Data & Privacy - Andorra

Law 29/2021 (LQPD), adopted 28 October 2021 and in force from 17 May 2022, mirrors GDPR principles including lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. It was subsequently amended by Law 12/2024 of 15 July 2024.

Decree 391/2022 of 28 September 2022 provides the detailed regulatory framework for applying Law 29/2021, covering obligations for controllers and processors, records of processing activities, and data breach notification procedures.

The Agència Andorrana de Protecció de Dades (APDA), established since 2005 and reconstituted under Decree 368/2022, is the independent supervisory authority. It registers Data Protection Officers (DPOs), handles complaints, conducts inspections, and issues sanctions. Its jurisdiction extends to controllers not domiciled in Andorra that use processing means located in the Principality.

The European Commission granted Andorra an adequacy decision in October 2010 (Decision 2010/625/EU), permitting free personal data flows from the EU/EEA to Andorra without supplementary safeguards. A January 2024 Commission staff working document reconfirmed that adequacy remains warranted.

Andorra is a party to the Council of Europe's modernised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+), which forms an additional international foundation for its data protection framework.

The LQPD provides for administrative financial sanctions. Serious infringements can attract fines in the range of EUR 30,001 to EUR 100,000. The APDA actively monitors compliance, including conducting audits of political parties and other entities.