Law: Law 29/2021, of 28 October, of Personal Data Protection (only available in Catalan here) ('the Law')
Regulator: Andorran data protection authority ('APDA')
Summary: Andorra is the 16th smallest country in the world and while it is located between France and Spain and has close ties with the European Union, it is not a member. Accordingly, the Qualified Act 15/2003, of 18 December, of Personal Data Protection was adopted in 2004 and has since been replaced with the Law which aims to update the requirements relating to the processing of personal data. The Law outlines a number of data protection principles and data subject rights akin to those found within the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Notably, the Law will come into effect in six months.
In addition, Andorra has ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108') and all related texts. Furthermore, in 2010 Andorra obtained an adequacy decision from the EU, which enables the free flow of data between Andorra and EU Member States. Regarding enforcement, whilst the APDA predominantly has an advisory function and issues guidance, for example, on good practices when processing personal data in the workplace, it does also have the authority to initiate and conduct disciplinary proceedings.