Qualified Personal Data Protection Law (LQPD) Andorra

    Overview

    The Qualified Personal Data Protection Law (Llei 29/2021, LQPD), enacted on October 28, 2021, modernizes Andorra’s approach to personal data protection, aligning it with the European Union’s GDPR framework. This law establishes safeguards for the personal data of individuals, regardless of their nationality or residence, and ensures the fundamental right to privacy. It applies to data processing activities conducted by both private entities and public authorities, emphasizing transparency, data minimization, and lawful processing.

     

    Regulation Summary

    Timeline
    • November 17, 2021 – enacted.
    • May 17, 2022 – enforced
    What Businesses Are Affected
    • All public and private entities that process personal data within Andorra.
    • Businesses operating outside Andorra that process personal data of Andorran residents.
    • Government institutions and organizations handling personal data.
    Exemptions
    • Personal or household use of data.
    • Processing carried out for journalistic or artistic purposes.
    • National security, defense, and public safety activities.
    • Law enforcement activities carried out by public authorities.
    Responsibilities for Businesses
    • Obtain a lawful basis for processing, such as consent, legal obligation, or contractual necessity.
    • Ensure transparency by informing individuals about data collection purposes, retention, and rights.
    • Implement security measures to prevent data breaches and unauthorized access.
    • Appoint a Data Protection Officer (DPO) for organizations conducting high-risk processing.
    • Notify the data protection authority of data breaches within 72 hours of detection.
    Specific Responsibilities for Website Owners
    • Provide clear privacy policies on data collection and use.
    • Implement cookie consent mechanisms before tracking users.
    • Ensure user rights are accessible via an online portal.
    • Secure online forms handling personal data.
    Additional Requirements
    • Cross-border data transfers must comply with adequacy standards, contractual safeguards, or explicit consent.
    • Conduct impact assessments before engaging in high-risk data processing.
    • Stronger protections for sensitive data, such as biometric and financial information.
    Data Subject Rights
    • Right to Access: Individuals can request a copy of their data.
    • Right to Rectification: Users can correct inaccurate information.
    • Right to Erasure: Individuals may request data deletion in specific circumstances.
    • Right to Object: Users can restrict or object to certain processing activities.
    • Right to Portability: Allows transfer of data to another provider.
    Enforcement
    • Regulatory Authority: Andorran Data Protection Agency (APDA).
    • Penalties: Non-compliance can result in significant fines.
    • Fines: Depending on the severity, penalties may reach up to EUR 100,000.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596