Law 29/2021 of Andorra is the Personal Data Protection Law passed in October of 2021. Since Andorra is not a member of the European Union, the GDPR does not apply to the collection and processing of personal data within Andorra. As a result, on October 28, Andorra Law 29/2021 was introduced, creating the legal framework for collecting and processing personal data in the country.
On 17 May 2022, Law 29/2021 entered into force. Law 29/2021 regulates the processing of data relating to natural persons by individuals, private businesses, and the Andorran Public Administration.
Law 29/2021 reshapes Andorra's data protection legal framework by adding obligations for data controllers and giving data subjects more control over their personal data.
This Law applies to the fully or partially automated processing of personal data and the non-automated processing of personal data contained or intended to be included in a file and any subsequent use of such data by public and private companies.
The Law applies to data processing carried out in Andorran territory by data controllers domiciled in Andorra, or by controllers not domiciled in the territory who use automated or non-automated means of processing located in Andorra.
Controllers or processors that are not domiciled or constituted as per the laws of Andorra but use processing means in Andorra must designate a representative.
The law has established the Andorran Data Protection Agency (APDA), an independent supervisory authority safeguarding people's privacy and data protection. The agency's primary goal is to ensure and monitor compliance with Law 29/2021.
Other functions include promoting public awareness and understanding of the risks regarding the processing of their personal data, providing information on the rights of individuals, and penalizing entities for any non-compliance.
Personal data includes all numerical, alphabetical, graphic, photographic, auditory, or any other information relating to an identified or identifiable natural person ("interested person").
An identifiable natural person is someone who can be identified, directly or indirectly, by an identifier or by one or more elements specific to their physical, physiological, genetic, mental, economic, or cultural identity.
Consent is any expression of a free, specific, informed, and unambiguous choice by which the person accepts, by means of a declaration or a clear affirmative action, the processing of personal data that affects them.
A data controller is any natural or legal person, competent authority, public authority, service, or other institution that, alone or in collaboration with others, determines the purposes and means of the processing of personal data and ensures that the processing is carried out in accordance with the applicable data protection legislation.
Genetic data is personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information about their physiology or state of health and are obtained from the analysis of a biological sample of that person.
Sensitive data is personal data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union affiliation, genetic data, biometric data intended to uniquely identify a person, data relating to health, or data relating to the sexual life or sexual orientation of a natural person.
Data controllers and processors have several responsibilities and obligations concerning collecting and processing personal data under Andorra Law 29/2021.
The Law outlines a number of principles for the handling of personal data that are strongly linked to the GDPR and dictate what should be followed by data controllers and processors. According to Article 5 of the Law, personal data shall be, in particular:
There are six legal bases for processing personal data under Article 6 of the Law, and the processing of personal data is permissible if at least one of the following requirements is met:
If the processing is based on the data subject's consent, the controller must be able to demonstrate that the data subject has given their consent. A request for consent must be clearly distinguishable from any other information, such as terms and conditions, and must be understandable, readily available, and expressed in clear and simple language.
Law 29/2021 provides the following conditions for valid consent:
For the processing of personal data belonging to data subjects of 16 years of age or less, consent must be obtained from the minor's legal representatives or the holders of parental responsibility.
The law mandates the registration of processing activities. Public and private companies with more than 50 employees and possessing sensitive data must register their processing activities with the regulatory authority. To register, companies can submit an official document in writing or electronically. The registration requirement is a new obligation, referred to as the Register of Treatment Activities (RAT). This new obligation compels data controllers to have active responsibility for protecting the personal data of data subjects.
The law mandates data controllers to be transparent in their data processing practices and keep data subjects informed regarding their personal data processing. Data controllers must provide certain information to data subjects regarding the processing of their data at the time when data is collected from them.
In particular, data controllers must inform data subjects of the purposes of the processing, data retention periods, data recipients, and data subjects’ rights.
All information must be concise, transparent, intelligible and easily accessible, and communicated in a clear and simple language.
Data controllers must ensure the application of the appropriate technical and organizational measures taking into account the nature, scope, context, and purposes of the processing as well as the risks to the rights and freedoms of natural persons.
Violation of the security of personal data or a personal data breach is any breach of security that causes the loss, alteration, or unauthorized disclosure of personal data. Personal data breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the Andorran Data Protection Agency without undue delay and within a maximum period of 72 hours. Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, such a breach must be notified to the impacted data subject without undue delay.
This is one of the new duties that all public administrations and some commercial companies must meet, depending on the type of processing they carry out and the categories of data involved.
