Data Protection Officer in Andorra
The General Data Protection Regulation or Regulation 2016/679, is the regulation governing the processing of personal data in the European Union.
Following this regulation, the Andorran Personal Data Protection Agency (APDA) and the Government of Andorra legislated to create the qualified law 29 2021 on personal data protection.
This Andorran regulation (law 29 2021) has subjected many companies in the Principality to have the figure of the data protection delegate dpd.
Data Protection Law in Andorra: New developments and key changes in the law
Although Andorra is not a country that is part of the European Union, it does follow the European directives on data protection.
The Principality of Andorra thus seeks to maintain a level of protection of the personal data of all data subjects.
Therefore, Andorra is considered an approved country in terms of personal data protection regulations by the European Union. That is why the international transfer with the Principality of Andorra can be carried out without the need for prior Impact Assessments.
Who must comply with the Andorran data protection law?
Law 29 2021 establishes that both public and private entities that process personal data of data subjects are subject to the regulations in question.
What is considered personal data?
Personal data are all those data that serve to identify a person, such as a photograph, a name, a cass number, an IBAN number, etc.
What are the functions of the Data Protection Officer (DPO)?
Data protection officers are responsible for ensuring the data protection culture of the organization.
In addition, the data protection officer in Andorra acts as a connecting link between the company and the Andorran Data Protection Agency.
The DPD can be a person completely external to the company or an employee of the same company. However, if he/she is an employee, he/she must demonstrate training in the matter, must not have any conflict of interest (for example, he/she cannot be a company director or area manager) and must be totally independent.
Obligation to appoint a DPO
Some companies must appoint data protection representatives for Andorra (DPD). The Andorran data protection law has established this obligation for those entities in Andorra that process personal data on a large scale or special categories of data.
Register of Processing Activities (RAT)
In 2003 companies were required to register data files with the Andorran Data Protection Authority. However, this has changed with the new regulation, what is required by the new law is that companies keep a record of the processing activities (RAT) they carry out in order to minimize the risks of the data controller and thus favor the rights of the data subjects.
How should the entity favor the fulfillment of the DPD’s functions?
The Data Protection Law establishes that the DPD must have the favor of the Data Controller in order to be able to perform his functions.
The Controller must inform and provide all the necessary documentation requested by the DPD for the performance of his duties.
Consent between the natural person and the company
Consent is one of the bases of legitimacy when it comes to the processing of personal data by data controllers.
However, consent is not the best basis of legitimacy that could be obtained for processing data, since in the event that the data subject revokes his consent, the data controller will no longer have any other legitimizing basis to continue processing the data, and must therefore cease its activity.
The new rights of individuals
The 2003 legislation was updated to provide additional protection for individuals to keep their personal data protected.
All data processing companies have a duty to ensure maximum privacy and security.
It is important for Andorran companies to be very clear on the application of this issue, as well as on all obligations for those who process personal information.
Obligation to report security breaches
The new qualified law on the protection of personal data in Andorra provides that the controller must report the security breach to the Andorran Data Protection Agency within a reasonable period of time.
This period of time is normal, but weekends and vacations also count. Therefore, the processing must take place quickly.
Which companies must appoint a Data Protection Officer?
Generally, it will be necessary for all public companies to appoint a data protection officer in Andorra.
As for private companies, it will depend on the volume of data they process and the category of the data.
Contact us if you have any doubts about whether your company, because of the clients you have or the type of personal data you process, should appoint a Data Protection Officer or not.
Obligation to carry out an impact assessment
In some cases where there is no certainty of being able to comply with the regulations in force concerning the processing of personal data, an impact assessment must be carried out under the responsibility of the data controller.
It is important to carry out the impact assessment in order to avoid incurring penalties, as this is one of the most important obligations established by the law and the Andorran body in question.
Expansion of stakeholder rights
This legislation also modifies the rights of the people affected by this issue. Previously, the legislation included the right of access to information and rectification, the right to suppression and the right to oppose. However, Law 29/20211 establishes: the right not to have automatic individual decisions or profiles.
The obligation to register personal data files with the APDA is eliminated.
The laws prohibit the public disclosure of public documents.
However, one of the obligations established in an article of the previous law regarding the need to register personal data files with the Andorran Data Protection Agency, is eliminated with the new law.
