Our Expert in Liechtenstein
No results available
Data protection crypto Liechtenstein compliance has entered a new phase in 2026, driven by the convergence of three regulatory forces: the full application of the Markets in Crypto-Assets Regulation (MiCAR) and its passporting regime across the EEA, the OECD’s Crypto-Asset Reporting Framework (CARF) moving toward first reporting deadlines, and the Finanzmarktaufsicht (FMA) stepping up supervisory scrutiny of licensed crypto-asset service providers (CASPs). Liechtenstein’s unique position, home to the pioneering Token and Trustworthy Technologies Act (TVTG) and a full participant in the EEA GDPR regime, means that compliance officers, CTOs and in-house legal teams must reconcile overlapping obligations that no single EU guidance document addresses.
This guide provides a jurisdiction-specific, operational playbook: the lawful bases, technical architectures, retention rules, reporting workflows and audit documentation that Liechtenstein CASPs, VASPs and payment providers need right now.
Yes, GDPR applies in Liechtenstein, it was incorporated into the EEA Agreement and is enforced domestically by the Datenschutzstelle (Data Protection Authority). And yes, crypto-asset services are legal here: the TVTG established a comprehensive licensing framework, now supplemented by MiCAR passporting under FMA supervision. The central compliance question for 2026 is not whether these rules apply, but how to operationalise them simultaneously without contradiction.
The following eight-step checklist captures the immediate actions every Liechtenstein CASP, VASP or payment provider should take:
The TVTG (Token- und Vertrauenswürdige Technologien Gesetz), enacted in 2020 and available via the Liechtenstein law portal at gesetze.li, introduced the “Token Container Model”, the concept that a token can represent any right, and the technology layer is regulated separately from the asset layer. For data protection purposes, the critical implication is that TVTG-registered service providers (token generators, token custodians, token exchangers, and others) are controllers or processors of personal data wherever their services touch identifiable individuals. The TVTG does not displace GDPR; it adds sector-specific obligations on top of it.
The FMA supervises CASPs under the MiCAR framework and maintains dedicated procedural guidance for applicants. FMA privacy requirements now extend beyond generic compliance statements: applicants must demonstrate operational data-protection measures as part of the licensing procedure. Industry observers expect the FMA to intensify post-licensing audits focused on AML data handling, travel-rule implementation and cross-border data transfers, areas where data protection crypto Liechtenstein obligations intersect most sharply.
| Law / Framework | Regulator | Key Data-Related Requirement |
|---|---|---|
| GDPR (Regulation (EU) 2016/679, as incorporated into EEA law) | Datenschutzstelle Liechtenstein | Lawful basis, data minimisation, DPIA, cross-border transfer safeguards, data-subject rights |
| TVTG (Token and Trustworthy Technologies Act) | FMA Liechtenstein | Registration/licensing of token service providers; organisational requirements that include data governance |
| MiCAR (Markets in Crypto-Assets Regulation) | FMA Liechtenstein (national competent authority) | CASP authorisation, passporting, conduct-of-business rules including client-data handling |
| CARF (OECD Crypto-Asset Reporting Framework) | Liechtenstein Tax Administration (Steuerverwaltung) | Reporting of crypto-asset transactions and user identities to tax authorities; automatic exchange of information |
| Liechtenstein AML Act (SPG) | FMA Liechtenstein | KYC/CDD data collection, retention (minimum periods), suspicious-transaction reporting |
Liechtenstein is not an EU Member State, but as an EEA member it has incorporated the GDPR into domestic law. The Datenschutzstelle enforces the regulation with the same substantive provisions that apply across the EU. For CASPs and payment providers, this means the full GDPR toolkit, lawful bases, data-subject rights, accountability obligations, cross-border transfer restrictions, applies without modification.
