Andorra: Unpacking the Regulations for the personal data protection law

The Government of Andorra published, on 5 October 2022, Decree 391/2022, of 28 September 2022, approving the Regulations for the application of Law 29/2021, of 28 October, of Personal Data Protection. In particular, the Regulations provide that Decree 391 replaces Decree 367/2022, of 14 September 2022, in which several errors had been noted, in order to ensure compliance with the constitutional principle of legal certainty, promote regulatory clarity, and facilitate the rule of law. OneTrust DataGuidance provides an overview of the Regulations and their key provisions.

In order to provide legal certainty, Decree 391/2022 approves the Regulations for the application of the Law. Their main purpose is to establish a regime adapted to the needs and peculiarities of Andorra and of those responsible for the processing of data, and to specify the procedures and obligations that derive from the precepts of the Law. The Regulations integrate all the regulatory provisions necessary under the Law, and clarify and adapt their application in practice in order to provide legal certainty to those responsible for data processing, including administrations, private entities, companies, and associations. Among other things, the Regulations develop the right to a digital will, the international transfer of data, the exercise of the rights of interested parties, and data processing for the purpose of video surveillance.

Definitions

The Regulations also establish new definitions, including the following:

  • Metadata: all secondary information consisting of data that qualifies other data, which can inform about the date, the location from which the data was requested, the time, who provided it, the type of sensor, its accuracy factor, etc. Metadata is considered personal data when it allows a natural person to be identified directly or indirectly, without disproportionate effort.
  • Legitimate interest: the lawful interest of the data controller or a third party in the processing of personal data that prevails over the interests, rights, or fundamental freedoms of the interested party, taking into account the reasonable expectations of the interested parties based on their relationship with the person in charge. Examples of legitimate interests are processing activities carried out within the framework of a relationship with a customer, when personal data is processed for direct marketing purposes, and data processing to prevent fraud or to ensure the security of the network and the information of its users' computer systems, among others.
  • Economic and financial data: data that provides information on the economic or financial situation of an individual. Economic and financial data has an inherently high degree of sensitivity, although it is not considered a special category of personal data.
  • Data on minors or the disabled: data on vulnerable groups. Such data has a high degree of sensitivity, although it is not considered a special category of personal data.

Data protection delegate

The Regulations elaborate on the procedure for declaring and appointing a data protection delegate ('DPD'). In essence, the Regulations provide that it is up to the data controller to assess whether it is appropriate to appoint a single DPD or more than one, and whether or not the DPD should belong to its structure, so as to guarantee the DPD's independence and availability at all times (Article 21(1) of the Regulations). In addition, the Regulations provide that controllers and processors of personal data must notify the Andorran Data Protection Agency ('APDA'), within ten days, of the designations, appointments, and terminations of the DPD (Article 21 of the Regulations).

Moreover, the Regulations require that the person in charge of the processing of personal data must ensure that the DPD has sufficient time to carry out its duties properly and must be provided with the necessary financial resources, infrastructure, and personnel. It must also ensure that the DPD participates in all actions relating to the protection of personal data in an appropriate and timely manner.

Data subject rights

The Regulations govern the form and procedure for responding to the exercise of rights by citizens (Article 12 of the Regulations). Although the Law provides for the rights of data subjects, the Regulations expand on how these rights are exercised. The Regulations highlight that the person in charge of the data processing must establish within their organisation protocols and effective response systems for the exercise of data subject rights, which must be known by all members of the organisation.

Digital will

Article 6 of the Regulations specifies the right to a digital will. A data subject has the right to foresee the management regime and scope of their digital wishes so that in case of a sudden loss of their capacity, or in case of death, their heirs, or the persons or institutions expressly designated, can act before the digital service providers in which the data subject has active accounts in order to manage them, give them instructions on the use and destination of the information, or even request the closure of the account and/or deletion of personal data. The Regulations stipulate that the service provider or the person in charge of the digital content service to whom the user's claim is directed must execute the request without delay.

In addition, Article 7 of the Regulations creates the electronic register of digital wills where documents of digital wills can be registered in the event that the interested parties have not disposed of these issues via will, codicil, or testamentary memoranda.

International transfers

The Regulations expand on the prior analysis that data controllers must carry out before transferring data internationally. In essence, the Regulations emphasise that a binding legal instrument can be used to transfer personal data to the following:

  • a Member State of the EU;
  • a country of the EEA;
  • a country with an adequate level of protection in accordance with the European Commission;
  • a country that has ratified the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108+'); or
  • a third country with an appropriate level of protection, as declared by the APDA.

However, the Regulations highlight that, before making an international transfer outside the countries mentioned, an analysis must be carried out as part of compliance with the principle of proactive responsibility.

