Andorra’s Qualified Personal Data Protection Law

1. Introduction

Law 29/2021 of Andorra is the Personal Data Protection Law passed in October of 2021. Since Andorra is not a member of the European Union, the GDPR does not apply to the collection and processing of personal data within Andorra. As a result, on October 28, Andorra Law 29/2021 was introduced, creating the legal framework for collecting and processing personal data in the country.

On 17 May 2022, Law 29/2021 entered into force. Law 29/2021 regulates the processing of data relating to natural persons by individuals, private businesses, and the Andorran Public Administration.

Law 29/2021 reshapes Andorra's data protection legal framework by adding data controller’s obligations and providing more control to data subjects over their personal data.

2. Who Needs to Comply with the Law

a. Material Scope

This Law applies to the fully or partially automated processing of personal data and the non-automated processing of personal data contained or intended to be included in a file and any subsequent use of such data by public and private companies.

b. Territorial Scope

Applies to data processing carried out in Andorran territory by data controllers domiciled in Andorra or those not domiciled in the territory when using automated or non-automated means of processing located in Andorra.

Controllers or processors that are not domiciled or constituted as per the laws of Andorra but use processing means in Andorra must designate a representative.

3. Regulatory Authority

The law has established the Andorran Data Protection Agency (APDA), an independent supervisory authority safeguarding people's privacy and data protection. The agency's primary goal is to ensure and monitor compliance with Law 29/2021.

Other functions include promoting public awareness and understanding of the risks regarding the processing of their personal data, providing information on the rights of individuals, and penalizing entities for any non-compliance.

4. Definitions of Key Terms

4.1 Personal Data

Personal data includes all numerical, alphabetical, graphic, photographic, auditory, or any other information relating to an identified or identifiable natural person ("interested person").

4.2 Natural Person

An identifiable natural person is someone whose identification can be determined, either directly or indirectly, by an identifier or one or more distinct elements, characteristics of their physical, physiological, genetic, mental, economic, or cultural identity.

4.3 Consent

Any expression of a free, particular, informed, and unambiguous choice by which the person accepts, by means of a declaration or a clear affirmative action the processing of personal data that affects them.

4.4 Data Controller

Any natural or legal person, competent authority, public authority, service, or any other institution that, itself or in collaboration with others, determines the purposes and means of the processing of personal data and ensures that the processing is carried out in accordance with the applicable data protection legislation.

4.5 Genetic Data

Personal data relating to a natural person's genetic characteristics inherited or acquired from a natural person, which provide unique information about their physiology or state of health, obtained from the analysis of a biological sample of the person.

4.6 Special Categories of Personal Data

Personal data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union affiliation, genetic data, biometric data intended to uniquely identify a person, data relating to health, or data relating to the sexual life or sexual orientation of a natural person.

5. Obligations for Organizations Under PDPA

Data controllers and processors have several responsibilities and obligations concerning collecting and processing personal data under Andorra Law 29/2021.

General Principles

The Law outlines a number of principles for the handling of personal data that are strongly linked to the GDPR and dictate what should be followed by data controllers and processors. According to Article 5 of the Law, personal data shall be, in particular:

• Processed in a legal, fair, and transparent manner concerning the individual involved ("lawfulness, fairness, and transparency");
• Collected for specific, explicit, and lawful purposes and not afterward processed in a way that is inconsistent with those initial purposes ("purpose limitation");
• Adequate, relevant, and limited to what is required in light of the purposes for which they are treated (data minimization); and
• Accurate, complete, and, where appropriate, up to date with the implementation of reasonable means to promptly rectify or erase inaccurate personal data with regard to the purposes for which they are processed (the "accuracy").

a. Lawful Basis Requirement

There are six legal bases for processing personal data under Article 6 of the Law, and the processing of personal data is permissible if at least one of the following requirements is met:

• Data subject’s consent;
• Performance of a contract;
• Compliance with a legal obligation;
• Vital interests of the person concerned or of another natural person;
• Performance of a task carried out in the Public interest; and
• Legitimate interests of the controller or a third party.

b. Consent Requirement

If the processing is based on the data subject's consent, the controller should be able to show that the data subject has given their consent. A request for consent must be clearly distinguished from any other information such as terms and conditions, understandable, readily available, and expressed in clear and simple language.

