Andorra passes its new data protection act

Other countries

On October 28, 2021, the Andorra General Council adopted Act 29/2021 on Personal Data Protection 

Andorra passes its new data protection act
November 22, 2021

On October 28, 2021, the Andorra General Council adopted Act 29/2021 on Personal Data Protection (“LCPDP” or the “Data Protection Act”), which was published in the Official Gazette of the Principality of Andorra on November 17, 2021.

The Data Protection Act, which is divided into seven chapters and 74 articles, aims to harmonize the Andorran domestic regulations with EU data protection law, i.e., with Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). To that end, Andorra repeals Act 15/2003, of December 19, on Data Protection.

See below the most significant aspects of the LCPDP:

- The LCPDP’s scope of application includes the automated and non-automated processing of personal data which form part of or are intended to form part of a filing system. The LCPDP will also apply to data processing by controllers or processors not based or incorporated in Andorra under the laws of the Principality if, for the processing of data, they rely on means located in Andorra. If so, the controllers or processors involved must designate a representative before the Andorran Data Protection Agency that must be based in the Principality of Andorra.

- As for the processing of deceased persons’ data, the LCPDP allows the person’s relatives (including informal kinship) to request access to his or her personal data from the controller or processor for rectification or erasure purposes where appropriate. Note that the LCPDP will prevent access if (i) the deceased person expressly precluded it; or (ii) it is expressly provided by an applicable regulation.

- Although the principles applicable to personal data processing are the same as under the GDPR, regarding the principle of accuracy the LCPDP provides that the controller will not be held liable for any inaccuracies in personal data if the controller takes every reasonable step to ensure that the relevant data be rectified or erased.

- Article 6(3) LCPDP sets out various criteria for determining whether data processing for another purpose is compatible with the purpose for which the data were initially collected. These criteria include considering the possible consequences of the intended further processing for data subjects, or whether there is a link between the purposes for which the personal data have been collected and the purposes of the intended processing.

- Article 26 LCPDP lists the situations in which data subjects’ rights may be limited, e.g., national security, defence, public security or the protection of judicial independence and judicial proceedings.

- In line with the GDPR, the LCPDP (i) provides for a data protection impact assessment if the processing can entail a high risk to the rights and freedoms of natural persons; (ii) requires keeping records of processing activities; and (iii) regulates the contents of the data processing agreement concluded between controllers and processors.

- Under the LCPDP, the processing of children’s personal data will only be considered lawful if the child is at least 16 years old.

- It is worth highlighting that the LCPDP includes an article on safeguarding digital rights. This article provides, e.g., that everyone has the right to access the internet, and that affordable and high-quality access should be guaranteed to the entire population, with the aim of bridging (i) the gender gap (both socially and in the workplace); and (ii) generational gaps, through training programs for the elderly.

- The sixth and seventh chapters of the LCPDP regulate matters related to the composition and scope of the Andorran Data Protection Agency, its powers and duties, and the Agency’s prerogatives for granting authorizations or receiving consultations.

- Regarding penalties, the LCPDP provides that infringements may qualify as minor, serious or very serious. According to these categories, penalties can range from €500 to €100,000.

- Finally, note that the third final provision calls for the Government to submit, within two years from the LCPDP’s entry into force, a draft bill on personal data processing prepared by the competent authorities for the prevention, investigation, detection and prosecution of criminal offences, and the enforcement of criminal penalties, so we will look out for any developments.

November 22, 2021