Support Centre

Andorra

Summary

Law: Law 29/2021, of 28 October, of Personal Data Protection (only available in Catalan here) ('the Law')

Regulator: Andorran data protection authority ('APDA')

Summary: Andorra is the 16th smallest country in the world and while it is located between France and Spain and has close ties with the European Union, it is not a member. Accordingly, the Qualified Act 15/2003, of 18 December, of Personal Data Protection was adopted in 2004 and has since been replaced with the Law which aims to update the requirements relating to the processing of personal data. The Law outlines a number of data protection principles and data subject rights akin to those found within the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Notably, the Law will come into effect in six months.

In addition, Andorra has ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108') and all related texts. Furthermore, in 2010 Andorra obtained an adequacy decision from the EU, which enables the free flow of data between Andorra and EU Member States. Regarding enforcement, whilst the APDA predominantly has an advisory function and issues guidance, for example, on good practices when processing personal data in the workplace, it does also have the authority to initiate and conduct disciplinary proceedings.

Insights

The Government of Andorra published, on 5 October 2022, Decree 391/2022, of 28 September 2022, approving the Regulations for the application of Law 29/2021, of 28 October, of Personal Data Protection. In particular, the Regulations provide that Decree 391 will replace Decree 367/2022, of 14 September 2022, as several errors were noted, and ensure compliance with the constitutional principle of legal certainty, promote regulatory clarity, and facilitate the rule of law. OneTrust DataGuidance provide an overview of the Regulations and key provisions.

Law 29/2021, of 28 October, of Personal Data Protection ('the Law') was published, on 17 November 2021, in the Official Bulletin of the Principality of Andorra and repealed Qualified Act 15/2003, of 18 December, of Personal Data Protection ('the Qualified Act'). The Law notes that it comes into force within six months of publication in the Official Bulletin of the Principality of Andorra. Notably, the Law highlights that it aims to update and modernise the Andorran data protection frame in line with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This Insight article provides an overview of the Law and its key requirements.

Feedback