Llei 29/2021, del 28 d’octubre, qualificada de protecció de dades personals (LQPD) updates and modernizes Andorra’s data protection regulations to align with the European Union’s General Data Protection Regulation (GDPR).

Effective date: May 17, 2022

Official text: Llei 29/2021, del 28 d’octubre, qualificada de protecció de dades personals

What is Andorra’s LQPD?

The Andorra Qualified Personal Data Protection Law (LQPD), enacted on October 28, 2021, aligns Andorra’s data protection regulations with the EU’s General Data Protection Regulation (GDPR). Replacing the 2003 law, it entered into force on May 17, 2022, introducing new rights for Andorran residents (individuals) and obligations for public and private organizations. The law aims to enhance privacy standards and adapt to evolving digital challenges. 

The Andorran Data Protection Agency (APDA) oversees compliance with the law, including maintaining registrations, conducting inspections, investigating violations and issuing sanctions.

The LQPD replaces Andorra’s 2003 data protection law and harmonizes its domestic regulations with the European Union’s GDPR.

Who does Andorra LQPD apply to?

The Andorra LQPD applies to all entities, whether public or private, that process personal data of Andorran individuals and are based or established in the Principality of Andorra. They are known as data controllers (and processors). 

Additionally, it extends to entities outside the Principality if they process data within Andorra. In such cases, these external entities must appoint a representative in Andorra for compliance with the law. 

What is personal data in Andorra LQPD?

Personal data is any information about an identified or identifiable natural person (the data subject), whether expressed as numbers, letters, graphics, photographs, sounds or any other type of data. An identifiable person is one whose identity can be determined, directly or indirectly, through identifiers or through characteristics specific to their physical, mental, genetic, economic, cultural or social identity.

Excluded from this Law are:

  • Personal or domestic data unrelated to professional or commercial activities.
  • Personal data of deceased individuals, with considerations for certain circumstances.
  • Data processed by competent authorities for preventing, investigating, or prosecuting criminal offenses, ensuring public security, etc.

The law also defines Sensitive Personal Data as another category of personal data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs, or membership in trade unions. Data controllers are prohibited from processing this type of data. 

This prohibition also applies to genetic data, biometric data meant for unique identification, health-related information, and details about the sexual life or orientation of an individual.

What are the principles of Andorra LQPD?

The principles for processing personal data include:

Purposeful data processing

This principle underscores the importance of aligning data processing with a legitimate purpose. It requires a fair balance between the various interests at stake, whether public or private, and ensures that the rights and freedoms of data subjects are considered at every stage of processing.

Treatment of personal data

The law requires that personal data be treated in the following manner:

  • Lawful, fair, and transparent: This aspect focuses on processing personal data in a lawful, fair, and transparent manner, ensuring that data subjects are treated ethically and with integrity.
  • Limitation of purpose: Personal data should be collected for specific, explicit, and legitimate purposes. Any subsequent processing should align with these original purposes, with certain exceptions outlined in the law.
  • Data minimization: The principle of collecting only the data necessary for the intended purposes, avoiding excessive or irrelevant information to protect data subjects’ privacy.
  • Accuracy: Emphasizes the need for accurate and up-to-date personal data, with the responsibility of the data controller to promptly rectify or delete inaccurate information.
  • Limitation of storage period: Addresses the duration for which personal data should be retained, focusing on respecting privacy. Exceptions are allowed for archival, research, historical, or statistical purposes.
  • Integrity and confidentiality: Highlights the importance of ensuring the security of personal data, and protecting against unauthorized or unlawful processing, loss, destruction, or accidental damage.

Responsibility and proactive compliance

This principle emphasizes that the responsibility lies with the data controller to actively comply with and demonstrate adherence to data processing principles. Proactive measures are required to ensure ongoing compliance.

