Privacy policy

With this Privacy Policy, the Andorran Financial Authority (AFA) informs users of the personal data that are collected through the services offered and reflected on this website, of how those data are processed, and of the rights that the applicable personal data protection regulations confer on the user in relation to his personal data and the processing carried out through the website.

Applicable law

  1. Law 29/2021 of 28 October on the protection of personal data of the Principality of Andorra (Law 29/2021) and the regulations implementing it; and
  2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (EU Regulation 679/2016).

In the following table you will find the links to facilitate access to the different points of this policy:

This Policy applies to visitors to the website, users of the services offered by the AFA for the purposes described in paragraph 4 of this policy (the services), and all persons whose personal data, for example, their images, may appear on the website or in the context of the services.

The sole party responsible for the use of the user’s personal data, as indicated in the previous section, is the owner of the website:

Andorran Financial Authority (AFA)

NRT number: D-800383-X

Registered office:

Carrer Bonaventura Armengol, 10

Edifici Montclar, bloc 2, 4a planta

AD500 Andorra la Vella

Principality of Andorra.

The user can contact the Data Protection Officer by email at

The AFA is not responsible for the activities carried out by other websites due to the fact that they are accessed through links published on the AFA website. The user is advised to read carefully the information provided by those responsible for these other websites, especially the privacy and cookie policies of each website that is visited, before giving personal data and to contact these managers directly for any questions or concerns.

In general, it is the user who directly provides his personal data; for example, through the forms on this website. The only exceptions to this rule are:

  • the image of the user when it is eventually collected by video surveillance cameras;
  • data provided by third parties to whom additional information has to be requested or data provided by third parties to the AFA on behalf of the user;
  • images corresponding to a news item in which it is considered that the public interest and the right to information take precedence over the possible interests of individuals, image or other personal data that are published on the AFA website;
  • the user’s data that may appear in e-mails and other information media sent, among others, by the state security forces, the Batllia (the Law Court), other Courts and other judicial or supervisory bodies and/or regulatory authorities of other countries;
  • contact details provided by service and product providers when represented by the user; and/or
  • the cookies on this website, about which more information can be found in the Cookies Policy of the AFA website.

To initiate and maintain the relationship with suppliers

If the user represents a supplier of products or services, their contact details and signature are collected to:

  a) manage all kinds of relationships with the provider that the user represents;
  b) manage the relevant listing of authorised suppliers; and/or
  c) manage the budgets and invoices of the provider that the user represents.

Treatments linked to purposes a) and b) are legitimised by the contract of employment or services that the user has signed with the provider that the user represents and the legitimate interest of the AFA when contacting him; and treatments linked to purpose c) are legitimised because they are necessary for the execution of the contract that the user has signed with the AFA.

 To preserve security through video surveillance

The AFA collects the image of the user through video surveillance systems in order to preserve the security of people, goods and facilities themselves.

The basis of legitimacy for the aforementioned treatments is the public interest in public security, the legitimate interest of the AFA in the security of the AFA facilities, and the legitimate interest of third parties seeking judicial protection over an alleged offence that may be substantiated by a fragment of a recording.

To select and hire staff

The AFA processes the data in the CVs voluntarily sent by users to manage the relationship with candidates for a job at the AFA, including the process of searching, filtering and storing the CVs of candidates, the staff selection process and the recruitment process.

The basis of legitimacy for these treatments is the consent of the user, which the user himself manifests when sending his CV to the AFA, the execution of pre-contractual measures and, in the event of not having an open selection process or not being hired and being considered by the AFA as a candidate that can fit in future selection processes, the legitimate interest of the AFA in retaining the candidate’s CV in order to include it in future processes.

To create a virtual office user account

 The AFA collects the necessary data for the creation of a user account to access the virtual office to:

  • give the user access to the virtual office;
  • respond to requests and submissions relating to the various procedures that may be performed through this channel; and
  • provide supporting documents or acknowledgement of receipt of applications and written submissions.

The basis that legitimises this processing activity is the public interest in providing an access channel for the execution of the procedures to which entities subject to the supervision of the AFA are legally bound.


To fulfil the functions of the AFA

The AFA collects the data that the user provides directly and those that third parties provide in the exercise of their respective functions, to perform the functions indicated in the Objectives and Functions section of the AFA website.

The basis that legitimises these processing activities is the public interest and the legal obligations that, for each treatment, are indicated on the aforementioned page of the AFA website.

To send information, notices, notifications or communications of interest to the user

When the user subscribes to the AFA newsletter, the user’s email address, identification data, profession and interests are collected to send him the information deemed relevant to his profile.

The legal basis for this processing is the consent of the user, who can withdraw it at any time by exercising his right, as indicated later in this policy or through the link at the bottom of each email. The only consequence of the withdrawal of consent is that the user will no longer receive the information that used to be sent to him.

 To respond to requests, inquiries, complaints or communications of infringements

The AFA collects the personal data that the user provides in his emails, by phone, through the form of the contact page, through the corresponding forms of inquiry, complaint or communication of infringements that are provided on the website, and personal data that include requests to exercise rights, in order to be able to attend to the user.

In order to attend to the user, the AFA may be obliged to request additional information from third parties. When this information is linked or can be linked to the user, it will be treated as personal data. If these personal data are not directly related to the attention of the request, inquiry, complaint, communication of infringement, etc. or if they do not provide additional information to that provided by the user himself, they will be destroyed immediately. If, on the contrary, personal data received from third parties are relevant to the attention of the user’s request, the user will be informed with due diligence, respecting restrictions inherent in the concept of personal data defined by the applicable regulations and the rights and freedoms of other natural persons who may be affected by this communication. In any case, whenever additional information has to be requested to serve the user, and whenever possible, the information that has to be shared to serve the user will be anonymised.

