Andorra: New Data Protection Act – Key Takeaways

Law 29/2021, of 28 October, of Personal Data Protection ('the Law') was published, on 17 November 2021, in the Official Bulletin of the Principality of Andorra and repealed Qualified Act 15/2003, of 18 December, of Personal Data Protection ('the Qualified Act'). The Law notes that it comes into force within six months of publication in the Official Bulletin of the Principality of Andorra. Notably, the Law highlights that it aims to update and modernise the Andorran data protection framework in line with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This Insight article provides an overview of the Law and its key requirements.


Before the publication of the Law, data protection in Andorra was regulated by the Qualified Act. In addition to the Qualified Act, the Decree approving the Regulation of the Andorran Authority of Data Protection ('the Regulation'), the Convention for the Protection with regard to Automatic Processing of Personal Data ('Convention 108'), the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding Supervisory Authorities and Transborder Data Flows, and Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data ('Convention 108+') also governed the data protection landscape.


Material scope

The Law is applicable to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be included in a file, and to any subsequent use of such data, in both the public and private sectors (Article 2(1) of the Law).

Territorial scope

The Law applies to all processing of personal data carried out by those responsible or in charge of the processing, public or private, domiciled in the Principality of Andorra, or constituted in accordance with the laws of the Principality of Andorra (Article 2(1) of the Law).

The Law is also applicable to data processing carried out by data controllers or data processors not domiciled in the Principality or not constituted in accordance with the laws of the Principality of Andorra, when using automated or non-automated means of processing located in Andorran territory. Such data controllers or data processors must appoint a representative established in the Principality of Andorra near the Andorran Data Protection Agency ('APDA') (Article 2(2) of the Law).

For the above purposes, domicile or establishment is understood, regardless of its legal form, to be any stable location that allows the effective and real exercise of an activity (Article 2(3) of the Law).

Key principles

The Law provides for several principles relating to the processing of personal data, closely aligned to the GDPR, to which data controllers and processors must adhere. In particular, personal data must be (Article 5 of the Law):

  • processed in a lawful, fair, and transparent manner in relation to the person concerned ('lawfulness, fairness and transparency');
  • collected for specific, explicit and legitimate purposes and subsequently not processed in a manner incompatible with these purposes ('limitation of purpose');
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are treated ('data minimisation'); and
  • accurate and, if necessary, kept up to date, with reasonable measures adopted to rectify or delete without delay personal data that is inaccurate with respect to the purposes for which they are processed ('accuracy').

Legal bases of processing

Pursuant to Article 6 of the Law, there are six legal bases for processing personal data, with the processing of personal data being lawful if at least one of the following conditions is met:

  • consent;
  • performance of a contract;
  • legal obligation;
  • vital interests of the person concerned or of another natural person;
  • public interest; and
  • legitimate interests.

Controller and processor obligations

Obligations of controllers

The Law outlines several obligations for the data controller, including:

  • taking appropriate measures to provide the data subject with all the information required under Articles 16 and 17 of the Law and any other applicable rights of the data subject; the controller must do so in a concise, transparent, intelligible, and easily accessible way, with clear and simple language;
  • where data is collected from the data subject, providing the data subject with the following information (Article 16 of the Law):
    • the controller's or the representative's contact details;
    • the purposes of the processing;
    • the legitimate interests of the controller or third party, if relevant;
    • the recipients of the personal data;
    • where applicable, the intention of the controller to make an international transfer of the personal data collected;
    • the retention period;
    • the data subject rights, including the right to withdraw consent and the right to lodge a complaint with the supervisory authority;
    • whether the communication of personal data is a legal or contractual requirement, or a requirement necessary to sign a contract, as well as whether the person concerned is obliged to provide personal data, being informed in this case of the possible consequences of not doing so; and
    • the existence of automated decision-making, including profiling;
  • ensuring the application of the appropriate technical and organisational measures;
  • ensuring Data Protection by Design and by Default; and
  • blocking of personal data when rectifying or deleting them.

Obligations of controllers and processors

The Law creates several obligations for both controllers and processors, which include:

  • keeping a record of personal data processing operations (Article 34 of the Law);
  • implementing appropriate technical and organisational measures to guarantee a level of security appropriate to the risk (Article 35 of the Law);
  • carrying out a Data Protection Impact Assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person (Article 32 of the Law); and
  • designating a data protection officer in certain cases (Article 38 of the Law).

Article 31 of the Law further highlights that the relationship between the controller and the processor regarding the processing of personal data carried out by the processor must be governed by a written contract, and that the processor must provide sufficient guarantees to, among other things:

  • process personal data only following documented instructions from the person in charge;
  • guarantee that the persons authorised to process personal data have undertaken to respect its confidentiality or are subject to an obligation of confidentiality of a statutory nature; and
  • assist the person in charge whenever possible, in accordance with the nature of the processing and through the appropriate technical and organisational measures, so that they can comply with the obligation to respond to data subject requests.

