Andorra’s new data protection law, “Llei 29/2021, del 28 d’octubre, qualificada de protecció de dades personals” (LQPD), will enter into force this May to replace the law from 2003. Its text and structure are based on the European General Data Protection Regulation (GDPR), and it introduces new obligations to which Andorran companies will have to adapt their processes. Among others, these requirements include: keeping a detailed record of data processing operations, creating an impact plan and appointing a Data Protection Officer. The new law also sets out and expands the rights of natural persons, such as the rights to data portability and restriction of processing.
In this article, which is for information purposes, we will tell you about the law’s most important new obligations and the greater protection that people are afforded when they provide their data.
- Update of the Data Protection Act
- Who must comply with the new law?
- The new rights of natural persons
- Registration of activities
- Appointment of a Data Protection Officer (DPO)
- New powers of the APDA
It should be noted that Andorra was already subject to Decision 2010/625/EU of 19 October 2010, ensuring an adequate level of protection of personal data, both domestically and across borders. However, under the GDPR this Decision may be reviewed every four years, a cycle that corresponds with the date of adoption of the new regulatory framework. Although Andorra is not a member of the European Union, it is a signatory to Convention 108 on Data Protection, which is the origin of many of the current laws.
Moreover, opening up to the digital market is a priority for Andorra, which is why it intends to adopt regulations similar to those of countries wishing to invest in the principality.
The LQPD must be applied by all natural persons, companies, entities and public and private bodies that process personal data. It covers both the manual and automated processing of data located within Andorran territory by companies domiciled in Andorra, as well as by companies outside Andorra that operate in the country.
In addition to the rights of access, rectification, erasure and objection already included in the 2003 law, there is the right to be forgotten, the right to restriction of processing and the right to data portability. All these rights are aimed at guaranteeing that personal data processing receives the highest level of protection.
The LQPD also establishes that the data subject must be informed of how they can exercise their rights and by what means. Exercising these rights is free of charge and the Data Controller of the company concerned is obligated to respond. In any event, the data subject must be informed within a period of one month of whether the request has been accepted, refused or extended, and of the justification for such decision.
The law also sets out how the organisation must obtain the consent of the natural person: it must be given freely, specifically, in an informed and unambiguous manner, and requires a statement or a clear affirmative act from the data subject. The company must disclose the identity of the Data Controller, the type of data that will be processed, and the purposes and methods of such processing. The data subject must also be informed at that time of how they can withdraw consent.
If there are multiple purposes for the processing of data, these must be indicated at the time of giving consent by means of a list and a tick box for each purpose, so the user can specifically indicate what they do and do not accept.
The law always refers to persons over 16 years of age. In the case of minors, there are additional requirements for guardians.
It is no longer compulsory to register data files with the Andorra Data Protection Agency (APDA). Instead, when the new regulation comes into force, a detailed internal record of all personal data processing activities (RAT) will have to be maintained.
The companies that will be required to do so are:
- Administration, para-public administration, public companies or organisations.
- Those processing sensitive data or data relating to criminal convictions and offences, as well as those that handle data that pose a risk to rights and freedoms.
- Those with more than 50 employees.
The main change brought about by the LQPD is the creation of the role of Data Protection Officer, who may be part of the organisation’s staff or perform their duties by means of a service contract.
Designating a Data Protection Officer will be mandatory for public and para-public bodies. In the case of private entities, it will depend on the size of the company and will be compulsory for any that process sensitive data on a large scale. A company may voluntarily appoint a Data Protection Officer even when there is no legal obligation to do so.
The role of the Data Protection Officer is to inform and advise on the obligations established by law and to supervise compliance with them. The appointment of a DPO must be reported to the Andorra Data Protection Agency.
Even though this position exists, it is still the company that is responsible for compliance with the regulations.
The LQPD requires an impact assessment to be conducted in order to identify potential risks to the rights and freedoms of data subjects.
The impact assessment is a report that includes a detailed description of the processing and the purposes for which it is being performed. It must assess the necessity and proportionality of the processing and detail the identified risks and the security measures intended to address them.
Ideally, the assessment should be completed before any data processing is performed and then used as a guide. If processing is already under way, it should be carried out as soon as a risk or a failure in the processing chain is detected. It must be revisited whenever there is a change to the processing or to the law.
The Data Protection Law establishes a sanctioning regime in which the financial penalties are higher than those in the 2003 law.
It classifies them as follows:
- Minor: from €500 to €15,000
- Serious: from €15,001 to €30,000
- Very serious: from €30,001 to €100,000
The body that can issue warnings and apply financial penalties to private companies is the Andorra Data Protection Agency (APDA). In the case of the public administration, however, the APDA could only publicly report the offence in the Official Gazette and open a file; there would be no financial penalty, as the public administration is governed by its own disciplinary regime.
The Andorra Data Protection Agency is acquiring new powers as an independent supervisory authority, which are detailed in the text of the new regulatory framework. These include monitoring compliance with the law, studying proposals for improvement and inspecting and sanctioning, among others.
This law will certainly require Andorran companies to make changes and adapt in order to comply with its obligations. At Advantia Assessors, we are already hard at work so we can continue to assure our private and professional clients about confidentiality and security in the processing of their data.