymous;

b) must be preserved for evidentiary or security purposes.

 

III. The file register, the Data Protection Commissioner and the Data Protection Commission

A. The file register and file registration

Article 28. The file register

1) The register kept by the Data Protection Commissioner shall contain the information in accordance with Article 3, 16 and 17.

2) The register shall be public and may be inspected at the offices of the Data Protection Commissioner free of charge.

3) A list of registered files shall be published periodically in official publication organs.

 

Article 29. File registration

1) The Data Protection Commissioner shall register files provided complete registration was submitted meeting formal requirements. Prior to registering the file, the Data Protection Commissioner shall review the lawfulness of the file as a whole.

2) In the event the file to be registered violates data protection provisions, the Data Protection Commissioner shall recommend the modification, suspension, or cessation of the data processing. He shall postpone registration until the legal situation is clarified.

3) In the event a controller fails to register his file or such registration is incomplete, the Data Protection Commissioner shall set a deadline for him to meet his obligations. Upon expiration of the deadline, the Commissioner may recommend the registration ex officio of the file or the suspension of data processing activities based on the information at his disposal.

 

B. The Data Protection Commissioner

Article 30. Administrative affiliation

1) The Data Protection Commissioner shall be affiliated with the Ministry of Justice for administrative purposes.

2) The employment relation of the Data Protection Commissioner's secretariat shall be in accordance with the Civil Servant Act.

 

Article 31. Relations with other authorities and private individuals

1) The Data Protection Commissioner shall deal with the government through the Minister of Justice. The Minister of Justice shall transmit all of the Data Protection Commissioner's recommendations and reports to the government, even if he does not approve such recommendations and reports.

2) The Data Protection Commissioner shall deal directly with other authorities, the courts, foreign data protection authorities, and private individuals.

 

Article 32. Documentation

1) Government offices shall present all bills relating to the processing of personal data and data protection to the Data Protection Commissioner. The departments and the Chancellery shall notify him of their decisions and their data protection directives in anonymous form.

2) The Data Protection Commissioner must have sufficient documentation for his activities. He shall operate an independent information system for documentation, archiving, and the file register.

3) The Data Protection Commission shall have access to the scientific documentation of the Data Protection Commissioner.

 

Article 33. Fees

1) A fee shall be charged for the official expertises of the Data Protection Commissioner. The provisions of the Ordinance on the collection of administrative costs and fees by the government and offices thereof shall be applicable.

2) No fees shall be charged to authorities.

 

Article 34. Review of the processing of personal data

1) In order to conduct investigations in accordance with Articles 29 and 30 of the Data Protection Act, and in particular to review the lawfulness of data processing, the Data Protection Commissioner may request the following information from the file controller:

a) organisational and technical measures (Articles 9 through 11 and 20) taken in the past or planned in the future;

b) provisions with regard to correcting, restricting the communication, storing, and destroying personal data and making such data anonymous;

c) the configuration of data processing tools;

d) links to other files;

e) the manner in which the data is disclosed;

f) a description of the data fields and the organisational units with access to such data fields;

g) the type and extent of user access to file data.

2) In the event of disclosures abroad, the Data Protection Commission may request additional information, in particular on the processing capacities of the recipient of the data or the data protection measures taken.

 

C. The Data Protection Commission

Article 35

1) The Commission may request the submission of processed data.

2) The Commission shall notify the Data Protection Commission of its decisions.

3) Otherwise, the General Act on Administrative Procedure shall be applicable.

 

IV. Final provisions

Article 36. Commencement

This Ordinance shall come into force concurrently with the Data Protection Act.

 

Government of the Principality:

Rita Kieber-Beck

Deputy Head of Government

 

 

 

Appendix

States whose data protection legislation shall be regarded as equivalent in terms of Article 8 paragraph 3 letter b of the Data Protection Act:

– Argentina;

– Guernsey;

– Canada;

– Isle of Man;

– Switzerland;

– United States of America in the framework of:

a) Decision of the European Commission 520/2000/EC of 26 July 2000 pursuant to Directive 95/46 of the European Parliament and of the Council on the adequate protection of personal data provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions;

b) Decision of the European Commission of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection.