Data subject rights

Data subjects have the following rights under the Law:

  • right of access (Article 18 of the Law);
  • right of rectification (Article 19 of the Law);
  • right to be forgotten (Article 20 of the Law);
  • right to restriction of processing of personal data (Article 22 of the Law);
  • right to data portability (Article 23 of the Law);
  • right to object (Article 24 of the Law); and
  • right not to be subject to a decision based on automated data processing (Article 25 of the Law).

Furthermore, Article 21 of the Law provides for the guarantee of digital rights and notes that the protection of the personal data of all natural persons, regardless of their nationality or residence, with regard to the processing and use of data, fully preserving the privacy and safeguarding the rights, is fully applicable to the internet.

Article 21 of the Law further notes that every user has the right to internet neutrality and to access the internet regardless of their personal, social, economic, or geographical status.

Under Article 21(3) of the Law, universal, affordable, quality, and non-discriminatory access must be guaranteed for the entire population, paying particular attention to:

  • internet access for men and women who must seek to overcome the gender gap in both the personal and professional spheres;
  • internet access that must seek to overcome the generational gap, through actions aimed at training and access to the elderly; and
  • internet access that must be guaranteed on equal terms for people with special needs.

Users have the right to the security of the communications they transmit and receive over the internet (Article 21(4) of the Law).

Internet service providers must provide a transparent offer of services without any discrimination on technical or economic grounds, and inform users of their rights (Article 21(5) of the Law).

Notification of personal data breaches

A data controller is required to notify the Andorran Data Protection Agency ('ADPA') in the event of a breach within a maximum period of 72 hours from becoming aware of the breach, unless the breach is unlikely to pose a risk to the rights and freedoms of individuals. If the notification does not take place within 72 hours, the reasons for the delay must be justified.

In addition, where a processor has suffered a data breach, it must notify the data controller of the breach without delay.

The Law also contains provisions regarding notification of personal data breaches to data subjects and requires data controllers to notify data subjects of a data breach where such a breach may involve a high risk to the rights and freedoms of natural persons. In such circumstances, the controller must communicate the breach to the data subject without undue delay.

Data transfers

Chapter V of the Law governs transfers of personal data to third countries or international organisations.

International data transfers may not be made when the country or international organisation of destination of the data does not establish, in its current regulations, a level of protection for personal data at least equivalent to that established under the Law. Additionally, for transfers of personal data to a third country or an international organisation, it must be ensured that the level of protection of natural persons established by the Law is not diminished.

Article 43 of the Law concerns transfers of data to EU Member States, jurisdictions with adequacy decisions, and members of Convention 108+. It notes that the transfer of personal data to a third country or to an international organisation may take place where a specific territory or one or more sectors of that third country or of the international organisation in question guarantee an adequate level of protection, and that it is understood that the Member States of the European Union have an adequate level of protection.

Article 44 of the Law governs transfers through appropriate guarantees and notes that if an adequate level of protection is not determined by publication in the Official Journal of the European Union, or by effective submission to the provisions of Convention 108+ of the Council of Europe, the controller or processor may only transfer personal data to a third country or to an international organisation if there are adequate guarantees and if the data subjects have enforceable rights and effective legal action.

In particular, proof of the appropriate guarantees may be provided by adopting:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • Binding Corporate Rules ('BCRs');
  • Standard Contractual Clauses ('SCCs') adopted by the European Commission or the ADPA;
  • a code of conduct, together with binding and enforceable commitments by the controller or data controller in the third country to apply the appropriate safeguards, including those relating to the rights of the persons concerned; and
  • an approved certification mechanism, together with binding and enforceable commitments of the controller or controller in the third country to apply the appropriate guarantees, including those relating to the rights of the persons concerned.


Article 67 of the Law stipulates the corrective powers of the ADPA which include sanctions, such as warnings and reprimands, orders suspending processing, as well as the imposition of administrative fines.

Article 68 of the Law, on the general conditions for imposing administrative fines, contains a number of circumstances that the ADPA must take into account when considering the imposition of a fine.

Article 72 of the Law concerns offences and categorises violations of the Law as 'very serious', 'serious', and 'minor'.

Article 73 outlines that:

  • violations considered very serious are to be sanctioned with a fine ranging from €30,001 to €100,000;
  • violations considered serious are to be sanctioned with a fine ranging from €15,001 to €30,000; and
  • violations considered minor are to be sanctioned with a fine ranging from €500 to €15,000.

Alahi Fozlay Privacy Analyst