Data Protection in Andorra: what you should know if your company is going to operate there.

Andorra and its attractiveness for companies has led the country to change its legislative system by leaps and bounds with the incorporation of modifications and new regulations to comply with.

With them, the Principality manages to adapt to the new circumstances so that both the country and the investors obtain the maximum benefits from this new relationship.

This is the case of the Personal Data Protection Act that came into force in May 2022. In this article, we will tell you about the new obligations contained in this law and the greater protection that individuals enjoy when they transfer their data to Andorran companies.

What is the Data Protection Law in Andorra like?.

The modifications to the law already in force were a priority, as Andorra, wishing to open up to a digital and international market, had to adopt regulations similar to those of other countries seeking to invest in the country.

This led to the creation of a new law to replace the 2003 law, the structure of which is quite similar to the European Data Protection Regulation. Although Andorra is not a member of the European Union, the country signed the Data Protection Convention No. 108 which ensured the adequate level of protection of personal data, until now.

Todas las personas, entidades y empresas públicas y privadas que tratan datos de carácter personal, están obligados a cumplir con la nueva ley. Ya usen de forma manual o automatizado los datos extraídos en territorio andorrano.

What are the modifications to the data protection law?

The Data Protection Act, which came into force in 2003, has undergone many changes. Below we will highlight the most relevant points to bear in mind regarding the new regulations and how they affect companies:

New rights for natural persons

The law already included the right to access, rectification, deletion and opposition of personal data and to these are added the right to be forgotten, limitation of processing and data portability. The aim of these new rights is to achieve a new level of security in the protection of personal data.

Another point is that the data subject must be fully aware and informed of how to exercise these rights If he or she requests it from a company, the company is obliged to inform him or her within one month.

Consent between the natural person and the organisation

This consent must be given in a free, specific, informed and unequivocal manner and collected by means of an affirmative and clarifying statement by the user.

In short, the user must know what type of data will be transferred, how it will be processed, for what purposes and how, and has the right to withdraw this consent at any time.

The law refers to persons over 16 years of age, if they are under 16 years of age, there are additional requirements that have to be met.

Registration of activities

Under the 2003 law, all companies had to register their data files with the Andorran Data Protection Agency.

However, this changes with the new regulation and now a detailed internal record of all actions concerning the processing of personal data will have to be kept.

A data protection officer.

A new figure has also appeared: the data protection officer. He or she may be part of the staff or perform the functions of the figure through a service contract.

It will be mandatory for public and para-public bodies. In the case of the private sector, it will depend on the company and will be irrevocable for companies processing sensitive data on a large scale.

The functions of this delegate will be to inform and advise on the obligations of the law and to ensure compliance with it. His/her appointment will be communicated to the Andorran Data Protection Agency.

The impact assessment.

This assessment is a detailed report of the data processing and its purpose, as it will establish the risks identified and the security measures taken to address them..

This report covers the regulatory requirement to carry out a process to identify the risks to the rights and freedoms to which the user is exposed. The idea is that before any data processing is developed, this report should be carried out and used as a guide.

New competences for the Andorran Data Protection Agency.

This body has been given new powers, including the supervision and monitoring of compliance with the regulations, together with the study of proposals to improve, inspect and sanction them. Financial penalties have increased significantly with respect to the 2003 regulations.

The Andorran Data Protection Agency is still considered the data control authority par excellence and can issue warnings and apply financial penalties to private entities.

In the case of the public administration, it can only open a file and report the situation but will not issue a financial penalty.

This new law obliges all companies operating in Andorra to make changes to adapt and comply with the regulations. At Wit we have studied all the points to follow and to cover in order to continue guaranteeing the best advisory service to our clients.

If you are thinking of betting on Andorra, we are the perfect travel partner.

Related Posts

Having a Dog or Cat in Andorra

Aprendizaje del Catalán en Andorra: Integración y oportunidades

Actualizaciones en la fiscalidad inmobiliaria y la inversión extranjera en Andorra

Vacant Property Tax (IHB) in Andorra

Your Premier Choice for Security and Investment Prosperity

Andorran Tax Calendar