Skip to content
World Watch/Liechtenstein/Data & Privacy

Data & Privacy · Liechtenstein

Data protection & GDPR compliance in Liechtenstein (2026)

Comprehensive lawEU General Data Protection Regulation (Regulation (EU) 2016/679), incorporated into the EEA Agreement and applicable in Liechtenstein, together with the national Data Protection Act (Datenschutzgesetz, DSG) of 4 October 2018 (LR 235.1); supervised by the Data Protection Authority (Datenschutzstelle, DSS) in Vaduz.Country index 78 · B+

Liechtenstein shaded by its data & privacy status

Data protection in Liechtenstein: comprehensive law, under EU General Data Protection Regulation (Regulation (EU) 2016/679), incorporated into the EEA Agreement and applicable in Liechtenstein, together with the national Data Protection Act (Datenschutzgesetz, DSG) of 4 October 2018 (LR 235.1); supervised by the Data Protection Authority (Datenschutzstelle, DSS) in Vaduz..

Liechtenstein has a comprehensive, GDPR-aligned data-protection regime. As an EEA EFTA state it applies the GDPR directly (incorporated by EEA Joint Committee Decision No 154/2018, effective 20 July 2018), and its national Datenschutzgesetz (DSG) of 4 October 2018 entered into force on 1 January 2019 to complement and implement it. The independent Datenschutzstelle is the national supervisory authority.

GDPR & data protection in Liechtenstein

In Liechtenstein, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Data Protection Authority (Datenschutzstelle).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Data Protection Authority (Datenschutzstelle)
Applies to
any organisation processing the personal data of people in Liechtenstein, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Liechtenstein supplements it with a national data-protection act and its own supervisory authority.

GDPR in Liechtenstein: FAQ

Does the GDPR apply in Liechtenstein?

Yes. As an EU/EEA member, Liechtenstein applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Data Protection Authority (Datenschutzstelle).

Who enforces data protection law in Liechtenstein?

The Data Protection Authority (Datenschutzstelle).

What are the GDPR fines in Liechtenstein?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Liechtenstein?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Liechtenstein?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

GDPR applies via EEA

Although not an EU member, Liechtenstein is an EEA EFTA state; the GDPR was incorporated into the EEA Agreement by Joint Committee Decision No 154/2018 (6 July 2018), making Regulation (EU) 2016/679 directly applicable.

National Data Protection Act (DSG)

The Datenschutzgesetz of 4 October 2018 (LR 235.1) was a total revision aligning national law with the GDPR; it entered into force on 1 January 2019 and supplements the directly applicable Regulation.

Supervisory authority

The Datenschutzstelle (DSS), based in Vaduz, is the independent national data-protection supervisory authority responsible for enforcing the GDPR and DSG.

Core rights and obligations

The GDPR framework grants data subjects rights of access, rectification, erasure, portability and objection, and imposes controller/processor duties such as lawful basis, transparency, breach notification, records of processing and (where required) data protection impact assessments.

EEA institutional specifics

Liechtenstein's DSS participates in the European Data Protection Board, but for EEA EFTA states judicial oversight of GDPR matters runs through the EFTA Court rather than the Court of Justice of the EU.

Enforcement and penalties

Administrative fines follow the GDPR's two-tier maximums (up to EUR 20 million / EUR 10 million or 2-4% of global annual turnover); the DSS has been a comparatively low-activity enforcer.

Timeline - major decisions & events

Jun 1, 2025guidanceofficial
Data Protection Authority publishes 2024 activity report

The Datenschutzstelle issued its Tätigkeitsbericht 2024, documenting growing caseloads, data-breach notifications and the authority's supervisory and advisory work. It is the most recent official snapshot of how GDPR is being enforced and applied in Liechtenstein.

Datenschutzstelle Liechtenstein
May 1, 2025guidanceofficial
Authority warns on Meta AI training, sets 26 May objection deadline

The Datenschutzstelle alerted residents that Meta would use public Facebook/Instagram data to train its generative-AI models and explained how to object before 26 May 2025. It marked the regulator's first prominent public stance on AI training and personal data.

Datenschutzstelle Liechtenstein
Jun 1, 2024guidanceofficial
Data Protection Authority publishes 2023 activity report

The Datenschutzstelle released its Tätigkeitsbericht 2023, reporting on complaints handled, breach notifications and consultations. The report reflects the authority's pattern of resolving most cases informally rather than through fines.

Datenschutzstelle Liechtenstein
Jan 1, 2019lawofficial
New Data Protection Act and Ordinance enter into force

Liechtenstein's totally revised Datenschutzgesetz (DSG) and Datenschutzverordnung (DSV) took effect, supplementing the directly applicable GDPR with national rules and confirming the Datenschutzstelle as supervisory authority. This is the backbone of the framework in force today.

Datenschutzstelle Liechtenstein
Dec 11, 2018lawofficial
Data Protection Ordinance (DSV) adopted

The government issued the Datenschutzverordnung implementing detailed procedural and substantive rules under the new DSG. It operationalised the GDPR's opening clauses in domestic law.

Datenschutzstelle Liechtenstein
Jul 20, 2018lawofficial
GDPR becomes directly applicable in Liechtenstein

Following EEA incorporation, the GDPR entered into force for the EEA-EFTA states Liechtenstein, Iceland and Norway and became directly applicable. This extended EU-level data-protection standards and the one-stop-shop system to Liechtenstein.

EUR-Lex (EEA Joint Committee)
Jul 6, 2018decisionofficial
EEA Joint Committee Decision No 154/2018 incorporates GDPR

The EEA Joint Committee adopted Decision No 154/2018, amending Annex XI of the EEA Agreement to incorporate Regulation (EU) 2016/679 (GDPR). This is the legal act that brought the GDPR into the EEA legal order binding Liechtenstein.

EFTA
Mar 14, 2002lawofficial
First comprehensive Data Protection Act enacted

Liechtenstein adopted its first modern Datenschutzgesetz, transposing EU Directive 95/46/EC into national law via the EEA Agreement and establishing a dedicated data-protection authority. It set the template later replaced by the GDPR-era 2018 law.

WIPO Lex
May 1, 1995lawofficial
Liechtenstein joins the European Economic Area

Liechtenstein became a member of the EEA, committing it to adopt EU internal-market legislation, including, in time, EU data-protection law, through the EEA Agreement. This membership is the structural reason EU privacy rules apply in the country today.

EFTA

Liechtenstein - other topics

Data & Privacy in other countries

Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →