Monday to Friday from 9 a.m. to 2 p.m. and from 3 p.m. to 6 p.m.

Digitalisation and Data Protection in Andorra

Home · Blog · New

Andorra strongly supports digitalisation of its economy because it is aware that digitalisation is no longer the future but the present. Global changes in society in recent years have led to the creation of a new digital space brimming with business opportunities, with the potential to revamp sectors and boost the economy of businesses in the Principality of Andorra.

Nevertheless, this Pyrenean country, while conscious of the fact that there can be no future without the use of the internet and new technologies, both commercially and professionally, stands firm in its commitment to comply with its legal obligations, placing particular emphasis on the protection of personal data and fundamental freedoms.

Accordingly, the legal framework on personal data protection was amended on 17 November 2021 with the publication of qualified Law 29/2021 on personal data protection. This law, in force since 17 May 2022, updates the previous 2003 law and adopts the amendments made to the European regulatory framework in recent years.

Consequently, Data Protection is established as a national priority for the Principality of Andorra and, consequently, for social and legislative changes on a global scale. In a society that is ever more aware of the importance and value of its personal data, establishing a strategy that fulfils the obligations deriving from applicable regulations also adds significant value to any organisation.

The new Andorran data protection law includes a series of amendments and obligations that must be met by the businesses, entities and organisations that are subject to them.

When does the new Andorran Data Protection Law come into force?

Law 29/2021 on Personal Data Protection was published on 17 November 2021, setting a period of 6 months before entry into force. Therefore, the Law will come into force on 17 May 2022.

Who does the Andorran Data Protection Law apply to?

The Andorran Data Protection Law applies to all public and private entities that carry out data processing for use in their day-to-day activities. Moreover, anyone responsible for or providing services established in Andorra or under its laws will also be subject to the Law.

Finally, anyone responsible for or providing services located outside Andorra but using processing media located inside the country will also be subject to the Law.

Does the General Data Protection Regulation (GDPR) apply in Andorra?

Although Andorra is outside the European Union, the GDPR can apply to businesses or entities that are located in the Principality of Andorra. The territorial scope of the GDPR establishes that this regulation is applicable to data processing carried out by an entity located outside the European Union whenever goods or services are offered to data subjects located inside the European Union, irrespective of whether they require payment or not.

Equally, the GDPR also applies to entities or businesses located outside the EU, which process data for monitoring the behaviour of the data subjects, when this takes place inside the European Union.

It is worth remembering that the GDPR disciplinary procedure envisages penalties of up to 20 million euros or 4% of the global annual turnover from the previous financial year, whichever is higher.


Must I have a Data Protection Officer in Andorra?

The new Andorran Data Protection Law established that some entities and organisations must appoint a Data Protection Officer and report this to the Andorran Data Protection Agency (APDA). The businesses and entities that must have a Data Protection Officer include all public undertakings, irrespective of the data they process, and any private companies that process automated data on a large scale or that process special categories of data.


What data protection rights do data subjects have in Andorra?

The new Andorran legislation provides the same rights as the European Regulation: right of access, right to rectification, right to erasure, right to object, right to restrict processing and right to data portability. It also adds rights such as guaranteeing digital rights and the right to be forgotten.

Must I keep a Record of Processing Activities in Andorra?

Law 29/2021 on Personal Data Protection includes the obligation for some businesses and entities to keep a Record of Processing Activities. This record is created via an internal document with the minimum content to enable monitoring of the personal data processed by the entity. Among the different organisations that must keep this type of record are notably:

Public Administration (including semi-public corporations or public corporations).

Companies with more than 50 employees.

Companies that carry out regular processing of sensitive data, details of sentences or criminal offences, or data that put rights and freedoms at risk.


What happens if I suffer a security breach in Andorra?

With the meaning of security breach as a security incident that results in a breach of data confidentiality, availability or integrity, Andorran legislation establishes an obligation to inform the Andorran Data Protection Agency (APDA) about any such incident.

This communication is mandatory whenever the security breach affects the rights and freedoms of data subjects, and must be made within 72 hours of the security incident.

Must I carry out a Data Protection Impact Assessment in Andorra?

Law 29/2021 on Personal Data Protection established a series of cases where a Data Protection Impact Assessment must be carried out, to identify and control risks to the personal rights and freedoms associated with the data processing:
When data processing is carried out with a high risk to personal rights and freedoms.
When automated processing is carried out having legal effect through systematic, exhaustive assessments.
When data classified as special are processed on a large scale.
When systematic observation of a publicly-accessible area is carried out on a large scale.

How can I mitigate my Data Protection risks in Andorra?

The Data Protection regulations establish that businesses, entities and organisations subject to the Law must establish technical and organisational measures to mitigate their risks in this field. Such measures must be based on data protection by design and by default.

They also establish the importance of training processes for workers and staff in entities with access to personal data. Accordingly, it is essential to have suitable expert professionals in this field, so that risks can be mitigated by analysing the nature of the business and finding the best tailored solutions.

If you are looking for the right professionals, we can help you find them.