Processing for legal purposes

This principle addresses the specific circumstances under which personal data may be processed for purposes such as the prevention, investigation, detection or prosecution of criminal offences, and highlights that such processing must be authorized by law.

What are the legal basis requirements in Andorra LQPD?

The treatment of personal data is only lawful if at least one of the following conditions is met:

  • Consent: The data subject has willingly given consent for specific purposes.
  • Contractual obligation: Processing is essential for executing a contract with the data subject or for pre-contractual measures at their request.
  • Legal obligation: Processing is required to comply with a legal obligation applicable to the data controller.
  • Vital interest: Processing is necessary to safeguard the vital interests of the data subject or another person.
  • Public interest or powers: Processing is essential for a task carried out in the public interest or the exercise of public powers.
  • Legitimate interests: Processing is necessary for legitimate interests pursued by the data controller or a third party, provided these interests do not override the fundamental rights and freedoms of the data subject, especially if the data subject is a minor. (Note: This provision does not apply to processing by public authorities in the exercise of their functions.)

Consent requirements in Andorra LQPD

The conditions to determine the validity of user consent are similar to those of GDPR consent:

  • Demonstration: If data processing relies on the data subject’s consent, the responsible party must be able to demonstrate that the data subject has given their consent.
  • Specific: When obtaining consent through a written statement covering various topics, the request must be presented distinctly from other matters. It should be clear, understandable, and easily accessible, using plain language. Any part of the statement violating this law is not binding.
  • Explicit: When consent is sought for processing for multiple purposes, it must be explicitly stated that consent is granted for all of them. Consent is presumed not to be freely given where separate consent cannot be given to different personal data processing operations.
  • Revocable: Data subjects have the right to withdraw their consent at any time. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. Data subjects must be informed of this before giving consent, and withdrawing consent must be as easy as giving it.
  • Freely given: Consideration should be given to whether the execution of a contract, including service provision, is conditional on consent to process personal data not necessary for the contract. Contract execution cannot depend on the data subject consenting to processing for purposes unrelated to the contractual relationship.
  • Informed: When consent is required for processing personal data, data subjects must express their will freely, clearly, and after being duly informed.


Consent condition for minors

For minors under 16, processing is only permitted if consent is given or authorized by their legal representative, with verification conducted by the data controller, taking into account available technology. 

What are data rights under Andorra LQPD?

The law extends several rights to data subjects that allow them to maintain control over their personal data.

Right to access

Data subjects have the right to obtain confirmation from the data controller on whether personal data about them is being processed.

If so, data subjects have the right to access that personal data including:

  • Purposes of processing
  • Categories of personal data processed
  • Recipients the data has been/will be disclosed to
  • Retention periods
  • Rights to rectification, erasure, restriction of processing, objection, and data portability
  • Right to lodge a complaint
  • Source of personal data not obtained directly
  • Details of any automated decisions made about the data subject

Data subjects have the right to obtain a copy of their personal data undergoing processing. Reasonable fees can be charged for additional copies.

Right to rectification

Data subjects have the right to have inaccurate personal data corrected without undue delay, including having incomplete data completed.

They should indicate which data is inaccurate and what corrections are required, providing supporting documentation if necessary.

Right to erasure

In certain circumstances, data subjects have the right to obtain the erasure of their data without undue delay, such as when:

  • The data is no longer necessary for the purposes for which it was collected
  • Consent has been withdrawn
  • An objection to processing has been upheld
  • The data has been processed unlawfully
  • There is a legal obligation to erase the data
  • The data was processed via information society services

Where the controller has made the data public, it may need to take measures to inform other controllers processing the data of the erasure request.

This right can be limited where processing is necessary for exercising freedom of expression, complying with legal obligations, public health, archiving, research or statistical purposes, or legal claims.

Safeguarding digital rights

Protection of personal data and privacy applies online for all data subjects regardless of nationality or residence. All data subjects have a right to internet neutrality and access.

