This May, Law 29/2021, of October 28, the qualified law on the protection of personal data, came into force, more than six months having now passed since its publication in the Official Gazette of the Principality of Andorra.

The objective of this regulation is to harmonize the internal regulations of the Principality of Andorra with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and to repeal the previous Law 15/2003, of December 19, the qualified law on data protection.

This regulation, which is already applicable, must be interpreted in accordance with the guide on the use of cookies, privacy policy and legal notice duly prepared by the Andorran Data Protection Agency (APDA).

The main novelties of this new regulation are the following:

1- The principle of proactive responsibility, or accountability, is introduced. Among other things, it requires the controller to apply appropriate technical and organizational measures in order to guarantee, and be able to demonstrate, that processing complies with the regulations, taking into consideration the state of the art, the cost of application, the nature, scope, context and purposes of the processing, and the risks of varying probability and severity for the rights and freedoms of natural persons. Hence “express” consent, understood as a free, specific, informed and unequivocal expression of will, and the elimination of the obligation to register personal data files in the public registry of the APDA.

2- The scope of application of the law is extended: the regulations apply not only to companies domiciled in the Principality of Andorra and/or incorporated in accordance with the laws of the Principality of Andorra, but also to those public and private entities that carry out personal data processing within Andorran territory.

3- Both automated and non-automated data processing are covered, and rules are included on the exercise of personal data protection rights relating to deceased persons and the applicable conditions.

4- The catalog of rights for data subjects is expanded (right to be forgotten, guarantee of digital rights, limitation of data processing, right to portability and right not to be the subject of automated individual decisions or profiling), and it is established that the processing of personal data of a minor will only be considered valid if he or she is at least 16 years old.

5- The minimum content of the records of processing activities (RAT) and of the contracts to be formalized between controllers and processors is regulated.

6- The obligation to carry out a data protection impact assessment (EIPD) is introduced when a high risk is detected in a given processing operation.

7- The figure of the data protection officer (DPD) is incorporated. The officer may be a member of staff or perform the functions under a service contract, and the appointment may be voluntary or mandatory depending on certain situations and circumstances.

8- The obligation to notify certain breaches and/or security violations to the APDA within a maximum period of 72 hours is established.

9- The functions and powers of the control authority of the Principality of Andorra (APDA) are determined, including, among others, that of promoting the preparation of codes of conduct by entities.

10- Infractions are classified according to their seriousness: very serious infractions are sanctioned with an amount between 30,001 euros and 100,000 euros; serious infractions are sanctioned with an amount between 15,001 euros and 30,000 euros; and minor infractions are sanctioned with an amount between 500 euros and 15,000 euros. Economic administrative sanctions may range from 500 euros to 100,000 euros; by contrast, the RGPD provides for significantly higher fines of up to 20,000,000 euros or up to 4% of the total annual global turnover of the previous financial year.

Here are two links on this matter:

  • Andorran Data Protection Law

  • Andorran Data Protection Guide

If you need more information in this regard, do not hesitate to contact us or, if you prefer, send us your query through our form by clicking here.