FMA Privacy Policy

I. General information

The protection of personal data and the appropriate processing of such data is a central concern of the Financial Market Authority Liechtenstein (FMA).

All personal data processed by the FMA are processed exclusively on the basis of legal requirements – General Data Protection Regulation (GDPR), national data protection legislation and national special legislation. The FMA takes all necessary organisational, contractual and technical measures to protect the personal data being processed.

The core elements of data processing by the FMA and the rights of data subjects are described below (Articles 13 and 14 GDPR). The mutual declaration covers all personal data processed by the FMA.

For reasons of legibility, only masculine pronouns are used; however, these are understood to apply equally to men and women.

1. Name and contact details of the controller 

The controller within the meaning of the GDPR and national data protection legislation is:

Financial Market Authority Liechtenstein
Represented by the Chair of the Executive Board: Mario Gassner
Landstrasse 109
P.O. Box 279
9490 Vaduz
Principality of Liechtenstein

Telephone: +423 236 73 73

2. Contact details of the data protection officer

For any questions in connection with the processing of personal data by the FMA, please contact the FMA data protection officer directly.

Contact details of the FMA data protection officer:

Financial Market Authority Liechtenstein 
Private/confidential: FAO the data protection officer
Landstrasse 109
P.O. Box 279
9490 Vaduz
Principality of Liechtenstein

datenschutz@fma-li.li

3. Purpose of processing

The FMA processes personal data

  • in order to fulfil its legal mandate – namely to guarantee the stability of the Liechtenstein financial market, protect consumers, prevent market abuse and implement and comply with recognised international standards (Articles 4 and 5 of the Liechtenstein Financial Market Supervision Act (Finanzmarktaufsichtsgesetz, FMAG; hereinafter referred to as the “FMA Act”) in conjunction with the respective special legislation);
  • based on the granting of corresponding consent (Article 6(1)(a) GDPR); and 
  • to comply with contractual obligations (Article 6(1)(b) GDPR).

Processing for other purposes

Personal data are processed exclusively for the purposes for which they were collected. In the event of a planned further processing for other purposes, the FMA proceeds in accordance with Article 13(3) GDPR and informs the persons concerned accordingly.

4. What personal data are processed?

The FMA processes personal data collected directly (e.g. from the applicant himself within the context of licence applications) and data not directly collected from the data subject (e.g. data transmitted within the context of administrative assistance or data from persons only indirectly affected by an application, such as persons actually managing a business or special functions subject to reporting requirements).

Personal data processed by the FMA includes the following in particular: 

  • Data about the person (first name, last name, date of birth, nationality)
  • Address and contact details (business and private, as applicable)
  • Data related to professional activity (e.g. management/special functions)
  • Curriculum vitae and certificate data in the form of documents certifying education and documents certifying practical experience
  • Data on financial integrity in the form of certificates regarding bankruptcy and distraint, and personal declarations concerning freedom from bankruptcy and distraint
  • Data relating to transactions with financial instruments subject to reporting requirements within the meaning of European financial market regulations, for example Regulation on Markets in Financial Instruments (MiFIR) and European Market Infrastructure Regulation (EMIR) reporting data
  • The right to one’s own image in the form of video surveillance in the publicly accessible areas of the FMA (access control)
  • Visitor documentation (access control)

Special categories of personal data (Article 10 GDPR)

The FMA also processes special categories of personal data in the field of licensing and supervision (fit and proper assessments) in accordance with the legal requirements. This relates solely to such data concerning

  • criminal convictions and offences (excerpts from the criminal register, personal declarations of a clear record regarding criminal convictions and administrative penalties and personal declarations concerning disciplinary integrity).

Other data in special categories of personal data (Article 9 GDPR)

Where a data subject has voluntarily disclosed personal data in special categories to the FMA (e.g. information about political orientation within the framework of a submitted curriculum vitae), he may request the deletion of such data by the FMA at any time. 

Minors

Persons under the age of 18 should not transmit any personal data to the FMA without the consent of their parents or legal guardians. The FMA does not request personal data from children or adolescents. It does not knowingly collect such data or forward it to third parties.

Further details on the personal data processed by the FMA can be found in section “II. Specific processing of personal data”.

5. Recipients of personal data

In principle, only employees of the FMA have access to processed personal data within the scope of the performance of their duties. All employees of the FMA are subject to the duty of confidentiality pursuant to Article 23 of the Law on the Control and Oversight of Public Enterprises (Gesetz über die Steuerung und Überwachung öffentlicher Unternehmen, ÖUSG; hereinafter referred to as the “COPE Act”).

