Andorra: The present and future of Andorran data protection law
While Andorra does currently hold an adequacy decision from the European Commission, and thus in many respects can be considered as having a modern data protection framework in place, reform may nevertheless be on the cards in order to fully align national law with that of the EU. Esther Garcia Garrido, Legal Advisor at Crèdit Andorrà, outlines Andorra's current data protection law before discussing what additions may soon be made.
The current legal framework
Data protection in Andorra is regulated by Qualified Act 15/2003, of 18 December, of Personal Data Protection ('Law 15/2003')1, the Decree approving the Regulation of the Andorran Authority of Data Protection ('the Regulation')2, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'), the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding Supervisory Authorities and Transborder Data Flows, and Convention 108+, signed by Andorra on 28 January 2019 as a result of the need to adapt Convention 108 to the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which may be directly applicable in Andorra by virtue of Article 3, despite its non-membership of the EU.
Furthermore, the right to data protection has been recognised and protected in Andorra since 1993, on the basis of Article 14 of the Constitution of the Principality of Andorra, which specifically recognises and guarantees the right to intimacy, as well as the secrecy of communications, under Article 15.
The Andorran data protection authority ('APDA') publishes guidelines on data privacy3.
Scope of application
Law 15/2003 applies to the processing of personal data by individuals or companies located in Andorra or outside of Andorra but using devices for personal data processing located in Andorran territory. Moreover, Law 15/2003 applies to all personal data that is capable of being processed and for any use thereafter of this data.
APDA is, among other things, obliged to control compliance with data protection regulations and exercise sanctioning powers against possible violations of the law.
- Personal data: Any information concerning identified or identifiable individuals.
- Sensitive data: Any information concerning the political opinions, religious convictions, membership of religious or trade union organisations, health, sex life, or racial origin of individuals.
- Data controller: Natural or legal person, public or private, who decides on the purpose of and devices for data processing.
- Data processor: Natural or legal person, public or private, who processes personal data on behalf of the controller.
- Data subject: Natural person whose personal data is processed.
- Recipient: Natural or legal person, public or private, to whom the data is disclosed.
- Private data file: Personal data file, the data controller of which is a natural or legal person or a public company subject to private law.
- Public data file: Personal data file, the data controller of which is part of the public administration.
- International data transfer: Any access or communication of data by a data processor when the recipient of the communications or the data processors are domiciled outside the Principality of Andorra or use devices for data processing that are also located outside it.
Rules on notification and registration
In accordance with Article 27 of Law 15/2003, natural or legal persons or private companies who are responsible for data processing are obliged to record the personal data files under their control in the public register supervised by APDA.
Moreover, on the basis of Article 28 of Law 15/2003, the scope of the inscription has to include, among other things, the data and domicile of the data controller, the purpose of data processing, the recipients, and the kind of data processing.
That obligation is expected to be changed to follow the GDPR in order to mandate the self-responsibility of data controllers to keep written records of personal data processing, which they should make available to APDA when required.
Rights and responsibilities of controllers/processors
The rights and obligations of data controllers and data processors to obtain and process the data of individuals are regulated on the basis of two principles: (i) quality of data; and (ii) legitimate basis.
In general, data processing by data controllers and data processors is only permitted with the express and unconditional consent of data subjects, with some exceptions which should be interpreted restrictively.
The provision of services between data controllers and data processors should be regulated through a written contract, including liabilities for not processing data according to the data controller's instructions and purposes, duties of confidentiality, obligations of destruction/restitution when data processing is finished, and other liabilities concerning technical and organisational security measures.
Data subject rights
Law 15/2003 recognises the exercise of rights of information, access, rectification, cancellation, and opposition of the data subject under the terms and conditions set out in the Regulation. In addition, in relation to providing consent, data subjects should be able to revoke this without prejudice.