Right to restriction of processing

Data subjects have the right to restrict the processing of personal data such as when:

  • The accuracy of the data is contested
  • Processing is unlawful and the data subject objects to erasure
  • The controller no longer needs the data, but the data subject requires it for legal claims
  • An objection to processing is pending

Restricted data can only be processed further in certain circumstances.

Right to data portability

For data processing based on consent or contract and done via automated means, data subjects have the right to receive a copy of personal data provided to a controller in a commonly used and machine-readable format.

This data can be transmitted to another controller without hindrance.

Right to object

Data subjects can object, on grounds relating to their particular situation, to the processing of personal data about them when the data was obtained indirectly. The controller must then stop processing unless it demonstrates legitimate grounds that override the rights of the data subject, or the processing is needed for legal claims.

For direct marketing purposes, data subjects have the absolute right to object to the processing of personal data about them including profiling.

Automated data subject decisions and profiling

Data subjects have a right not to be subjected to legally binding automated decisions evaluating aspects like personality or creating profiles.

Exceptions exist where the decision is necessary for the execution of a contract, is authorized by law, or is based on the data subject's explicit consent. Under these exceptions, suitable safeguards must be put in place to protect the data subject's rights and legitimate interests.

Minors cannot be subject to these kinds of automated decisions that legally affect them.

Obligations of data controllers in Andorra LQPD

The Andorra LQPD establishes several obligations for data controllers that process personal data.

Data protection by design and by default

Controllers must implement appropriate technical and organizational measures to effectively apply data protection principles and integrate necessary safeguards.

Controllers must implement measures to ensure that, by default, only personal data necessary for each specific purpose is processed – in terms of data collected, the scope of processing, retention periods, and accessibility.

These measures must ensure personal data is not accessible to an indefinite number of persons by default without the data subject’s involvement.

Data Protection Impact Assessment (DPIA) 

Controllers must conduct an assessment evaluating the risks to data subjects' rights and freedoms before any high-risk data processing, especially when using new technologies. Specific high-risk situations requiring an assessment include:

  • Large-scale profiling
  • Processing sensitive data categories
  • Systematic monitoring of publicly accessible areas

The assessment systematically describes the envisaged processing operations and their necessity and proportionality. It identifies risks and measures to address them, including safeguards, security mechanisms, and demonstrations of compliance.

Record of processing activities

Public administrations and private organizations processing personal data must maintain a record of processing activities under their responsibility.

The record must include:

  • Controller contact details
  • Purposes of data processing
  • Data subject and data categories
  • Categories of recipients
  • Data transfers
  • Retention periods of data
  • Security description

Processors must record categories of processing carried out on behalf of each controller. Records must be in writing, updates communicated to the DPO and provided to the Data Protection Agency upon request.

Security and confidentiality

Controllers and processors must implement appropriate security measures based on risks, such as encryption, resilience, backup systems, and regular testing.

Particular attention must be paid to risks from alteration, loss, unauthorized access, or transfer of personal data.

Data Protection Officer appointment

Public administration bodies and private companies meeting certain criteria must designate a data protection officer. The officer's general functions include:

  • Informing and advising the organization on compliance obligations
  • Monitoring data protection policies and staff training
  • Advising on impact assessments
  • Cooperating with the data protection authority 
  • Serving as the authority’s contact point

When performing these duties, the officer considers the nature, scope, context, and purposes of the organization’s data processing.

Breach notification

Notification to APDA

Data controllers must notify the APDA of a personal data breach without undue delay, ideally within 72 hours of becoming aware of it. Notification can be delayed beyond 72 hours if reasons are provided for the delay.

Notification must describe:

  • Nature of the breach
  • Categories and number of data subjects affected
  • Categories and number of records affected
  • Name and contact details of DPO or other contact
  • Likely consequences of the breach
  • Measures taken or proposed

This information can be provided in phases if not available all at once.

Controllers must document details of breaches to demonstrate compliance with notification rules.

