Changes at the Andorran Data Protection Agency and review of its activity

The Andorran Data Protection Agency (APDA) has entered a new phase with a change in its leadership and with increasingly visible activity in inspecting and monitoring compliance with data protection regulations in the Principality. In recent months, the Agency has published several resolutions and reports that demonstrate growing oversight, both in the public and private sectors.

Below, we review some of the most relevant cases:

Improper transfer of data between two psychology centers
The APDA sanctioned a psychology center for sharing patient data with another center without complying with legal consent and information requirements. The resolution highlighted the need to ensure confidentiality in the health sector, especially when dealing with sensitive data such as psychological well-being information.

A digital media outlet without a Privacy Policy
An online media outlet was sanctioned for not having an accessible and adequate Privacy Policy on its website. The Agency reminded that any entity collecting personal data —such as emails or browsing information— must clearly inform users about how their data is used and about their rights.

Inadequate identification in eSIM management
A telecommunications company was warned for failing to implement sufficient measures to verify the identity of eSIM holders. The APDA considered that this deficiency could facilitate unauthorized access to services or identity theft, recommending the adoption of more secure protocols for client verification.

Privacy policies in political parties
According to an official action by the Agency, only one Andorran political party had a complete and compliant Privacy Policy before APDA’s intervention. The Agency urged other parties to adapt their practices, especially regarding the processing of data of supporters and members.

Government’s failure to comply with the transparency principle
The Government of Andorra was subject to a resolution for failing to respect the transparency principle in one of its administrative actions. The APDA reminded that public administrations are also required to ensure that citizens are clearly informed about the processing of their personal data.

Excessive data collection by a real estate agency
A real estate agency was warned for requesting excessive personal information —such as financial or employment data— even before allowing visits to a rental property. The Agency considered that this practice violated the data minimization principle, which requires collecting only the data strictly necessary for the specific purpose.

A balance without financial penalties, but with clear warnings
Although, so far, the APDA’s resolutions have resulted in warnings rather than financial penalties, their activity demonstrates a clear commitment to advancing a culture of data protection in the country. The Agency continues to work on strengthening regulatory compliance and raising awareness among both companies and institutions about the importance of respecting individuals’ privacy.

Author: Victor Roselló, Lawyer.

If you need help writing Data Protection regulations in Andorra, contact us!

Information on data protection

Company name
LEGAL IT GLOBAL 2017, SLP
Purpose
Providing the service.
Sending the newsletter.
Legal basis
Compliance with the service provision.
Consent.
Recipients
Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.
Rights
You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.
Further information
See the Privacy Policy.