Under Convention 108+, recently signed by Andorra, public administrations and companies which regularly and systematically monitor data subjects on a large scale must designate a data protection officer ('DPO'). This figure could be internal or external to the company, and will be responsible for advising the data controller in all matters concerning the data protection of the company.
Under Convention 108+, data controllers are obliged to notify APDA of security breaches that involve the destruction, loss, or alteration of personal data.
Law 15/2003 provides for a sanctioning system to punish natural or legal persons who violate data protection regulations on the basis of factors such as the seriousness of the violation, the number of individuals affected, the damages caused, and the recurrence. This power to impose sanctions can only be exercised by APDA.
On the basis of Article 35 of Law 15/2003, international data transfers are prohibited when the country receiving the data does not guarantee an adequate level of protection, at least equivalent to the level established in Andorran regulation.
In addition, Andorra has been recognised by the European Commission as a country with an adequate level of protection of personal data under Commission Decision of 19 October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data in Andorra.
In accordance with the prohibition mentioned above, APDA has maintained its concern regarding international data transfers to third countries that do not offer the same level of protection recognised as existing in Andorra through an adequacy decision from the European Commission. APDA has already demanded the provision of additional guarantees, such as Standard Contractual Clauses, Binding Corporate Rules, or additional measures when it considered that sufficient guarantees of protection do not exist, before giving the authorisation to carry out the data transfer.
For this reason, the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18), where the Court of Justice of the European Union reviewed the legality of and invalidated the EU-US Privacy Shield, does not involve a substantial change because APDA will continue controlling the validity of international data transfers from Andorra to third countries.
In order to clarify the doubts about this matter, APDA has been working actively on the publication of a report with questions and answers about the effect of the judgment4.
The future of privacy in Andorra will be marked by an imminent new legal framework as a result of globalisation and the development of new technologies based on European and international standards. The necessity of this regulatory update has led the political groups in the Principality of Andorra to submit a proposal for a new qualified data protection law, which shall be debated and voted on in the coming days at the General Council (Congress).
The object of this reform is the harmonisation of the current legal framework with the GDPR and Convention 108+, and it will affect personal data processing carried out by individuals and data controllers in order to provide more guarantees and legal certainty.
This prevailing need to update Andorran data protection law, which has been evident especially over the last two years since the GDPR entered into force, is not due to the fact that Law 15/2003 itself contains anything that conflicts with the GDPR but rather because there is a need to complete the current law to introduce new definitions for terms such as 'profiling,' 'pseudonymisation,' and 'biometric data,' to address deficiencies in the current law, such as setting the minimum age limit of 16 years for minors to give consent, and to introduce new rights that have arisen as a result of new technologies, such as the right to portability and the right to be forgotten.
Amendments may also be made to Law 15/2003 to conform with the GDPR and Convention 108+ in relation to obligations for specific companies to carry out Data Protection Impact Assessments before personal data processing, the obligation to notify security breaches to the data protection authority and data subjects, and the obligation to appoint a DPO, and its communication to APDA.
Analysing the penalty system, which maintains a maximum amount of €100,000 for very serious infringements provided for in the current law in relation to private files, there is an understandable interest in achieving a balance between the safeguarding of the country's opportunities for openness derived from its strategic and geopolitical position within Europe with the achievement of guarantees of data protection of citizens by establishing reasonable obligations that could obstruct the development of economic and administrative activities.
Esther Garcia Garrido Legal Advisor
Crèdit Andorrà, Andorra
1. Available at: https://www.apda.ad/sites/default/files/2018-10/llei_qualificada_de_proteccio_de_dades_personals_-_en.pdf
2. Only available in Catalan at: https://www.apda.ad/sites/default/files/2018-10/decret_reglament_agencia_andorrana_proteccio_dades_-_ca.pdf
3. Available at: https://www.apda.ad/ca/guies-i-publicacions
4. Only available in Catalan at: https://www.apda.ad/sites/default/files/2020-10/sentencia%20tjue.pdf