Law 29,2021 provides the following conditions for a valid consent:

• Freely given – The performance of a contract cannot be made conditional on the data subject’s consent.
• Specific - Consent must be obtained for all purposes where the processing of data concerns multiple data processing purposes,separate consent must be obtained for separate data processing purposes.
• Informed – the parties must be informed about the data controller's identity, what type of data will the data controller process, how the data will be processed, and the purpose of processing the data.
• Unequivocal – consent cannot be implied and must always be made through an opt-in mechanism.
• The data subject must be able to withdraw consent at any time as easily as he/she provided the consent.

For the processing of personal data belonging to data subjects of 16 years of age or less, consent must be obtained from legal representatives of minors or holders of parental responsibility.

c. Registration Requirement

The law mandates the registration of processing activities. Public and private companies with more than 50 employees and possessing sensitive data must register their processing activities with the regulatory authority. To register, companies can submit an official document in writing or electronically. The registration requirement is a new obligation, referred to as the Register of Treatment Activities (RAT). This new obligation compels data controllers to have active responsibility for protecting the personal data of data subjects.

d. Transparency Requirement

The law mandates data controllers to be transparent in their data processing practices and keep data subjects informed regarding their personal data processing. Data controllers must provide certain information to data subjects regarding the processing of their data at the time when data is collected from them.

In particular, data controllers must inform data subjects of the purposes of the processing, data retention periods, data recipients, and data subjects’ rights.
All information must be concise, transparent, intelligible and easily accessible, and communicated in a clear and simple language.

e. Security Requirements

Data controllers must ensure the application of the appropriate technical and organizational measures taking into account the nature, scope, context, and purposes of the processing as well as the risks to the rights and freedoms of natural persons.

f. Breach Notification Requirement

Violation of the security of personal data or a personal data breach is any breach of security that causes the loss, alteration, or unauthorized disclosure of personal data. Personal data breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the Andorran Data Protection Agency without undue delay and within a maximum period of 72 hours. Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, such a breach must be notified to the impacted data subject without undue delay.

g. Data Protection Officer Requirement

This is one of the new duties that all public administrations and some commercial companies must meet, depending on the sort of processing they undertake and the types of operational data.

A data protection officer ('DPO') must be designated by public agencies and companies that frequently and systematically monitor data subjects on a wide scale. This person (DPO), who could be inside or external to the firm, will advise the data controller on all topics relating to the company's data protection.

A data controller that is a company or a private organization must designate a data protection officer in any of the following situations:

• Where the processing involves large categories of data on a large scale.
• Where a considerable amount of personal data at the national or supranational level is processed affecting a large number of data subjects and posing a high risk to the rights and freedoms of data subjects.

It must be ensured that the DPO has no conflicts of interest and has professional skills.

h. Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is a procedure that aims to identify risks to data subjects as a result of a data processing activity. The DPIA must take into account the nature, scope, context, or purposes of data processing and assess the impact of the processing on the protection of personal data.

Organizations are mandated to conduct a data protection impact assessment for high-risk data processing activities or if the organization intends to use new technologies. A DPIA is required in the following situations:

• Systematic and extensive assessment of personal aspects of individuals based on automated processing such as profiling.
• Large-scale processing of special categories of personal data or personal data relating to criminal convictions and offenses.
• Systematic large-scale monitoring of a public access area.

i. Record of Processing Activities

The law requires data controllers to maintain an extensive internal record of data processing activities under their control. Such records must include the following information:

• Name and contact details of the person in-charge.
• Purposes of the processing.
• Description of data subjects and categories of personal data.
• Categories of recipients of personal data.
• Transfers of personal data to the third country.
• Data retention periods for different categories of data.
• Description of technical and organizational measures.

j. Cross-border Data Transfer Requirements

Cross-border data transfers can take place to adequate countries or countries that ensure an equivalent level of data protection.

In the absence of an adequacy decision, cross-border transfers can take place to countries where adequate safeguards are ensured and data subjects have enforceable rights and the right to an effective legal action. Transfers can take place by means of the following adequate guarantees:

• A legal contract that binds public authorities or other organizations and is enforceable by the law.
• Binding corporate rules (Enforceable company policies).
• Standard data protection clauses adopted by the European Commission or the Andorran Data Protection Agency.
• A code of conduct as well as legally binding and enforceable obligations from the controller or the third-country data controller to implement the necessary protections, including those pertaining to the rights of the individuals involved.
• A certification process that has been approved in line with EU personal data protection laws and is generally valid within the European Union, along with legally-binding commitments from the controller or data controller in the third country to implement the necessary safeguards, including those pertaining to the rights of the individuals involved.

In absence of an adequacy decision or any of the adequate guarantees mentioned above, transfers may take place under certain specific situations. These specific situations or derogations include the following:

• Where the data subject has provided his/her express consent to the proposed transfer after being informed of the risks of the transfer.
• Where the transfer is necessary for the performance of a contract between the data subject and the controller.
• Where the transfer is necessary to formalize or execute a contract between the controller and other natural or legal persons in the interest of the data subject.
• Where the transfer is necessary for reasons of public interest.
• Where the transfer is necessary to formulate, exercise, or defend claims.
• Where the transfer is necessary to protect the vital interests of the data subject or another natural person.
• Where the transfer is made from a public register for the purpose of providing information to the public and is open for consultation by the general public or by any person who proves a legitimate interest.

6. Data Subject Rights

Data subjects can exercise their rights of access, rectification, opposition, erasure (Right to be forgotten), limitation of processing, and portability.

6.1 Right of Access

Individuals have the right of access to request the data controller to obtain confirmation from the data controller whether or not their personal data is being processed. If so, the data controller must enable means for individuals to access their personal data being processed.

Individuals can access the following information:

• The purpose of data processing.
• The categories of data being processed.
• The recipients or categories of recipients to whom personal data were or will be communicated, especially if the transfer is international.
• The estimated period of personal data storage, or, if this is not possible, the factors used to calculate this time.
• The information on data subject’s right to request access to personal data, rectify, delete or object to processing and data portability.
• The information on the data subject’s right to lodge a complaint with a supervisory authority.
• Any available information on the source of personal data where personal data is not directly collected from the data subject.
• The existence of automated decision-making including profiling and where applicable, the information on the logic involved intended consequences of such automated decision-making.

6.2 Right of Rectification

The data subject can exercise his/her right to rectification by requesting that the data controller correct any incorrect personal data about him/her without undue delay. If the data subjects’ personal data is incomplete, the data subject may provide additional declaration/documentation justifying the inaccuracy or incomplete nature of the personal data to enable the data controller to facilitate data rectification requests.

6.3 Right of Suppression

This is also known as the right to be forgotten, i.e. the right to obtain deletion of personal data. It applies in any of the following circumstances:

• If personal data is no longer required for the purposes for which it was obtained or is processed in another way.
• If the data subject revokes their consent where the data processing was based on the data subject’s consent. For example, where consent is withdrawn for using personal data for direct marketing purposes.
• Where the data subject opposes the processing.
• Where the personal data is processed illegally.
• Where the personal data is required to be deleted in order to comply with a legal obligation.
• Where the personal data is obtained in relation to the direct offer of information society services.

6.4 Right of Opposition

This is also known as the right to object. The right to object to the processing of personal data affecting him/her, including profiling, may be exercised for grounds relating to the data controller’s particular circumstances and where the person in charge has not got the data directly from the data subject/individual concerned.

