Data & Privacy · Andorra
Data protection & privacy laws in Andorra (2026)
Andorra shaded by its data & privacy status
Andorra enacted a comprehensive, GDPR-aligned personal data protection law (Law 29/2021, LQPD) in October 2021, which entered into force on 17 May 2022 and replaced the 2003 predecessor law. The law is enforced by the independent APDA (established 2005) and is underpinned by an EU adequacy decision dating from 2010, reconfirmed in a January 2024 European Commission review. Andorra has also ratified the modernised Council of Europe Convention 108+.
Key points
Law 29/2021 (LQPD), adopted 28 October 2021 and in force from 17 May 2022, mirrors GDPR principles including lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. It was subsequently amended by Law 12/2024 of 15 July 2024.
Decree 391/2022 of 28 September 2022 provides the detailed regulatory framework for applying Law 29/2021, covering obligations for controllers and processors, records of processing activities, and data breach notification procedures.
The Agència Andorrana de Protecció de Dades (APDA), established since 2005 and reconstituted under Decree 368/2022, is the independent supervisory authority. It registers Data Protection Officers (DPOs), handles complaints, conducts inspections, and issues sanctions. Its jurisdiction extends to controllers not domiciled in Andorra that use processing means located in the Principality.
The European Commission granted Andorra an adequacy decision in October 2010 (Decision 2010/625/EU), permitting free personal data flows from the EU/EEA to Andorra without supplementary safeguards. A January 2024 Commission staff working document reconfirmed that adequacy remains warranted.
Andorra is a party to the Council of Europe's modernised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+), which forms an additional international foundation for its data protection framework.
The LQPD provides for administrative financial sanctions. Serious infringements can attract fines in the range of EUR 30,001 to EUR 100,000. The APDA actively monitors compliance, including conducting audits of political parties and other entities.
Timeline - major decisions & events
The Andorran Data Protection Agency (APDA) issued updated guidelines on the use of cookies, requiring freely given, specific, informed and unambiguous prior consent for non-essential cookies and mandating easy withdrawal mechanisms. This brought Andorra's cookie-consent standards into close alignment with EU practice.
APDA – Agència Andorrana de Protecció de Dades ↗The APDA reprimanded the Government of Andorra for failing to respect the transparency principle in an administrative action — the first time the supervisory authority issued a formal enforcement resolution against a public-sector body, signalling an active new phase of oversight.
DataGuidance (citing APDA resolution) ↗The Government of Andorra approved Decree 391/2022 on 28 September 2022, publishing it in the Official Bulletin (BOPA) on 5 October 2022; it entered into force the following day. The regulation specifies concrete procedures for data controllers, consent records, breach notifications, and the APDA's internal governance.
APDA / BOPA – Butlletí Oficial del Principat d'Andorra ↗Law 29/2021, enacted on 28 October 2021 and published in the BOPA on 17 November 2021, took effect six months later, replacing the 2003 law and establishing a GDPR-aligned regime with mandatory data protection officers, data breach notification, privacy-by-design requirements, and a maximum fine of €100,000.
Portal Jurídic d'Andorra (official legal gazette) ↗Andorra's parliament enacted the Llei qualificada de protecció de dades personals (LQPD), a comprehensive overhaul aligning domestic law with EU GDPR principles, including new rights for data subjects (access, rectification, erasure, portability), and formally establishing the APDA as a fully independent supervisory authority.
Consell General – Principat d'Andorra (Parliament) ↗The EU's Article 29 Working Party (WP166) concluded that Andorra's data protection regime, anchored in Qualified Law 15/2003, ensures an adequate level of protection within the meaning of Article 25(6) of Directive 95/46/EC, paving the way for the 2010 Commission adequacy decision.
Article 29 Data Protection Working Party / European Commission ↗The Consell General passed Andorra's founding data protection statute, establishing individual rights over personal data, requiring lawful bases for processing, and creating the Andorran Data Protection Agency (APDA) as the independent supervisory authority. This law formed the basis for Andorra's subsequent EU adequacy recognition.
APDA – official English text of Qualified Act 15/2003 ↗Andorra - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →