top of page

LIECHTENSTEIN - Data Protection and GDPR Review

The history of data protection in Liechtenstein, similar to other European nations, has been largely influenced by European law. As a member of the European Free Trade Association (EFTA) and the European Economic Area (EEA), Liechtenstein is obliged to incorporate EU law into its national law where relevant, which includes data protection.

Here is an overview:

Pre-EEA Period

Before Liechtenstein's entry into the EEA, the country had its own legal framework for data protection, but it was limited in scope compared to what came afterward. At that time, data protection measures were relatively rudimentary, designed mainly to protect individual privacy from intrusion by state or corporate entities.

EEA Membership and Data Protection

Liechtenstein became a member of the EEA in 1995. EEA membership required Liechtenstein to adopt legislation compatible with EU directives, including those relating to data protection. In response, Liechtenstein enacted or modified various laws to align with European standards on data protection, which were mainly guided by the EU Data Protection Directive 95/46/EC. The Data Protection Office in Liechtenstein is responsible for ensuring compliance with data protection laws and regulations.

GDPR Implementation

The General Data Protection Regulation (GDPR) came into force on May 25, 2018, and this had a significant impact on data protection in Liechtenstein. As an EEA member, Liechtenstein was required to implement the GDPR into national law. The GDPR harmonized data protection regulations across the EEA, including Liechtenstein, providing individuals with greater control over their personal data while simplifying the regulatory environment for international businesses.

National Data Protection Law

While GDPR forms the backbone of data protection regulation in Liechtenstein, the country also has its own national laws that align with the GDPR. These laws often cover areas that are not directly covered by the GDPR, ensuring a comprehensive data protection framework.

Future Considerations

Like many other countries, Liechtenstein is grappling with data protection in the context of rapid technological advancements. Issues such as cybersecurity, the role of artificial intelligence, and the complexities of international data transfers are likely to shape the future of data protection laws in the country.

Enforcement and Penalties

Failure to comply with data protection laws in Liechtenstein can result in significant penalties, often aligned with the stringent fines imposed under GDPR (up to €20 million or 4% of global annual turnover, whichever is higher).

In summary, the history of data protection in Liechtenstein is deeply influenced by its relationships with the EEA and the EU, and the country has made significant strides in implementing comprehensive data protection measures. Given that data protection is a dynamic field, it's likely that Liechtenstein will continue to evolve its regulations in line with European and international developments.

Data protection in Lithuania, like in all EU member states, is chiefly regulated by the General Data Protection Regulation (GDPR) that came into effect on May 25, 2018. This guide aims to provide a comprehensive overview of the essential elements of data protection in Lithuania as influenced by the GDPR. It is crucial to note that this guide is not a substitute for professional legal advice.

Regulatory Bodies

European Data Protection Board (EDPB)

An EU-level body responsible for ensuring consistent application of data protection rules throughout the European Union.

State Data Protection Inspectorate of Lithuania

This is the national authority that supervises compliance with data protection laws in Lithuania, provides guidelines, and handles complaints and data breaches.

Key Concepts

Personal Data

Any information relating to an identifiable individual.

Data Controller

The entity that determines the purposes and means of processing personal data.

Data Processor

A third party that processes personal data on behalf of the data controller.

Data Subject

The individual whose personal data is processed.


Explicit permission from the data subject to process their personal data.

Obligations for Data Controllers and Processors

Privacy Policy

Organizations must have a privacy policy that outlines how they collect, use, and store personal data.

Data Protection Impact Assessment (DPIA)

Required when processing activities may result in high risks to the rights and freedoms of data subjects.

Data Protection Officer (DPO)

A DPO must be appointed if the entity is a public body, or if it processes sensitive data on a large scale.


Both data controllers and processors are obliged to keep records of processing activities.

Security Measures

Organizations must implement adequate technical and organizational security measures to protect personal data.

Data Breach Notification

Data breaches must be reported to the State Data Protection Inspectorate of Lithuania and to the affected individuals within 72 hours of becoming aware of the breach.

Rights of Data Subjects

Right to Access

Individuals can request a copy of their personal data and information on how it's being processed.

Right to Rectification

Individuals have the right to correct inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten")

Data subjects have the right to have their personal data deleted under specific conditions.

Right to Object

Individuals can object to the processing of their personal data for specific purposes like direct marketing.

Right to Data Portability

Individuals can request their personal data in a machine-readable format for transfer to another service provider.

Enforcement and Penalties

Failure to comply with GDPR regulations can result in fines of up to €20 million or 4% of the company's annual global turnover, whichever is higher. Enforcement in Lithuania is carried out by the State Data Protection Inspectorate.

Additional Considerations

  • Local Laws: Lithuania has national laws, such as the Law on Legal Protection of Personal Data, that complement the GDPR.

  • International Data Transfers: Transfers to countries outside the EU must ensure an adequate level of data protection, often through mechanisms like Standard Contractual Clauses.


The GDPR serves as the cornerstone for data protection in Lithuania, setting a high standard for personal data processing. Organizations must be proactive in ensuring compliance, as the penalties for infringement can be severe. This evolving landscape requires constant attention to both Lithuanian and EU-wide data protection updates. Therefore, it is advisable for businesses and data controllers to regularly consult legal experts in this domain to stay compliant.


bottom of page