The Qualified Law on the Protection of Personal Data aims to guarantee a sufficient and reasonable degree of protection of the fundamental rights of natural persons and of their privacy. It applies to the processing of personal data recorded on a physical medium (automated or manual file), both by private companies and by the Public Administration, and to the subsequent use of that data.
The law requires:
A – Respect certain requirements in the processing of personal data by employers:
- Purpose. The storage and processing of personal data must respond to a specific objective and need (for example, sending commercial information) that is made known to the individual at the time their data is requested (right to information) and for which their consent is requested.
- Person responsible for the processing. Each personal data file must have a manager whose identity must be communicated to the interested party at the time of data collection.
- Processed data. The processed data must be real and up to date, and will be kept for a maximum period sufficient for the purpose for which it was requested.
- Security measures. The person in charge of the file must establish the appropriate technical and organizational measures to prevent loss, deterioration and unauthorized third party access to this data (confidentiality).
- Transfer of data. The assignment or communication of data to a person in charge other than the one to whom the interested party originally provided their data, so that this new recipient can use them for their own purposes, requires the consent of the owner of the personal data. In the case of sensitive data, it must be an express consent.
- Sensitive data. These are personal data relating to health, ideology, beliefs, ethnic origin, etc., which require special protection and express consent from the interested party to process them. Exceptions: when the processing is carried out by health professionals.
- Rights of interested parties. The owners of the personal data have the right to access their data incorporated in the files (right of access), to have them corrected if they are wrong or if they have changed (right of rectification) and to unsubscribe if they do not wish to remain in the file (right of cancellation), by requesting it from the person responsible for the file. The exercise of these rights is free.
B – Apply to the Data Protection Agency for the registration, in the Public Registry of Personal Data Files, of the structure of the file to be created, the purpose of the file and the data of the data controller. The destruction of this same file must also be communicated to the Agency.
The Andorran Data Protection Agency, an objective and independent body of public administrations, although it has the power to inspect and sanction for non-compliance with the law, will have as a priority task, especially initially, to provide information on rights and duties to citizens and employers, trying to find the balance between the needs of companies and the privacy of people, and will only open disciplinary proceedings when serious breaches of the Law and abuses are detected.
A regulation governing the security measures to be adopted by those responsible for the files has not yet been drawn up, although one is planned. However, the intent of the Law is to avoid excessive burdens on employers, and it is preferable for each company to decide which measures (technical, organizational) it will establish to protect its files. The intention of the Law is that each company, in accordance with its own needs, prepares its own security document and defines its security policy, based on the guidelines of the Law, on the regulations that are approved on security measures and on international standards (ISO 17799).
Andorran Data Protection Agency. Telephone (+376) 808 115
- Informative guide on the figure of the Data Protection Delegate (DPD) (pdf)
- Webinar presentation “Do you know if you have to appoint a DPD?” (pdf)