New Data Protection Law in Andorra
Law 29/2021 of 28 October on the protection of personal data was published in the Official Gazette of the Principality of Andorra on 17 November 2021. In February 2021 we talked in this blog about the implications of the GDPR in Andorra. This is a relevant question because, despite Andorra not being a member of the EU, we have already seen the GDPR applied there in some cases. Now, however, we can finally say that there is a new Data Protection Law in Andorra that repeals the current one from 2003.
In addition to the undoubted alignment of the regulations with the GDPR, which we will discuss later, the new law responds to several strategic needs:
a) Firstly, although Andorra has an EU adequacy decision (it is considered to meet European standards, even with regard to the 2003 regulations), Art. 45.3 of the GDPR provides that the European Commission may review these decisions every 4 years, which would be in May 2022.
b) The growth of technology startups and the Andorran Government's undoubted commitment to digital entrepreneurship mean that the country must have regulations that are very similar to, if not exactly the same as, those of potential investors. Here we must obviously include the EU Member States, as well as other non-member states, which are making efforts to adapt their own regulations or which already have regulations approved by the GDPR (Israel, United Kingdom, etc.).
About Law 21/2019 on new Data Protection Law in Andorra:
The new Andorran regulations are clearly inspired by the GDPR and also, in some parts, by the Spanish Law of 2018. There are, however, some interesting nuances, which we believe to be in favour of data subjects, that companies must take into account:
First of all, it should be remembered that the regulations apply to both controllers and processors established in Andorra, as well as to those that do not reside in the Principality but use processing resources located in Andorra. In this second case, they will have to appoint a representative, whose name must be reported to the Andorran Data Protection Agency.
Among the similarities, the following concepts and obligations, already familiar to companies located in EU Member States, are introduced:
- Obligation to appoint a Data Protection Officer in public authorities and, in some cases, in private companies (large-scale processing).
- The obligation to register files expires and is replaced by the registration of processing activities.
- Risk analysis is mandatory, and impact assessments are based on the risks detected.
- Sanctioning regime, but beware, with maximum penalties of € 100,000 (significant contrast with the maximum sanction of the GDPR regime of € 20 million, which also provides that the penalty may be established based on the turnover of the offender, something that is not provided for in Andorra).
- Right to compensation for those affected.
- Duty to report incidents within 72 hours.
Finally, there is a notable difference in the way consent is granted: when it is requested for different purposes, it must be given separately.
This requirement, which was clear in the draft Spanish Law of 2018, ended up with unclear wording in the final text. In the case of Andorra, it seems clear that if a company wants, for example, to process the data for commercial purposes and to transfer it to third parties, two separate consents will be required.
When does it take effect? Andorran law will become enforceable as of 17 May 2022.
In conclusion, Andorra is taking a giant step towards equating its regulations with European standards. The Government and the General Council have fully understood that the free movement of data is an essential requirement if the commitment they have made to digitisation and technology startups is to make sense. This, combined with a very favourable tax regime for companies (10%) and the ease with which they can become established, despite not being residents, means that close attention must be paid to Andorra in the years to come.
If you have doubts about this or any other issue, please contact us!