Law: Law 29/2021, of 28 October, of Personal Data Protection (only available in Catalan here) (the Law)

Regulator: Andorran data protection authority (APDA)

Summary: Law 29/2021, of October 28, of Personal Data Protection (only available in Catalan here) (the Law) was published in the Official Bulletin of the Principality of Andorra on November 17, 2021 and entered into force on May 17, 2022. The Law outlines a number of data protection principles, obligations, and data subject rights akin to those found within the GDPR, and empowers the Andorran data protection authority (APDA) to adopt corrective measures and administrative fines, ranging from €500 to €100,000. The APDA issued its first enforcement action, a reprimand, in June 2023.

Moreover, Decree 391/2022, Approving the Regulations for the Application of Law was published by the Government of Andorra in October 2022 (only available in Catalan here) (the Regulations) and integrate all the necessary regulatory provisions under the Law, clarifying and adapting their application in practice. Before that, in September 2022, the Government also issued Decree 368/2022, Approving the Regulations of the APDA (only available in Catalan here) (the APDA Regulations), further detailing the powers and functions of the APDA.

In addition, Andorra ratified, in September 2008, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (the Convention 108) as well as the Amending Protocol (the Convention 108+), in October 2022.

Furthermore, in 2010 Andorra was recognized by the EU as providing adequate protection, which enables the free flow of data between Andorra and EU Member States.