Skip to main content
Impact assessments for Andorra

Impact assessments for Andorra

Data protection impact assessments are a measure to guarantee the data protection rights of data subjects. In the case of impact assessments for Andorra, they are generally provided for in two specific regulations:

  • Law 29/2021 of 28 October 2021, classified as the protection of personal data (art. 32) “LQPD”.
  • Decree 391/2022 of 28 September 2022 (Regulation for the application of Law 29/2021 of 28 October, classified as the protection of personal data, Art. 17); due from 5 April 2023, “LQPD Regulation”.

Nowadays, and as a result of the application of the previous regulations, sectoral rules are also being approved and emerging that foresee the performing of impact assessments for the processing of particular personal data (for example: Art. 26.7 of Law 41/2022 of 1 December on protection measures, market stimulation, and governance in the housing sector).

In this case, an impact assessment is required for the communication of data between public authorities related with “types and uses (of housing), along with the identification of owners, as well as data on supply consumption and “Employment status”.

When impact assessments for Andorra are needed and who should do it?

First of all, it must be established that the person to carry out an impact assessment is always the controller who, in short, decides to carry out certain data processing. In this sense, processors may be required to provide information on an impact assessment made by a controller who, as said, is who must lead it.

The LQPD establishes the assumptions of general data processing that will require the completion of an impact assessment:

a) Systematic and comprehensive evaluation of personal aspects of natural persons based on automated processing, such as profiling, on the basis of which decisions are taken that produce legal effects for natural persons or that significantly affect them in a similar way

b) Large-scale processing of the special categories of data referred to in Article 9, or of personal data relating to convictions and criminal offenses referred to in Article 10.

c) Large-scale systematic observation of a public access area”.

In addition to the cases in which it is necessary, the current regulations, both the LQPD and the LQPD Regulation, provide additional information while carrying out an impact assessment correctly:

  1. It must be completed prior to data processing.
  2. Processing is considered high risk when two of the following situations occur simultaneously:
Automated decision-making with significant legal effects for natural persons.
The systematic observation of data subjects.
Sensitive data (health, religion, sex life, etc.)
Large-scale data processing.
The association or combination of data sets.
Data of vulnerable people: minors, employees or the most vulnerable groups of thepopulation that need special protection.
The innovative use or application of new technological solutions.
Processing prevents data subjects from exercising a right, using a service or executing a contract.
Processing of economic and financial data by banks or financial institutions.

c) Art. 17.5 of the LQPD also establishes the criteria for defining whether data processing can be considered “large scale”:

The number of people affected, either in absolute terms or as a proportion of a given population.
The volume and variety of data processed, considering that if more than 5,000 are affected, we are dealing with large-scale data processing.
The duration of the processing.
The geographical extent of the processing.

Finally, as additional advice or recommendations:

  • The organisation’s Data Protection Officer must be involved in any impact assessment, to the extent that they can decide to start one and must justify, where applicable, why processing does not require an impact assessment.
  • If, after performing the impact assessment, a large risk is detected and the controller does not take measures to mitigate it, a query must be raised with the Andorran Data Protection Agency.
  • The impact assessment is not a one-time task, instead plans must be made for its updating when necessary.
  • Do not confuse impact assessment with risk analysis: the latter is an obligation for any data processing, whether or not it involves a high risk for those affected.

If you have any questions about this or any other topic, don’t hesitate to contact us!

    Information on data protection

    Company name
    Providing the service.
    Sending the newsletter.
    Legal basis
    Compliance with the service provision.
    Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.

    You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.

    Further information
    See the Privacy Policy.