A corresponding fit and proper assessment inquiry is carried out across all departments when a licence application or request for admission to an examination is submitted. 

Service providers (such as auditors and IT service providers) also have limited access to the personal data required in order to fulfil their contractual obligations towards the FMA, while observing the duty of confidentiality.

6. Transfer of data to third countries

Transfer of personal data to a third country is only provided for in special cases (in particular in the context of administrative assistance).

Details can be found in section “II. Specific processing of personal data”.

7. Technical and organisational measures (Article 32 GDPR)

The FMA is fundamentally integrated within the IT infrastructure of the Liechtenstein government. Both the FMA and the responsible Office of Information Technology use suitable technical and organisational measures to protect personal data from accidental or intentional manipulation, loss and destruction, and against unauthorised access by third parties. 

In doing so, the Office of Information Technology observes the ISO/IEC 27000 family of standards. Moreover, penetration tests are regularly carried out using standardised procedures with external specialists to verify the security of the infrastructure and applications used.

All the measures taken correspond to the current state of technology and are to be considered sufficient in relation to the risk of improper handling of data. The security precautions are continuously monitored and optimised in line with technical developments.

8. Storage time

According to Article 33 of the FMA Act, the general retention period of the FMA is at least 10 years. 

In the case of continuing obligations, this period starts from the end of the calendar year in which the legal relationship ended, and in all other cases from the end of the calendar year in which the FMA last acted in the matter concerned.

The FMA visitor list is kept for one year for the purpose of access control, and to provide the related documentary evidence if required, before then being deleted.

Video surveillance data are automatically deleted from the system after seven days. Only in substantiated individual cases may a longer retention period be decided by the Chair of the Executive Board.

9. The rights of data subjects

Data subjects are generally entitled to the following rights:

  • Right of access (Article 15 GDPR) 
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)

If the FMA does not process any personal data concerning an individual, that person still has a right of access; the FMA will then answer the request with a negative confirmation.

Moreover, the FMA will notify the data subjects in the event of a breach of the protection of their personal data (Article 34 GDPR), provided the breach is likely to result in a high risk to the personal rights and freedoms of the data subject.

Right to lodge a complaint

Data subjects also have the right to lodge a complaint with the competent data protection authority, should they believe that the processing of personal data by the FMA is in conflict with applicable data protection law.

Contact details of the Data Protection Office:

Städtle 38
P.O. Box 684
9490 Vaduz
Principality of Liechtenstein
Telephone: +423 236 60 90
E-mail: info.dss@llv.li 

10. Automated decisions

No automated decision-making process is used. All processes used by the FMA (e.g. e-Service) always require the involvement of staff.

 

II. Specific processing of personal data

Below, in addition to the general section, the FMA provides information on specific data processing procedures. In the absence of separate statements below, the above general explanations apply.

1. Supervision, licensing, maintenance of registers and admissions to examinations

Supervision, issuing licences and maintaining registers

The FMA is entrusted with the supervision of financial market participants from the following areas: 

  • Banking
  • Insurance and pension funds
  • Securities and markets
  • Other financial intermediaries

The FMA is also responsible for issuing licences. Together with the licensing department, it maintains publicly accessible registers and lists of changes on its website concerning licensed financial intermediaries as required by law. These registers contain the following personal data:

  • Data about the person (first name, last name, title)
  • Address details (business)
  • Details of the employer 
  • Type of licence granted or expired

Admission to examinations 

The FMA is also responsible for admissions to examinations in accordance with the Professional Trustees Act, the Patent Lawyers Act and the Auditors and Auditing Companies Act.

For the purpose of submitting an examination application, the FMA therefore processes the necessary personal data, which are transmitted by the applicant to the FMA (regarding this, see section 4 of the general part) and the responsible examination board. 

The FMA must make the required data available to the responsible examination board for the purpose of conducting the examination. The data are not passed on to other third parties, nor is there any intention to transmit the data to a third country.

Inquiries 

When replying to inquiries, the FMA processes the personal data transmitted for this purpose and required for the reply. 

Visitors

When supervising visits to the FMA, the FMA processes the name and contact details required for this purpose. Moreover, the publicly accessible areas of the FMA are monitored by video surveillance for access control purposes. 