GDPR Article 6 provides six lawful bases. In practice, Liechtenstein CASPs rely on three:
Consent (Article 6(1)(a)) is rarely the appropriate basis for mandatory financial-services processing. Relying on consent for KYC creates the risk that withdrawal of consent makes legally required processing unlawful. The recommended practice is to reserve consent for genuinely optional processing, such as marketing communications.
GDPR Article 5(1)(c) requires that personal data be adequate, relevant and limited to what is necessary. For CASP data obligations, this means collecting only the KYC fields mandated by the AML Act, not speculative “nice-to-have” data points. Retention must be governed by the applicable legal minimum (typically the AML Act’s retention period) and data must be deleted or anonymised once that period expires, unless another lawful basis justifies continued storage.
Blockchain’s immutability is fundamentally at odds with GDPR’s right to erasure (Article 17) and storage-limitation principle (Article 5(1)(e)). The practical rule is clear: do not store raw personal data on any public or permissionless blockchain.
On-chain personal data creates an irreconcilable conflict. Once personal data is written to an immutable ledger, it cannot be erased, rectified or time-limited in the manner GDPR demands. The European Data Protection Board (EDPB) has consistently emphasised that controllers must build privacy by design into new technologies, and that technical immutability does not exempt a controller from GDPR obligations.
Acceptable architectural patterns include:
GDPR Recital 26 draws a critical line: pseudonymised data remains personal data (because re-identification is possible with the mapping key), while truly anonymised data falls outside GDPR scope entirely. For data protection crypto Liechtenstein practice, this means that hashed references are pseudonymised, and the full GDPR framework still applies to them, unless the hash is computationally irreversible and no mapping key exists anywhere.
A custody CASP typically operates a gateway model: the client-facing onboarding layer collects and stores KYC data in a segregated, encrypted database; the blockchain layer records only transaction hashes and pseudonymous wallet identifiers. A DPA governs the relationship between the CASP (controller) and any third-party infrastructure provider (processor). This architecture satisfies both TVTG registration requirements and GDPR data-minimisation obligations.
| Technical Pattern | GDPR Status of On-Chain Data | Erasure Compliance |
|---|---|---|
| Raw personal data on public chain | Personal data, full GDPR applies | Non-compliant (immutable) |
| Salted hash on-chain, KYC off-chain | Pseudonymised, GDPR applies to linked dataset | Compliant (delete off-chain record + mapping key) |
| ZKP attestation on-chain | No personal data on-chain if proof reveals nothing identifiable | Compliant |
| Permissioned ledger with delete function | Personal data, GDPR applies | Compliant if governance allows amendment/deletion |
KYC data storage best practices for Liechtenstein CASPs require a documented lifecycle, from collection through to secure deletion.
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| KYC / CDD records (identity documents, verification results) | Minimum as prescribed by the Liechtenstein AML Act (SPG), typically aligned with EU AMLD standards | Legal obligation (SPG / AML Act) |
| Transaction records | As required by AML Act and applicable tax legislation | Legal obligation |
| Suspicious-activity reports (SARs) | As prescribed by AML Act; access restricted to compliance function | Legal obligation |
| Marketing and consent records | Until consent is withdrawn, plus a short evidential buffer | Consent (Article 6(1)(a)) |
| Internal analytics / fraud-detection logs | Maximum necessary for the stated purpose; review annually | Legitimate interests (Article 6(1)(f)) |
Once the applicable retention period expires, data must be securely deleted or irreversibly anonymised. Automated deletion triggers, configured at the database level, reduce human error and demonstrate accountability to the FMA and Datenschutzstelle.
CARF reporting Liechtenstein obligations require CASPs to collect and transmit specified data about crypto-asset users and their transactions to the Liechtenstein Tax Administration, which then exchanges information with partner jurisdictions. The OECD’s CARF framework defines the reportable fields, broadly, user identity, tax residence, and transaction values. The interaction with GDPR is direct: every reportable field is personal data, and every disclosure to a tax authority is a processing activity that requires a lawful basis.
