New Data Protection and Personal Privacy Law in Andorra

Andorra Law 29/2021, of 28 October is a data protection and personal privacy law that was recently passed in October of 2021. As the country of Andorra is not a part of the larger European Union, the collection and processing of personal data within the country do not fall under the jurisdiction of the General Data Protection Regulation or GDPR. As such Andorra Law 29/2021, of 28 October establishes the legal framework for the collection and processing of personal data within the country. Moreover, the purpose of the law is “to update the regulations relating to the processing carried out by both individuals or private entities and the Andorran Public Administration on the data corresponding to natural persons in accordance with the new European regulations contained in the General Protection Regulations.”

How are data controllers and processors defined under Andorra Law 29/2021, of 28 October?

Under Andorra Law 29/2021, of 28 October, a data controller is defined as a “natural or legal person, competent authority, public authority, service or any other body that, alone or together with others, determines the purposes and means of the processing of personal data, and ensures for its correct compliance with the data protection rules that apply to the purposes of the processing.” Alternatively, a data processor is defined as a “natural or legal person, competent authority, public, where applicable, service or any other body that processes personal data on behalf of the controller”, while personal data is defined as “any structured set of personal data accessible according to certain criteria, whether centralized, decentralized or functionally or geographically distributed, whatever its form or mode of creation, storage, organization, and access.”

What are the requirements of data controllers and processors under Andorra Law 29/2021, of 28 October?

Under Andorra Law 29/2021, of 28 October, data controllers and processors within the country have the following responsibilities and obligations as it pertains to the collection and processing of personal data:

• The processing of data must be provided for the legitimate purpose pursued with the achievement, at each stage of the processing, of a fair balance between the various interests at stake, whether public or private, which reconciles the rights and freedoms affected.
• Personal data must be treated in a lawful, fair, and transparent manner with respect to the data subject concerned.
• Personal data must be relevant, adequate, and limited to what is necessary in regards to the purposes for which it is treated.
• Personal data must be accurate and updated where necessary, and data controllers and processors must adopt reasonable measures to ensure that any incorrect or inaccurate personal data is erased or rectified, without undue delay.
• Personal data must be obtained directly from applicable data subjects prior to being processed.
• Personal data must be held in such a way as “to identify the persons concerned for a period not exceeding that necessary for the purposes of the processing of personal data.”
• Personal data must be treated in such a way as “to ensure adequate security, including protection against unauthorized or unlawful treatment and against accidental loss, destruction or damage, through the application of appropriate technical and organizational measures.”

What are the rights of data subjects under Andorra Law 29/2021, of 28 October?

Under Andorra Law 29/2021, of 28 October, data subjects within the country are given the following data protection rights:

• The right to be informed.
• The right access.
• The right to object or opt-out.
• The right to rectification.
• The right to erasure.
• The right to net neutrality.
• The right to limitation of treatment.
• The right to data portability.
• The right not to be subject to automated data processing decisions.
• The right to file a complaint.

In terms of the enforcement of the law, Andorra Law 29/2021, of 28 October is enforced through the Andorran Data Protection Agency. To this point, the Andorran Data Protection Agency can impose monetary and administrative sanctions against data controllers and processors who fail to comply with the provisions of the law, as well as the following actions:

• Order the person in charge of the processing of personal data, and, where applicable, the representative of the person in charge of the person in charge of the processing, to provide any information necessary to fulfill their functions.
• Carry out investigations in the form of data protection audits; where appropriate with experts appointed ad hoc in a motivated manner.
• Obtain access to all personal data and all the information necessary for the exercise of their functions by the controller or the controller.
• Obtain access to all premises of the controller and the data controller, including any data processing equipment and means.

As Andorra was the twenty-fifth country to ratify the Council of Europe Convention 108+ for the Protection of the Data of Individuals with regard to the Processing of Personal Data or Convention 108 for short, promoting data protection and personal privacy are clearly a top priority within the country. Despite the fact that Andorra does not fall under the jurisdiction of the EU’s GDPR law, the provisions of Andorra Law 29/2021, of 28 October provide data subjects within Andorra with a similar level of protection, as the law grants extensive rights to citizens and mandates that strict requirements are followed in relation to the collection and processing of personal data.