Right of access
The right of access, described in article 18 of the LQPD, is your right to contact the controller to find out whether or not they are processing your personal data and, if this processing is being carried out, to obtain the following information:
• A copy of your personal data that is the object of processing.
• The purposes of the processing.
• The categories of personal data that are processed.
• The recipients or categories of recipients to whom the personal data have been or will be communicated, in particular recipients in third countries or international organizations.
• The expected period of conservation of the personal data or, if this is not possible, the criteria used to determine this period.
• The existence of the right of the data subject to request from the controller the rectification or deletion of their personal data, the limitation of the processing of their personal data, or to oppose this processing.
• The right to file a claim with a Control Authority (in Andorra, the APDA).
• When the personal data has not been obtained directly from you, any available information about its origin.
• The existence of automated decisions, including profiling, and, at least in such cases, significant information on the logic applied, the importance and the expected consequences of this processing for the data subject.
• When personal data is transferred to a third country or to an international organization, you have the right to be informed of the appropriate guarantees under which the transfers are made.
You can download the form to exercise it here.
The possibility of receiving consistent, reliable, complete and up-to-date information about processing activities enables individuals to gain or increase their awareness of any relevant processing operations, exercise practical control over their data, and verify the accuracy and lawfulness of the data processing. This information is a key principle of the entire Andorran data protection framework, and must be provided in accordance with article 18 of the LQPD. More specifically, the data controller is obliged to provide transparent, intelligible and easily accessible information on whether or not data is being processed and what the actual processing operations are, as well as full access to the data being processed.
The right of access in accordance with article 18.1 of the LQPD includes three components:
1. The right to obtain confirmation from the data controller as to whether data concerning you is being processed,
2. The right to obtain access to the data subject to processing and,
3. The right to obtain information on certain aspects of the processing, as indicated in the list of article 18.1, points a) to h), of the LQPD (or in the above description).
The LQPD (as well as the European Data Protection Regulation, the GDPR) does not impose any requirement regarding the form of the request through which data subjects or their authorized representatives exercise the right of access. The form provided above is only a tool to facilitate the exercise of this right, and no one is obligated to use it.
The data subject can define the scope of their request and does not need to indicate the reasons for it. Even if they did, the controller has no authority to assess those reasons.
Even so, if the request is not clear and a large amount of data is being processed, the controller may ask the data subject to specify which processing activities the request relates to. If the data subject still requests access to all of their personal data, the data controller has to provide this information, as confirmed by the EDPB (European Data Protection Board) and national courts in several EU countries.
The controller has to take all necessary steps to verify the identity of the data subject, since the disclosure of personal data to another person could qualify as a data breach. However, the controller must not use this requirement to hinder the exercise of the right of access, nor is it acceptable to request an identification document in the access request when it is not necessary to authenticate the identity of the requester. For example, when the data subject sends an access request from the same email address that they used when they first provided their personal data, there can be no doubt about their identity. Therefore, any other data that the controller requires the data subject to present as a prior condition to meeting the request is disproportionate, violates the principle of data minimization and, ultimately, would be illegal.
Last updated: May 17, 2022