Applicability of Data Protection Law in Liechtenstein: Filing System Criterion

The Filing System Criterion in Liechtenstein's data protection law extends the applicability of the law to manual processing of personal data, provided that such data is structured in a way that allows for easy retrieval or access, thus covering systematically arranged personal data on paper or other non-digital formats.

Text of Relevant Provisions

DCG Art.2(1):

"This Act shall apply to the processing of personal data by public bodies. For non-public bodies, this Act shall apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system with the exception of processing personal data by a natural person in the course of a purely personal or domestic activity."

Original (German):

"Dieses Gesetz gilt für die Verarbeitung personenbezogener Daten durch öffentliche Stellen. Für nicht-öffentliche Stellen gilt dieses Gesetz für die Verarbeitung personenbezogener Daten, die ganz oder teilweise mit automatisierten Mitteln erfolgt, sowie für die nicht-automatisierte Verarbeitung personenbezogener Daten, die Teil eines Dateisystems sind oder dazu bestimmt sind, Teil eines Dateisystems zu werden, mit Ausnahme der Verarbeitung personenbezogener Daten durch eine natürliche Person im Rahmen einer ausschließlich persönlichen oder häuslichen Tätigkeit."

Analysis of Provisions

The Filing System Criterion is a key factor in determining the scope of applicability of Liechtenstein’s data protection law (DSG), particularly for non-public bodies. This criterion ensures that the law covers both automated and manual processing of personal data, provided the data forms part of a filing system.

1. Scope of Application:
   • The provision under DCG Art.2(1) stipulates that the law applies to "the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."
2. Definition of Filing System:
   • A filing system is understood as any structured set of personal data accessible according to specific criteria. This includes both digital and non-digital formats, ensuring that manual records organized systematically are also covered.
3. Inclusion of Manual Records:
   • By including manual processing in the scope of the DSG, the law ensures comprehensive protection of personal data regardless of whether it is processed digitally or manually. This means that personal data stored in structured physical files are subject to the same protections as data processed by automated means.
4. Exemptions:
   • The law explicitly exempts processing by natural persons in the course of purely personal or domestic activities. This delineation helps focus regulatory efforts on data processing activities with broader implications for privacy and data protection.

Implications

For Business

• Manual Data Processing: Businesses must recognize that their manual records, if organized in a filing system, fall under the DSG. This necessitates compliance measures similar to those for automated data processing, including security protocols and data subject rights.
• Compliance Obligations: Companies need to implement robust data protection measures for both digital and manual records. This includes policies and procedures for handling personal data in physical files, ensuring they meet DSG requirements.
• Record-Keeping and Access: Organizations must maintain clear and accessible records, both digital and manual, with appropriate safeguards to ensure compliance with the DSG. This involves structured filing systems that allow for efficient retrieval and protection of personal data.

The Filing System Criterion in Liechtenstein’s DSG ensures that personal data, whether processed manually or automatically, receives consistent protection under the law, reflecting the importance of comprehensive data protection measures across various processing methods.