
Andorra and the GDPR

Andorra has been trending in recent weeks in the busy digital world. Famous YouTubers have decided to relocate their activity there because of the obvious tax benefits offered by this small country in the Pyrenees. Beyond these media cases, and given the boom that all online businesses are experiencing due to the restrictions of the pandemic, it seems logical that many companies whose exclusive medium is the Internet might consider the same move: if, in the end, you are selling online, what prevents you from having your company’s registered office somewhere with a more favourable tax system? That, however, is not the subject of this post. The subject is what happens with GDPR compliance in this type of case, bearing in mind that Andorra is not a Community country and that the GDPR is an EU regulation. If I do something like this, do I have to comply with the GDPR?

The legal situation in Andorra

As indicated, Andorra does not belong to the EU, but this does not mean that its legislation is not heavily influenced by Community laws:

  • In 2003 it passed Qualified Act 15/2003, of November 18, on the protection of personal data, which was heavily inspired by the now-repealed LOPD of 1999.
  • In 2010 the European Union resolved that Andorra has an adequate level of data protection comparable to that of the EU. Therefore, if a Spanish company selects an Andorran provider with access to personal data (for example hosting), it can act as if it were a Community provider.
  • Although it is not a member of the EU, Andorra is a member of the European Council and, as such, is a signatory state to the 108th Convention on Data Protection. This 1981 Agreement is the source of many of the current laws, and was ratified by Andorra in 2007. However, among the exceptions to application of the Agreement, the “data concerning individuals and related to their business, professional and commercial activity” are expressly included. Strange, isn’t it?
  • Lastly, Andorra has had its own Data Protection Agency (APDA), in operation since 2004, with powers similar to those of the AEPD. In 2019, it processed 13 administrative sanctioning procedures.

If I start a business in Andorra, must I comply with the GDPR?

So let’s get to it. We will try to answer this question with practical cases, some more theoretical than others, in an attempt to be as comprehensible as possible:

The GDPR applies if …

… I have a business in Andorra and I only collect Andorran data?

No. The GDPR does not apply to non-EU businesses that do not market their products or services in the EU.

… I have an online business domiciled in the EU and I only sell to Andorrans?

Yes. EU-based companies are obliged to comply with the GDPR; the fact that, in this hypothetical case, the business processes only Andorran data does not exempt it from applying the GDPR. The regulation makes it clear that it applies regardless of the “nationality or residence” of the data subject.

… I have an online business domiciled in Andorra and I sell to EU citizens?

Yes. The GDPR expressly includes within its territorial scope of application, in Art. 3.2.b), non-EU companies that offer goods or products to EU consumers and, get this, even if those products or services are not paid for.

Therefore, if you sell products or market services to EU citizens, you must comply with the GDPR, which is also the case if you have an online business through which their data is collected (without selling them anything).

In conclusion, setting up an online business in Andorra does not exempt you from complying with the GDPR if the customer or user is still a Community citizen, so be careful with this before jumping to the other side of the wall…

If you have any doubts about this or any other issue, please contact us!