More importantly, the Regulations provide that international transfers can be carried out outside the countries mentioned when adequate guarantees are offered for the protection of personal data. Critically, the analysis of whether an adequate level of data protection exists rests with the controller or the processor who intends to export the data, which may have an impact on the measures that these persons must take ex ante: if the result of the evaluation shows a risk that cannot be mitigated, additional or complementary measures must be adopted. The Regulations provide that such additional or complementary measures may be the following, applied independently or in combination, as necessary:

  • technical measures that may prevent or render ineffective the access of public authorities of third countries to personal data, in particular for surveillance purposes;
  • additional contractual measures that may strengthen the general level of data protection, hindering, for example, attempts by public authorities to access data in a way that does not comply with Andorran rules; and
  • organisational measures, which may consist of internal policies, organisational methods, and rules that controllers and processors can apply to themselves and impose on data importers in third countries.

To this end, the Regulations stress that the APDA must be consulted if, despite implementing additional or complementary measures, it is not possible to mitigate the risk of the international transfer to a third country.

Impact assessments

Article 17 of the Regulations sets out the conditions for carrying out impact assessments in relation to the protection of personal data. In particular, when a type of data processing, especially one that uses new technologies, is likely, taking into account its nature, scope, context, or purposes, to entail a high risk for the rights and freedoms of natural persons, the person in charge, whether public or private, must assess the impact of the processing operations on the protection of personal data before processing. In the case of a processing activity that is already underway, an impact assessment must be carried out as soon as a serious risk to the rights and freedoms of individuals is detected.

Moreover, the Regulations stipulate that data processing involves a high risk either when one of the situations provided within Section 32(3) of the Law occurs or when two or more of the following criteria appear in a data processing activity:

  • the evaluation or scoring of the data subject, including the creation of profiles;
  • the making of automated decisions with significant legal effects for natural persons or that significantly affect them in a similar way;
  • the systematic observation of interested parties;
  • sensitive data (especially protected);
  • large-scale data processing;
  • the association or combination of data sets;
  • data relating to vulnerable stakeholders, such as minors, employees, or more vulnerable groups of the population that need special protection;
  • the innovative use or application of new technological or organisational solutions;
  • the processing prevents the interested parties from exercising a right, using a service, or executing a contract; or
  • processing of economic and financial data by banking entities or financial establishments.

The Regulations further elaborate on the large-scale concept established in the Law and provide that it depends on the following criteria:

  • the number of people affected, either in absolute terms or as a proportion of a given population;
  • the volume and variety of data processed, with the processing of personal data of more than 5,000 affected people being considered processing on a large scale;
  • the duration or permanence of the processing activity; and
  • the geographical extent of the processing activity.

In addition, the Regulations clarify that the scale of risks established in the Law must be determined taking into account the criteria of impact and probability of threat. Accordingly, to calculate the level of risk associated with the data processing, the data controller must combine the severity of the possible impact with the probability of the threat, always taking the interested parties as the point of view and reference, in accordance with the risk assessment table contained in Annex 1 of the Regulations.

Enforcement

Decree 368/2022, of 14 September 2022, approving the Regulations of the APDA ('the APDA Regulations'), establishes the APDA as a public body with its own independent legal personality and full capacity to act, and provides further details on its composition, functions, inspection capacity, enforcement powers, and other principal activities contained in the Law.

Amongst others, the APDA Regulations provide that the APDA has the following functions:

  • the ability to control and guarantee the application of the Law and current regulations on personal data protection and propose improvements;
  • to respond in writing, within a maximum period of 15 working days, to queries made by public administrations, public and private entities, and citizens regarding the application of personal data protection legislation, and cooperate with other control authorities, with these inquiries addressed in writing or electronically;
  • to respond to requests made by data subjects;
  • to publish the list of countries and international organisations that have adequate protection in terms of personal data;
  • to respond to queries relating to international communications of personal data to countries or international organisations that do not offer an adequate level of protection;
  • to deal with complaints received; and
  • to investigate, as appropriate, the reason for the claim and inform the person making the claim about the course and result of the investigation within a reasonable time, in particular if new investigations are necessary.

The APDA facilitates the submission of claims through a claim submission form, including by electronic means, without excluding other means of submitting a claim.

Next steps

The Law stipulates the following transitional provisions:

  • First transitional provision: A period of six months of adaptation is established for those obliged to adapt their internal processes and develop the obligations regulated therein.
  • Second transitional provision: Those responsible for data processing that have declared one or more files in the Public Register of personal data files have a period of two months from the publication of the Regulations to delete the files from the aforementioned register and collect the original copy of the file at the offices of the APDA. After this period, the APDA destroys the paper documentation and keeps only a digitised version.
  • Third transitional provision: Data processor contracts signed before 17 May 2022, in accordance with Law 15/2003 of 18 December, on the Protection of Personal Data, remain valid until the expiration date indicated therein and, where the agreement is of indefinite duration, until 17 May 2024. During these periods, either party can demand from the other the modification of the contract in order to comply with the provisions of the Law.

With the entry into force of the Law, the provisions of equal or lower rank that oppose it are repealed, and in particular Decree 367/2022.

Bahar Toto, Privacy Analyst

This Insight article was updated on 29 November and includes further information on the Regulations.