A data protection officer (DPO) must be designated by public agencies and by companies that regularly and systematically monitor data subjects on a large scale. The DPO, who may be internal or external to the organization, advises the data controller on all matters relating to the organization's data protection.
A data controller that is a company or a private organization must designate a data protection officer in any of the following situations:
The controller must ensure that the DPO has no conflict of interest and has the necessary professional skills.
A Data Protection Impact Assessment (DPIA) is a procedure that aims to identify risks to data subjects as a result of a data processing activity. The DPIA must take into account the nature, scope, context, or purposes of data processing and assess the impact of the processing on the protection of personal data.
Organizations are mandated to conduct a data protection impact assessment for high-risk data processing activities or if the organization intends to use new technologies. A DPIA is required in the following situations:
The law requires data controllers to maintain an extensive internal record of data processing activities under their control. Such records must include the following information:
Cross-border data transfers can take place to adequate countries or countries that ensure an equivalent level of data protection.
In the absence of an adequacy decision, cross-border transfers can take place to countries where adequate safeguards are ensured and data subjects have enforceable rights and the right to an effective legal action. Transfers can take place by means of the following adequate guarantees:
In the absence of an adequacy decision or any of the adequate guarantees mentioned above, transfers may take place only in certain specific situations. These specific situations, or derogations, include the following:
Data subjects can exercise their rights of access, rectification, opposition, erasure (Right to be forgotten), limitation of processing, and portability.
Individuals have the right to request confirmation from the data controller as to whether or not their personal data is being processed. If it is, the data controller must provide the means for individuals to access the personal data being processed.
Individuals can access the following information:
The data subject can exercise the right to rectification by requesting that the data controller correct any inaccurate personal data about them without undue delay. If the data subject's personal data is incomplete, the data subject may provide an additional declaration or documentation justifying the inaccuracy or incompleteness of the personal data, so that the data controller can fulfil the rectification request.
This is also known as the right to be forgotten, i.e. the right to obtain deletion of personal data. It applies in any of the following circumstances:
This is also known as the right to object. The data subject may object to the processing of personal data affecting them, including profiling, on grounds relating to the data controller's particular circumstances and where the controller has not obtained the data directly from the data subject.
In the event of an objection, the data controller will cease to process the data unless they can demonstrate compelling grounds that outweigh the interested party's interests, rights, and freedoms.
When personal data is processed for direct marketing, the data subject has the right to object to the processing of their personal data, including the building of profiles connected to that marketing; in this case, the personal data must be deleted.
The right to receive data in a structured and machine-readable format, and to transfer that data from one data controller to another, is known as the right to data portability. This right can be exercised when the data processing is based on the data subject's consent or on the performance of a contract to which the data subject is a party.
Data subjects have the right to obtain from the controller the limitation or restriction of the processing of their personal data. This right can be exercised if any of the following conditions are met:
Article 25 of the law provides individuals with the right to object to automated decision-making including profiling that has significant legal effects affecting the data subject.
This is a particularly distinctive right that is not often found in other major privacy laws, such as the GDPR. Digital rights are guaranteed by the law, and Article 21 states that the protection of the personal data of all natural persons, regardless of their nationality or place of residence, is fully applicable on the internet.
The guarantee of digital rights includes the following:
In furtherance of this right, internet service providers are required to provide transparent services without any discrimination on technical or economic grounds and to inform users of their rights.
The law establishes a system of sanctions for natural or legal persons who violate data protection legislation, graded according to variables such as the seriousness of the infraction, the number of people affected, the damage caused, and the likelihood of recurrence. Only the APDA has the authority to issue sanctions. A maximum penalty of €100,000 may be imposed on organizations that do not comply with the law.
Penalty amounts are classified as follows:
The Andorra Data Protection Agency (APDA) is the authority that can issue warnings and impose financial fines on private organizations.
To comply with Law 29/2021, organizations must:
As the world experiences a radical shift in the digital landscape, businesses must become even more privacy-conscious of their operations and careful guardians of their consumers' data while automating privacy and security processes for speedy action.
Businesses must adopt robotic automation to operationalize compliance and avoid falling behind with an ever-growing network of customers and potential users. While numerous companies offer software to assist businesses in meeting global privacy regulations, these solutions only go so far as to apply various restrictions or provide rudimentary data-driven functionality.
Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Andorra's Law 29/2021 and other privacy and security standards worldwide. See how it works. Request a demo today.