2. National and international cooperation 

Internal cooperation within government authorities

In order to fulfil the legal supervisory mandate, relevant personal data available within the FMA (including special categories of personal data relating to criminal convictions and offences) may be shared across the departments if necessary. This applies in particular to cases of relevant preliminary investigations and clarifications, for example based on MiFIR/EMIR notifications, and to fit and proper assessment inquiries for licensing applications or ongoing supervision.

National and international cooperation with government authorities

The FMA is also obliged, under the relevant special legislation, to share personal data, including special categories of personal data on criminal convictions and offences, with the competent national authorities (in particular the courts, public prosecutors and the Financial Intelligence Unit) and international authorities (foreign financial market supervisory authorities and the European Banking Authority, European Securities and Markets Authority and European Insurance and Occupational Pensions Authority). 

The transfer of personal data to another government authority is solely for the purpose of processing a specific request for administrative assistance, or to fulfil a specific reporting obligation (e.g. reports to the European supervisory authorities regarding imposed sanctions or reports to foreign financial market supervisory authorities in the area of transaction data pursuant to Article 26 MiFIR). 

This exchange of data is governed by special provisions of the law and the data may only be used by the recipient for the underlying purpose of the transfer. 

In the context of international cooperation, therefore, personal data may also be transferred to third countries. The provisions of Article 44 et seqq. GDPR must always be observed here. 

In some areas, the FMA uses secure IT systems of the European supervisory authorities (e.g. eGate) for the transfer of data which are specially provided for this purpose. 

Internal Market Information System – IMI

Personal data may be exchanged with authorities of other EEA Contracting States via a secure Internet application, within the framework of the controls provided by the IMI. 

In this case, Directives 2006/123/EC and 2005/36/EC, Regulation (EU) 1024/2012 of the European Parliament and of the Council and Commission Decision 2009/739/EC will apply.

3. Publications by the FMA

Publication of decisions

The FMA is obliged to publish legally binding decisions against financial intermediaries on its website in certain areas. Decisions are only published in cases where this is expressly prescribed by a special legal provision. 

Only the mandatory information required by law will be published. Such publications also contain personal data, including the naming of the individuals concerned. 

The publication is to be made publicly available and therefore accessible to everyone online. It must be kept available on the FMA’s website for at least five years, subject to other specific legal regulations. After expiry of the specified legal period, the publication will be deleted. 

In connection with the publication, the data subject has the right to rectification, the right to restriction of processing, and the right to erasure after expiry of the statutory publication period. 

Publication of warnings

For the purpose of customer protection and to prevent abuse in accordance with Article 4 of the FMA Act, the FMA publishes warnings on its website when necessary – also concerning unauthorised persons. These warnings also contain personal data in the form of specific names and addresses.

The warnings are only accessible on the website during the relevant period and are deleted once their purpose has been achieved.

4. Notification of violations of the law and complaints

The FMA maintains a whistle-blowing system based on Articles 4 and 5 of the FMA Act in conjunction with the relevant special legislation. This whistle-blowing system can be used to report actual or possible violations of laws to the FMA within the area of responsibility of the FMA.

Furthermore, general complaints in connection with the particular activity may be submitted to the FMA through licensed financial intermediaries. 

The following personal data are usually processed when using the whistle-blowing system and when submitting complaints:

  • Data about the person charged in the report or complaint, such as first name and last name (personal data required to process the report or complaint)

On a voluntary basis (notifications and complaints can also be made anonymously), the following personal data may also be considered:

  • Data concerning the person submitting the notification or complaint
  • Address and contact details of the person charged in the notification or complaint

Only the FMA staff who are responsible for processing the notifications and complaints received, and staff responsible for their further processing in the respective departments, have access to the reported data.

Notifications which suggest the facts of the case fall under criminal law are forwarded to the Office of the Public Prosecutor in Liechtenstein. 

Notifications that do not fall within the area of responsibility of the FMA are forwarded to the competent authority.

5. e-Service 

The e-Service system of the FMA allows electronic communication with the FMA, including electronic transfer of the required reporting data to the FMA, pursuant to Article 4(2), Article 5(2) and Article 6 of the eGovernment Act. Further information regarding e-Service can be found here.

When using the e-Service, the following personal data needed for its proper use are processed:

  • Personal Identification Number (PEID) from lilog or lisign
  • First name and last name
  • Role (super user, other user)
  • Sex (voluntary information for salutation)
  • Main employer
  • Financial intermediary
  • Notification of special functions (e.g. due diligence investigator)
  • E-mail address (business)
  • Telephone number (business)

The FMA processes personal data only in order to perform its task of supervision within the framework of Article 5 of the FMA Act. No evaluation or publication of the data takes place. Furthermore, the FMA does not disclose personal data to third parties, except where it is legally obliged to do so.