Notification to data subjects

Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, controllers must communicate it to affected data subjects without delay.

This communication should be in clear language describing the nature of the breach and covering details about its effects and remediation measures.

Communication to data subjects is not required if appropriate protection measures, such as encryption, render the data unintelligible, if the risk has been mitigated, or if individual communication would involve disproportionate effort, in which case a public communication can suffice.

If the controller has not communicated a breach posing a high risk to impacted data subjects, APDA can require them to notify or decide that lack of notification meets exceptions like mitigation or disproportionate effort.

Cross-border data transfer

The law establishes that personal data cannot be transferred internationally if the recipient country or organization does not provide an adequate level of data protection equivalent to that under Andorran law.

The LQPD considers EU member states, countries recognized by an EU adequacy decision, and parties to the Council of Europe Convention 108+ as providing adequate protection for international transfers.

In the absence of an adequacy decision, transfers may still occur if appropriate safeguards and enforceable data subject rights are in place. Appropriate safeguards can be provided through:

  • Legally binding public authority instruments
  • Binding corporate rules
  • Standard contractual clauses
  • Certification mechanisms
  • Contractual clauses between the data exporter and recipient

Transfers are allowed in specific situations without an adequacy decision or appropriate safeguards, such as:

  • Explicit consent of the data subject
  • Necessary for contract performance
  • Necessary for public interest reasons
  • Necessary to protect vital interests

What are the fines and penalties under Andorra LQPD?

The monetary fines for violating the law increase based on the severity of the violation, with very serious violations receiving the highest fines up to €100,000 and minor violations receiving the lowest fines (up to €15,000).

APDA is empowered to issue warnings and levy financial fines on private organizations for non-compliance with data protection regulations.

  • Very serious infringements are subject to fines between €30,001 and €100,000.
  • Serious infringements are subject to fines between €15,001 and €30,000.
  • Minor infringements are subject to fines between €500 and €15,000.

Data subjects can claim compensation within 1 year for damages resulting from violations. Controllers and processors are not exempt from civil liability, and affected parties can take legal action to enforce their right to compensation.

Andorra LQPD compliance checklist

  • Verify all data processing activities have a lawful basis
  • Maintain a transparent and accessible privacy policy addressing data processing practices
  • Obtain valid consent for collecting and using personal data
  • Maintain records of processing activities, covering key details
  • Conduct Data Protection Impact Assessments for high-risk processing
  • Implement appropriate security measures, emphasizing data protection
  • Designate a Data Protection Officer if the criteria are met
  • Establish a swift breach response plan, including timely notification to APDA and affected data subjects
  • Ensure international data transfers meet the required criteria

FAQ on Andorra LQPD

Does GDPR apply to Andorra?

Yes, GDPR may apply to Andorra. Despite not being a European Union member state, Andorra is not exempt from GDPR. The extraterritorial scope of the GDPR extends its authority over data processing activities related to the EU, regardless of whether an organization is physically located in the EU. Specifically, if an Andorran business offers goods or services to individuals in the EU, it must comply with GDPR rules when handling their personal data.

What is the Qualified Personal Data Protection Law?

The Andorra Qualified Personal Data Protection Law (LQPD) is the country’s comprehensive data privacy legislation that aligns with the EU’s GDPR. Enacted in 2021, the LQPD updates and replaces Andorra’s 2003 data protection law to better address modern privacy concerns related to technological advancement and data collection practices.

Key objectives include strengthening resident rights over personal data use and setting aligned requirements for organizations processing Andorrans’ information. This includes transparency, lawful justification for processing, processing principles, international transfer regulations, and oversight mechanisms for enforcement.

What is the Andorra adequacy decision?

The Andorra adequacy decision is an official determination by the European Commission that Andorra meets EU standards of personal data protection. This allows personal data to be transferred from the EU to Andorra with no additional controls or safeguards necessary.