On October 27, 2023, the Supervisory Authority of Liechtenstein (DSS) published guidelines on using chatbots in compliance with data protection requirements. In particular, the DSS stated that operators must have a legal basis before processing personal data using chatbots, such as consent from the user, or contract fulfillment, if, for example, goods or services are ordered via a chatbot. However, the DSS explained that even with a legal basis, the principle of purpose limitation applies, and data processing must be limited to the purpose that users can reasonably expect when using a chatbot. 

In addition, the DSS recommended that to fulfill information obligations under Articles 13 and 14 of the General Data Protection Regulation (GDPR), chatbots should link to relevant data protection information to inform users about all processes involving their personal data, including among other things, processing purposes, legal bases, storage periods, data recipients, and controller identity.

According to the DSS, the inability to technically prevent users from transmitting personal and sensitive information to chatbot systems raises concerns about compliance with basic data protection principles, posing considerable risks to individuals' rights and freedoms.

You can read the guidelines, only available in German, here.