top of page

ANDORRA - Data Protection and GDPR Review

Early Initiatives

Andorra, a small principality nestled between France and Spain, began taking steps to formulate data protection laws in the late 1990s and early 2000s, recognizing the growing importance of privacy rights in the era of digitization.

Qualified Law 15/2003

In 2003, Andorra introduced its first comprehensive law related to data protection, known as Qualified Law 15/2003 of 18 December on personal data protection ("Llei qualificada de protecció de dades personals"). This law was a significant step towards the establishment of a formal legal framework for data protection in Andorra and was modeled on the EU's 1995 Data Protection Directive.

The law established the principles of data processing, defined the rights of data subjects, set out the obligations of data controllers and processors, and introduced penalties for non-compliance. It also created the Andorran Data Protection Agency ("Agència Andorrana de Protecció de Dades" or APDA), an independent body responsible for enforcing the law and protecting citizens' privacy rights.

Recognition of Adequacy by the EU

In 2010, the European Commission recognized Andorra as providing an adequate level of protection for personal data transferred from the European Union. This recognition was an important milestone for Andorra, allowing personal data to flow freely from the EU to Andorra without the need for any additional safeguards.

Adapting to the GDPR

Despite not being a member of the EU, Andorra made efforts to align its data protection law with the GDPR. This is in line with the country's overall approach to harmonizing its legislation with European standards.

The Qualified Law 15/2003 has been updated to adopt many of the key principles of the GDPR, including lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. It has also reinforced the rights of data subjects, including the rights to access, rectification, erasure, restriction of processing, data portability, and the right to object.

Andorra has shown a strong commitment to data protection over the years, as demonstrated by its robust legislative framework and its efforts to align with the GDPR. The principality's history of data protection, though relatively brief compared to some countries, is marked by significant progress and a clear recognition of the importance of protecting individuals' privacy rights in the digital age.

The Andorran Legal Framework for Data Protection

The main legislation relating to data protection in Andorra is the Qualified Law 15/2003 of 18 December on personal data protection, known as "Llei qualificada de protecció de dades personals." The Andorran Data Protection Agency ("Agència Andorrana de Protecció de Dades" or APDA) is responsible for enforcing this law.

The law has been adapted over time to meet the requirements of the GDPR, recognizing the importance of data protection and the free flow of information within the European Economic Area (EEA).

Key GDPR Concepts and Their Application in Andorra

  1. Lawfulness, Fairness, and Transparency: Personal data should be processed lawfully, fairly, and transparently. In Andorra, businesses and organizations are expected to uphold these principles when handling personal data.

  2. Purpose Limitation: Personal data can only be collected for specified, explicit, and legitimate purposes. The APDA mandates that organizations clearly define why they are collecting data.

  3. Data Minimization: Data collected should be relevant, limited, and necessary for the intended purpose. In Andorra, the principle of data minimization is enforced, and unnecessary data collection is discouraged.

  4. Accuracy: Personal data should be accurate and up-to-date. Organizations in Andorra are expected to take reasonable steps to ensure the data they hold is accurate, and incorrect data should be updated or removed.

  5. Storage Limitation: Personal data should be kept for no longer than necessary. In Andorra, businesses and organizations are expected to have data retention policies in place and to dispose of data responsibly when it is no longer required.

  6. Integrity and Confidentiality: Personal data should be processed securely. In Andorra, businesses are required to implement suitable security measures to protect personal data, including both technological and organizational measures.

Data Subject Rights in Andorra

Just like the GDPR, Andorra's data protection law grants individuals several rights regarding their personal data, including:

  • The right to access

  • The right to rectification

  • The right to erasure ('right to be forgotten')

  • The right to restrict processing

  • The right to data portability

  • The right to object

Data Transfers

Andorra has been recognized by the EU as providing an adequate level of data protection. Therefore, personal data can be transferred from the EU to Andorra without any further safeguard being necessary.

Penalties for Non-compliance

Non-compliance with Andorra's data protection laws can lead to substantial fines, issued by the APDA. The amount varies depending on the severity and nature of the violation.


While not a member of the EU, Andorra has aligned its data protection laws closely with the GDPR, offering robust protection of personal data. Businesses operating in Andorra need to ensure they are fully compliant with these laws to avoid penalties and to maintain the trust and confidence of their customers and partners.


bottom of page