Obligations of lawyers before the Personal Data Protection Law

Eighteen years after the General Council approved the first qualified law on the protection of personal data, on November 17, 2021, the new Law 29/2021 of October 28 on the protection of personal data (hereinafter referred to as *LPD) was published and will enter into force in May 2022.

The purpose of this Law is to update the Andorran regulations regarding the processing that both private persons or entities and the public administration carry out of data corresponding to natural persons, in the light of the new European regulation, especially Regulation (EU) 2016/679 of the European Parliament and of the Council. The new Law introduces important novelties with respect to the previous legislation, which is why the present article seeks to specify the data protection obligations that arise for the legal profession.

In this sense, lawyers (or the organization to which they belong), must apply a set of technical, organizational and legal measures that will allow the organization to ensure the confidentiality, integrity and availability of the information.

First of all, it is worth mentioning the specific duty established by the new *LPD to ensure the express consent of customers when processing their personal data. For these purposes, consent shall be understood as the manifestation of free, specific, informed and unequivocal will by which the interested party accepts (art. 4.2 *LPD), excluding tacit consent.

Otherwise, the *LPD adds by the interested ones, to the margin of the traditional rights *ARSO (access, rectification, suppression, and opposition), other nuts, which will have to be guaranteed by the lawyers in the treatment of personal data. First, the right of limitation, which implies that those affected may request the limitation in the processing of their personal data (art. 22 *LPD). On the other hand, the right to portability, which entails the right to transmit the data to another data controller or to the same data subject, through a structured format of habitual use and mechanical reading, when the processing is carried out by automated means (art. 23 *LPD). Likewise, the right of the data subjects not to be subject to automated individual decisions and profiling is also provided for (art. 25 *LPD).

Even so, the new law requires lawyers to carry out a risk analysis, i.e., they will have to assess the possible contingencies of such data processing. Consequently, in the event that the risk is particularly high, they will have to carry out an impact assessment in order to minimize the possibilities of affecting the rights or freedoms of data subjects and will have to implement appropriate security measures (art. 32 *LPD).

It is also necessary to consider the requirement to keep a register of processing activities, which will only be required when the organization meets the following requirements: it has more than 50 employees; the processing may entail a risk to the rights and freedoms of the persons concerned; it is not occasional; or it includes special categories of personal data (art. 34 *LPD).

On the other hand, when data is transferred to third parties, a duty of care is required in the selection of the data processor. Specifically, a processor must be chosen that offers sufficient guarantees to implement appropriate technical and organizational measures, so that the processing guarantees the protection of the rights of the data subjects, and the processor may only process this data on the instructions of the data controller, unless it is obliged to do so by a legal requirement (art. 31 *LPD).

Furthermore, when the lawyer is part of an organization, the employees of the organization will have to sign a confidentiality agreement to prevent the personal data being processed from reaching unauthorized persons. Likewise, it must be ensured that the employees comply with the established security measures.

In the event of a breach of security of personal data, such as a *cyberattack, this will have to be notified to the Andorran Data Protection Agency (*APDA) within 72 hours (art. 36.1 *LPD), and if applicable, to the data subjects concerned (art. 37.1 *LPD).

Finally, it should be added that the new Law has introduced the figure of the Data Protection Officer (*DPD), who is the person in charge of instructing the data controller on the legal obligations to be observed in the field of data protection. In the case of law firms, given that, as a general rule, they process personal data on a large scale, they would be considered as subjects obliged to appoint a *DPD.

By way of conclusion, the legal profession, as a profession that provides a service to society in the public interest through the advice and defence of rights and public and private interests, are determined as subjects bound by the *LPD, which seeks to ensure an adequate level of protection of personal data of individuals, as a fundamental right guaranteed by Article 14 of the Constitution of the Principality of Andorra.

Clàudia Alonso

Augé Legal & Fiscal