Can I demand to know what data is stored about me?
Yes — you have a full right of access, and it comes straight from the EU General Data Protection Regulation. Because Liechtenstein belongs to the EEA, the GDPR applies here directly — it was incorporated into the EEA Agreement on 20 July 2018. It is supplemented by Liechtenstein's Data Protection Act (DSG, LR 235.1), in force since 1 January 2019 and modelled on German law. Under Art. 15 GDPR any company or authority must tell you, on request, whether and which data it processes about you, for what purpose and from where — free of charge and within one month. The myth: 'Liechtenstein, like Switzerland, has its own weaker data-protection law.' Wrong — Switzerland stands outside the EEA and has its own act (revised FADP); Liechtenstein by contrast applies the same GDPR as all of Europe, supervised by the Data Protection Authority.
📋 The rules
- The GDPR applies directly. As an EEA state Liechtenstein incorporated the GDPR on 20 July 2018; it applies directly, supplemented by the Data Protection Act (DSG, LR 235.1) of 2019. This sets Liechtenstein fundamentally apart from Switzerland.
- Access is free. The first response under Art. 15 GDPR is free of charge. Only for manifestly unfounded or excessive, repeated requests may a reasonable fee be charged or the access refused.
- A one-month deadline. The controller must respond within one month. In complex cases they may extend by two further months, but must inform you of this.
- Scope of the access. You learn which data is processed, for what purpose, where it comes from, to whom it is passed and how long it is stored — together with a copy of the data.
- Supervision by the Data Protection Authority. If a body does not respond or responds wrongly, you can complain to the Data Protection Authority (DSS). It is the independent supervisory authority and can issue orders and fines.
🔓 Exceptions
- Third-party rights. The access must not reveal the personality rights of others; where data also concerns third persons, the access can be limited or anonymised accordingly.
- Overriding secrecy. Certain areas — such as ongoing criminal proceedings or statutory duties of secrecy — can limit the right of access, in so far as this is proportionate.
- Abusive requests. For manifestly unfounded or excessive repeat requests the controller may charge a fee or refuse to act — but must prove the abuse.
⚠️ Penalties & fines
Ignoring a legitimate data-access request risks a complaint and heavy measures. The Data Protection Authority can order a company or authority to provide the access, to rectify, erase or block processing and to publicly establish breaches. For serious violations the GDPR provides fines up to EUR 20 million or 4 per cent of worldwide annual turnover — a scale Switzerland's own act does not even know. For those affected, compensation matters too: anyone who suffers material or non-material damage from unlawful processing can claim it in the civil courts. Less obvious is the notification duty: a data breach must as a rule be reported to the authority within 72 hours and quickly becomes public. Anyone who keeps data after a valid erasure request continues the breach and steadily raises the risk.
📎 Official sources
- Data Protection Authority Liechtenstein — your rights and complaints (supervisory authority) →
- LILEX — Data Protection Act (DSG, LR 235.1) and GDPR (legal register home) →
- Liechtenstein National Administration — data protection (national administration) →
❓ Frequently asked
Does the GDPR really apply in Liechtenstein?
Yes, because Liechtenstein belongs to the European Economic Area, the GDPR was incorporated into the EEA Agreement in 2018 and applies here directly. It is supplemented by the national Data Protection Act, which has been in force since 2019.
What does a data-access request cost?
The first response under Art. 15 GDPR is in principle free of charge. Only for manifestly unfounded or excessive repeat requests may a reasonable fee be charged, which the controller has to justify.
How quickly must they answer me?
The controller must in principle answer you within one month of receiving the request. For particularly complex or numerous requests they may extend the period by up to two further months, but must inform you of the delay and its reasons.
What can I do if a company does not answer?
You can complain to the Data Protection Authority as the independent supervisory body. It can oblige the company to provide access, establish breaches and, in serious cases, impose heavy fines under the GDPR.
Is data protection stricter than in Switzerland?
As an EEA state Liechtenstein applies the GDPR directly, whereas Switzerland, outside the EEA, has its own and partly weaker act. For those affected this means Europe-wide uniform rights in Liechtenstein and a higher ceiling for fines.
🔎 Common searches
What people search to land here:
- “data access liechtenstein”
- “gdpr liechtenstein”
- “right of access art 15 liechtenstein”
- “data protection authority liechtenstein complaint”
- “what data stored liechtenstein”
- “data protection liechtenstein switzerland difference”