When a user accesses the e-Service platform of the FMA, the FMA stores the date, time, IP address, client version and other technical log data of the user action. The FMA uses these records exclusively for error analysis or, in the event of misuse, for criminal prosecution. If necessary, specialist companies may be consulted for technical support in this regard.

The log information is automatically deleted after one year.

6. FMA newsletter

The FMA offers a newsletter service for persons who are interested.

During registration, the following personal data are requested:

  • E-mail address (personal datum needed to send the newsletter)
  • First name and last name (voluntary information for salutation)
  • Sex (voluntary information for salutation)

Registration has to be confirmed by clicking on a hyperlink which is immediately sent to the specified e-mail address. This confirmation must be received within seven days.

By confirming registration via the hyperlink, the necessary consent is given within the meaning of Article 6(1)(a) GDPR to process personal data for the purpose of sending the newsletter. The newsletter will only be sent after the individual’s consent is received.

The FMA newsletters do not contain any visible or hidden counters, third-party advertising or links to external sites that are not directly related to the content of our newsletters. The transferred data is only used for sending out the newsletter. No further processing takes place. 

Only FMA staff, employees of the Office of Information Technology and commissioned IT service providers (processors) are given access to the processed personal data within the context of order fulfilment. The processors fulfil the requirements of the GDPR. 

There is no intention to transfer personal data to a third country.

The processed data will be deleted in accordance with Article 17 GDPR. If the data subject cancels the subscription to the newsletter, the e-mail address and all related personal data which had been transferred will be deleted immediately.

Right to object (Article 21 GDPR)

The newsletter subscription can be cancelled at any time. The unsubscribe option is attached to each newsletter via a link.

7. FMA Career Travel Blog

The FMA operates the website www.reiseblog.fma-li.li. Posts, in particular posts regarding employees, are published on the website on the basis of consent granted (Article 6(1)(a) GDPR). Posts are taken down when employees withdraw their consent or within six months after they leave the FMA.

8. Public events

The FMA provides information on its activities, for example at public events. While organising such events, the FMA processes personal data in the form of

  • first names and last names; 
  • contact details of the person applying; and
  • if necessary, information about the employer or similar.

The personal data transmitted by the person applying are used exclusively for the purpose of carrying out the specific event (e.g. also to provide a confirmation of participation).

Only the responsible FMA staff have access to the data. There is no intention to transmit the data to a third country in these cases.

9. Public online events and online meetings

The FMA might use the application Zoom for online meetings, video conferences and/or webinars. Zoom is a service of Zoom Video Communications, Inc. based in the USA. Personal data is therefore also processed in a third country.

Different types of data are processed when using Zoom. The volume of data depends on the information provided before or during the online meeting.

The following personal data are processed:

  • User information: first name, last name, phone number (optional), e-mail address, password (if not using “single sign on”), profile picture (optional), department/division (optional);
  • Meeting metadata: topic, description (optional), participant IP addresses, device/hardware information.

In case of recordings (optional):

  • MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.

Joining an online meeting by phone:

  • Information about the incoming and outgoing phone number, country code, start and ending time. If necessary, further connection details like the IP address of the device can be saved.

Text, audio and video data (optional): In an online meeting it might be possible to use the chat, ask questions or use the survey functions. In this respect, the text inputs are processed in order to display them during the online meeting and to log them if necessary. In order to enable the display of video and the replay of audio, data from the microphone of the respective device as well as from a video camera of the device are processed for the duration of the meeting. The camera or microphone can be switched off or muted at any time using the Zoom applications.

If the online meeting is to be recorded, this will be transparently communicated in advance and if necessary permission will be obtained. The fact of the recording is also displayed in Zoom. In the case of webinars, the questions asked by webinar participants can also be processed for webinar recording and follow-up purposes.

10. Online surveys

The FMA might use the application LimeSurvey to conduct online surveys. LimeSurvey is an online survey application based in Germany.

Different types of data are processed when using LimeSurvey. When accessing the website, information is automatically sent to the website’s server. This information is temporarily stored in a ‘log file’. In no case will the collected data be used for the purpose of drawing conclusions about the person. The following information is collected and stored until it is automatically deleted:

  • anonymised (= truncated) IP address of the accessing machine;
  • date and time of access;
  • name and URL of the file retrieved;
  • size of transferred data;
  • whether or not the download was successful;
  • website from which access is made (referrer URL); and
  • browser used and, if applicable, the machine’s operating system and the name of the access provider.

