Answer ... The EU General Data Protection Regulation (GDPR) – in conjunction with the Liechtenstein Data Protection Act, implementing the GDPR where necessary – also applies to Liechtenstein companies, institutions and associations within the framework of their domestic and foreign customer relations.
The GDPR covers large companies, small and medium-sized enterprises and sole proprietorships alike. Whenever a company processes personal data (eg, stores such data in a client database), the GDPR applies.
The GDPR contains a number of provisions that individual states may specify in greater detail or supplement. Despite the uniform GDPR text, there are therefore differences between the data protection regimes of individual European states. Around 70 so-called ‘opening clauses’ leave room for national rules; these are filled by the national data protection regimes of the individual states and may be applied with varying degrees of strictness. As a result of the changes brought by the GDPR, the aforementioned Data Protection Act was completely revised in 2018.
The new duty of accountability under this act means that companies must be able to actively demonstrate that they adhere to the principles of the GDPR (Article 5, paragraph 2 of the GDPR), in particular:
- The company must ensure transparency when processing personal data.
- The company must have a lawful basis for the processing, namely the data subject’s consent, the performance of a contract, compliance with a legal obligation or another ground listed in Article 6 of the GDPR, so that personal data is processed lawfully and fairly.
- The company must inform the data subject of the specific purposes of the processing in a concise, transparent, intelligible and easily accessible form.
- The company must ensure that it does not collect more data than is required for the purposes for which the data is used.
- The company may not store the data for longer than is required for the specified purposes.
- The company must ensure that the data stored is accurate and, where necessary, kept up to date, and that inaccurate personal data is erased or rectified without delay.
- The company must ensure that the data is protected against unauthorised access, loss or misuse by appropriate technical and organisational measures.
Answer ... Fintech companies that are regulated by, or hold licences under, the following laws are subject to the Financial Market Authority’s (FMA) Communiqué 2018/3 on Expectations on Dealing with Cyber Risks:
- Banks according to the Law on Banks and Investment Firms (Bankengesetz, BankG)
- Investment firms according to the Law on Banks and Investment Firms
- E-money institutions according to the E-Money Act (E-Geldgesetz, EGG)
- Payment institutions according to the Payment Services Act (Zahlungsdienstegesetz, ZDG)
- Management companies according to the Act on Certain Undertakings for Collective Investment in Transferable Securities (Gesetz über bestimmte Organismen für gemeinsame Anlagen in Wertpapiere, UCITSG)
- Investment undertakings and management companies according to the Investment Undertakings Act of 2015 (Investmentunternehmensgesetz, IUG)
- Alternative investment fund managers according to the Act on Alternative Investment Fund Managers (Gesetz über die Verwalter alternativer Investmentfonds, AIFMG)
- Asset managers according to the Asset Management Act (Vermögensverwaltungsgesetz, VVG)
- Trustees and trust companies according to the Law concerning Professional Trustees and Fiduciaries (Treuhändergesetz, TrHG)
The communiqué sets out specific technical and organisational requirements aimed at preventing cybercrime. In addition, the FMA has published the non-binding Handout 2019/1, which is intended to raise awareness of how cyber risks can be identified and addressed. The handout describes possible implementation measures and control mechanisms for the requirements of the communiqué.
The specific implications (eg, minimum requirements, risk management, identification of specific cyberattack threats, vulnerability analyses, information and reporting duties in the event of cyberattacks, and recovery measures) are set out in the handout.