data protection management andorra

Andorra has a new Data Protection Law that affects all companies of the country

As of the next 17 May 2022, the new Data Protection Law will come into effect (Law 29/2021 of 28 October on the protection of personal data). This law will provide a new legislative framework that will affect entities, companies, associations, foundations, federations, schools, freelance professionals, medical centres, accountants, auditors, etc. All companies in the country registered in the Principality of Andorra, or constituted in accordance with Andorran laws, whether public or private, small or large, will be expected to adapt and comply with the new Law.

Its scope of application will be relevant to all business sectors with a connection to a professional or commercial activity, as well as the management of the personal data of suppliers, customers or employees.

In order to adapt to the new regulations, entities must apply a series of measures, both in the technical and organizational fields, which must be implemented at the appropriate time and in accordance with the new Law and the future Regulation. Application of the appropriate technical and organizational measures must be guaranteed and compliance with the Law and its regulations should be demonstrable.

Basic implementation measures of the Personal Data Protection Law

The basic measures to be implemented are:

  • Registration in the Data Processing Register (50 or more employees)
  • Drafting of legal informative clauses and consent
  • Drafting of contracts for data processing and data transfer management
  • Implementation of technical and organizational measures regarding data processing
  • Designation of the officials responsible for data protection
  • Adapting website for compliance
  • Drafting of forms for employees
  • Drafting of an instructions and recommendations manual for employees with access to personal data; codes of conduct
  • DPO - designation of a Data Protection Officer at the Andorran Data Protection Agency (APDA) if necessary
  • Video surveillance: drafting of documents and information signs
  • Drafting and forms for the exercise of rights
  • Notification of security breaches
  • AIPD – Impact Assessment of Data Protection (to be defined in the Regulation)
  • International data movements


The starting point: The data protection compliance audit

In order to implement the new standard, companies must carry out a Data Protection Audit that will define the actions to address, according to the type of data processed, the sector or business activity, the volume of data, the number of employees, etc.

Scope of the Law

It is important to highlight that it is a proactive Law, that is, for any data processing, it will be necessary to obtain the express consent of the affected or interested party. For this reason, consent must be demonstrable with the duly signed forms.


Companies that do not comply with this legislation can face important sanctions that can range from €500 to €100,000.

Your trusted agency

At IS21, our professionals specialized in this area offer a global response and help our clients implement the necessary measures to comply with the new legislation.