In the event of an objection, the data controller will cease to process the data unless they can demonstrate compelling grounds that outweigh the interested party's interests, rights, and freedoms.

When personal data is processed for direct marketing, the data subject has the right to object to processing his/her personal data, including the building of profiles connected to that marketing; in this instance, personal data must be deleted.

6.5 Right to Portability

The right to receive data in a structured and machine-readable format and to be able to transfer data from one data controller to another is known as the right to data portability. This right can be exercised when data processing is based on the data subject's consent or performance of a contract to which the data subject is a party to.

6.6 Right to Limitation of Processing

Data subjects have the right to obtain from the controller the limitation or restriction of the processing of their personal data. This right can be exercised if any of the following conditions are met:

• When the data subject disputes the accuracy of the personal data for a period that allows the person in charge to verify its accuracy.
• When the processing is illegal and the data subject opposes the deletion.
• When the personal data is no longer required for the purposes it was collected for.
• When the data subject objects to the processing and verification whether or not the objection is valid is pending.

6.7 Right to Object to Automated Decision-Making

Article 25 of the law provides individuals with the right to object to automated decision-making including profiling that has significant legal effects affecting the data subject.

6.8 Guarantee of Digital Rights

This is a particularly unique right that is not frequently encountered in other major privacy laws, such as the GDPR. Digital rights are guaranteed by the law, and article 21 of the law states that the protection of the personal data of all natural persons, regardless of their nationality or place of residence, is fully applicable on the internet.

The right to Guarantee of digital rights includes the following:

• The right to net neutrality.
• The right to access the internet regardless of their person’s social, economic, or geographical status.
• The right to universal, affordable, quality, and non-discriminatory access to the internet for the entire population.
• The right to the security of the communications individuals transmit and receive over the internet.

In furtherance to this right, internet service providers are required to provide transparent services without any discrimination on technical or economic grounds and inform users of their rights.

7. Penalties for Non-Compliance

The law establishes a system of sanctions for natural or legal persons who violate data protection legislation based on variables such as the seriousness of the infraction, the number of people impacted, the damages incurred, and the likelihood of recurrence. Only the APDA has the authority to issue sanctions. A maximum penalty of € 100,000 may be enforced on organizations that do not comply with the law.

Penalty amounts are classified as follows:

• Minor offenses: from €500 to €15,000
• Serious offenses: from €15,001 to €30,000
• Severe offenses: from €30,001 to €100,000

The Andorra Data Protection Agency (APDA) is the authority that can issue warnings and impose financial fines on private organizations.

8. How an Organization Can Operationalize the Law

To comply with Law 29/2021, organizations must:

• Determine whether they fulfill the Law 29/2021 applicability criteria and whether or not the law applies to their organization;
• Determine their data inventories and categorize data storage that contains personal information about Andorrans;
• Make it transparent how personal data is processed by using official policies and privacy notices;
• Introduce and implement a robust framework for handling data subject rights requests;
• Conduct data protection impact assessments for high-risk data processing activities in order to identify risks and rectify any vulnerabilities;
• Hire an experienced data protection officer that has sound knowledge of Law 29,2021 and handles data subject requests without any delay;
• Create a solid consent framework that handles consent obligations quickly;
• Allow Andorrans to exercise their rights when an organization sells or uses their personal data for targeted advertising;
• Protect their processing activities by embracing technical and organizational security measures; and
• Examine their data handling practices and third-party processor agreements thoroughly.

9. How Can Securiti Help

As the world experiences a radical shift in the digital landscape, businesses must become even more privacy-conscious of their operations and careful guardians of their consumers' data while automating privacy and security processes for speedy action.

Businesses must adopt robotic automation to operationalize compliance and avoid falling behind with an ever-growing network of customers and potential users. While numerous companies offer software to assist businesses in meeting global privacy regulations, these solutions only go so far as to apply various restrictions or provide rudimentary data-driven functionality.

Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Andorra’s Law 29,2021 and other privacy and security standards worldwide. Examine how it functions. Request a demo right now.