The specified data is processed by us for the following purposes:

  • to ensure that a smooth connection is established with the website;
  • to guarantee the convenient use of our website;
  • to evaluate system security and stability; and
  • for other administrative purposes.

Personal data provided to LimeSurvey through a contact request (via website, e-mail, phone, fax or in person), newsletter subscription or direct business relationship is processed and maintained using a customer relationship system (ZOHO CORPORATION B. V.). More information about LimeSurvey is available here.

After concluding the survey, the FMA deletes the corresponding data on LimeSurvey and then processes it exclusively within the FMA network. The general retention periods apply to retention and deletion.

11. Job application procedure

The FMA, in its capacity as an employer, processes personal data during the job application process – including job interviews and the assessment centre. For the administrative processing of the application procedure, the FMA uses the e-recruiting system of Ostendis AG, based in Switzerland. Further information on Ostendis AG can be found here. Only the personal data required for the application are processed, in order to check whether they match the requirements profile. This usually involves the following data:

  • Curriculum vitae data:
    • First names and last names
    • Address and contact data (private and business, as applicable)
    • Personal data in the job application cover letter
    • Report data in the form of education certificates and work references
    • Contact details of references provided by the applicant (for shortlisting candidates only)
    • Assessment centre reports
    • Data on financial integrity in the form of extracts from the debt collection register (only required in the context of employment)
    • if needed, background checks of publicly available data (e.g. Google search without documentation); and
    • if needed, judgements about the applicant (job application presentation) provided by the staff office

Different types of data are processed when using the e-recruiting system. When accessing the website, information is automatically sent to the website’s server. This information is temporarily stored in a ‘log file’. The collected data will in no case be used for the purpose of drawing conclusions about the person. The following information is collected and stored until it is automatically deleted:

  • IP address (not anonymised);
  • date and time of the access;
  • with regard to downloads, the name of the downloaded file; and
  • with regard to uploads, the name of the file and size (implicitly whether the upload was successful).

The specified data is processed for the following purposes:

  • to ensure that a smooth connection is established with the website;
  • to guarantee the convenient use of our website;
  • to evaluate system security and stability; and
  • for other administrative purposes.

Additionally, in the event of a job offer being made, the FMA also has to process special categories of personal data in order to evaluate the trustworthiness of the potential employee. This relates solely to such data concerning

  • criminal convictions and offences, in the form of an extract from the criminal record.

Only FMA employees (HR and divisions) and Ostendis AG who are responsible for the job application process are given access to the data transferred. Access rights are restricted to the minimum necessary to fulfil the defined scope of duties. The employees are trained in the handling of personal data and instructed on the requirements of confidentiality. There is no intention to transfer the data to third countries.

Internal forwarding of the data to a department of the FMA other than the one addressed in the job application, for the purpose of possibly filling a position other than the one advertised, will only take place after consulting with, and obtaining the express consent of, the applicant.

The job application documents, in both electronic and physical form, will be deleted in the event of non-employment immediately upon completion of the application process, at the latest six months after completion of the application process. If further physical documents (certificates) are submitted, they will be returned to the applicant. When an employee is hired, the relevant data is transferred to the personnel file.

Data will only be stored for a maximum of one year after the application process is completed if expressly requested and with the applicant’s written consent (“pool of applicants”).

12. Former employees

The FMA offers a special newsletter service for former employees which keeps them updated regarding future FMA events, new job advertisements etc. The distribution of this newsletter is based on the explicit consent of the former employee, which can be revoked by e-mail to hr@fma-li.li at any time without giving any reasons. The distribution of the newsletter will be discontinued and the e-mail address concerned will be deleted immediately after withdrawal.

13. FMA procurement, contracts for audit, work and labour, and for experts

Within the framework of its contractual relationships with service providers, suppliers, auditors and experts, the FMA only processes the personal data required to fulfil the purpose of the respective contract. This involves the following data in particular:

  • Data about the person (first name and last name) of the contracting partner and any employees of the contracting partner who are involved
  • Address and contact details (business)
  • Bank account details (where needed to fulfil the contract)

14. Short Internship

The FMA processes exclusively the following personal data from interns without a formal contract in order to carry out the internship:

  • Data about the person (first name and last name);
  • Address details.