A DPIA is required under GDPR Article 35 where processing is likely to result in a high risk to individuals’ rights and freedoms. CARF reporting may trigger a DPIA obligation where the CASP processes data on a large scale, involves systematic cross-border transfers, or combines tax-reporting data with other datasets (e.g., transaction-monitoring profiles). Early indications suggest that supervisory authorities will expect CASPs handling significant user volumes to have a CARF-specific DPIA on file.
| Entity Type | Reporting Obligation (CARF/CRS) | GDPR / Data Handling Implication |
|---|---|---|
| Licensed CASP (custody + exchange) | CARF: report transaction counterparties; CRS: standard fields where applicable | Must map reporting fields to lawful basis (legal obligation); perform DPIA; adopt minimisation and secure transfer controls |
| Payment provider (PSP with crypto rails) | Possibly CARF if crypto transactions meet thresholds; CRS if tax-residency triggers apply | Need pseudonymisation for analytics; strict access controls; document legal basis for disclosures |
| Pure custody wallet provider | CARF depending on service model; travel-rule obligations may apply | Avoid on-chain personal data; DPA with sub-processors; retention policies for KYC |
Cross-border data transfers crypto firms must manage arise in two primary contexts: sharing data with group entities or processors outside the EEA, and transmitting reportable information to non-EEA tax authorities under CARF.
GDPR Chapter V provides a hierarchy of transfer mechanisms. For Liechtenstein CASPs:
Tax-authority-to-tax-authority exchanges under CARF operate through inter-governmental agreements, not private-sector SCCs. However, the CASP’s own transmission of data to the Liechtenstein Tax Administration is a domestic transfer, no Chapter V mechanism is needed. The likely practical effect is that CASPs should focus their cross-border transfer compliance efforts on processor relationships (cloud providers, analytics vendors, outsourced compliance functions) rather than on the reporting chain itself.
The FMA’s published procedures for CASP authorisation under MiCAR signal that data-protection governance is a licensing criterion, not an afterthought. Meeting FMA privacy requirements demands a documentation pack that demonstrates both design-stage thinking and operational reality.
The following clause can be adapted for inclusion in a Data Processing Addendum between a CASP (controller) and a DLT-infrastructure provider (processor):
“The Processor shall not write, store, or otherwise record any Personal Data (as defined in Regulation (EU) 2016/679) to any distributed ledger, blockchain, or immutable data structure. Where a reference to Personal Data is required on-chain, the Processor shall use only a salted cryptographic hash derived from the Personal Data, which shall be generated using a currently accepted hashing algorithm. The Processor shall maintain the hash-salt mapping exclusively in an encrypted off-chain environment subject to the access-control and deletion provisions of this Agreement.”
The regulatory environment facing Liechtenstein CASPs, VASPs and payment providers in 2026 is demanding but navigable. The key is to treat data protection not as a separate workstream but as an integrated element of licensing, AML compliance and tax reporting. Begin with the eight-step checklist at the top of this guide. Prioritise your DPIA for any on-chain processing or large-scale CARF reporting. Ensure your DPAs cover every processor in the data chain, particularly DLT-infrastructure providers and blockchain-analytics vendors. And build your FMA documentation pack now, before a supervisory review forces reactive work under time pressure.
Data protection crypto Liechtenstein compliance will only intensify as MiCAR passporting expands the volume of cross-border activity, CARF reporting matures, and the FMA refines its supervisory expectations. Firms that embed privacy-by-design into their architecture and governance today will hold a durable competitive and regulatory advantage.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Josef Bergt at Bergt Law, a member of the Global Law Experts network.
posted 17 minutes ago
posted 41 minutes ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
posted 4 hours ago
posted 4 hours ago
posted 5 hours ago
posted 6 hours ago
No results available
Find the right Advisory Expert for your business
Sign up for the latest advisor briefings and news within Global Advisory Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Advisory Experts is dedicated to providing exceptional advisory services to clients around the world. With a vast network of highly skilled and experienced advisors, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message