The legal basis of this processing is the consent that the user expresses when giving this data, the legal obligation of the AFA to attend to the user’s rights requests, and the legitimate interest of the AFA in attending to the user. The provision of personal data is, therefore, voluntary, although in case of not providing the necessary personal data, the request, enquiry or complaint of the user may not be followed up. The user may revoke his consent at any time, although this revocation will make it impossible to continue the processing of the request, enquiry or complaint.

 To manage possible future complaints

Likewise, the AFA retains the data that may be necessary to manage possible claims by the user, based on the legitimate interest of the AFA in defending itself and safeguarding its rights.

 To control access to facilities, events or services through tickets or credentials

The AFA uses the data of visitors and, sometimes, those of their national identity cards or passports and, if legislation so determines at a specific time, even those of the document accrediting their state of protection against Covid-19, to authorise, or not, access to the restricted areas of the AFA facilities, to analyse and control the occupation and logistics of the different areas, and to ensure health, including the prevention of the spread of diseases and the tracing of contacts of persons affected by Covid-19, and for the safety of all users of the facilities.

The legal basis for this treatment is the legal obligation of secrecy and the public interest to preserve the confidentiality of the data that are processed in the offices and files of the AFA. In the event that documents are requested to prove the visitor’s protection status against Covid-19, the processing will be legitimated by the corresponding legal obligation.

 To ensure the operation of the website (functional cookies)

 We use functional cookies to ensure a proper functioning of the AFA website.

As cookies are necessary for the proper functioning of the website, their use does not require the user to give his express consent and the basis that legitimises the AFA to use them is the legitimate interest to be able to offer the services of the website.

More information about these cookies can be found in the AFA cookies policy.

 To extract aggregated usage statistics of the website (analytical cookies)

 Analytical or statistical cookies are used to identify the most and least visited pages, to analyse what content is of most interest to visitors, and to measure the success of information campaigns, all with the aim of improving the services offered through the web. All these purposes provide aggregated results, in which it is not possible to identify the interests of any particular person.

As these cookies are not necessary, they are only used with the user’s consent, with the aim of improving the website by analysing aggregate statistics of visitors' browsing.

More information about these cookies can be found in the AFA cookies policy.

 To be able to use certain Google services

In addition, as an obligation that Google LLC, a company of which Google Ireland Ltd is a subsidiary, imposes on entities that use the tools Google reCAPTCHA and Google Analytics, users are informed that these two services are operated by Google Inc., with address at 1600 Amphitheatre Parkway, Mountain View, CA 94043, in the USA, and that Google Inc. is in part a beneficiary of these services.

Information generated by cookies about the user’s use of this website and their advertising preferences is usually sent to a Google server in the USA and stored there. For more information, you can consult the page that describes how Google uses the information on the website and/or the privacy policy of Google regarding the aforementioned services.

The AFA reports that the IP address anonymisation function has been activated on the AFA website as a safeguard additional to the standard contractual clauses that protect this international transfer of data to the USA. As a result, Google shortens the user’s IP address, obfuscating the user’s identity, before sending it to the USA. Only in exceptional cases is the full IP address sent to a Google server in the USA and abbreviated there. Google guarantees that the IP address sent by the user’s browser in Google Analytics will not be treated together with any other data that Google has.

The categories of personal data that these services process can be consulted in

For other purposes that are not incompatible with the above

 The AFA may use the personal data of the user for other purposes that are not incompatible with the aforementioned, such as filing purposes for reasons of public interest, scientific or historical research purposes, or statistical purposes, provided it is permitted by the current regulations on the protection of personal data and always acting in accordance with this and other applicable regulations.

Personal data of the user are not transferred to anyone, unless:

  • it is the user himself who requests it;
  • there is a legal obligation to do so; for example, details about financial agents that are published in the relevant section of the website or those of the agents listed in the register of insurance mediators;
  • the user submits a complaint against an entity, which must be informed in order to process the complaint;
  • there is a legal obligation to do so; for example, to provide copies of invoices to the Department of Taxes and Borders of the Government of Andorra;
  • the user uses the services of the AFA through intermediaries; for example, representatives, to whom data addressed to the user must be delivered;
  • the AFA is co-responsible for the collection of data, always with the consent of the user, so that other entities treat them in their own name. This is the case of Google Ireland Ltd, which has its registered office at Gordon House 4, Barrow, in Dublin, Ireland, and has been commissioned to process the cookies necessary to use its reCAPTCHA and Google Analytics services. Google Ireland Ltd acts as an independent controller for all treatments performed on its behalf in accordance with its privacy policy. Data are transferred to Google Ireland Ltd based on the data protection agreement that this company, located in the EU, includes in the addendum to the standard contract for the countries deemed adequate under EU Regulation 679/2016, as is the case of Andorra, to which we add the additional safeguard of enabling anonymisation of the IP addresses collected by cookies. In the Cookies Policy of the AFA you can see what analytical and advertising cookies are offered and how to configure them.
  • it is necessary to protect the rights of the user, the AFA, the employees of the AFA, and/or third parties; a fact that may require the transfer to the police services for safety reasons or to the health authorities to prevent the spread of diseases; for example, for contact tracing purposes, if video surveillance cameras record a theft at the premises, or if a third party requests video surveillance images on the basis of its legitimate interest in seeking effective judicial protection with respect to the commission of a crime or compensation for damages that may be proved by the images transferred, and with the commitment of that third party to use them exclusively for the reporting of this crime or for the claim for damages suffered, and to reduce the transfer of images to the minimum and indispensable to fulfil the intended purpose; and/or
  • if data need to be processed by the service providers, on behalf of the AFA, and under the terms and conditions of the corresponding processor contract.

Any international transfer that may need to be made will comply with the regulations in force at any time.

The AFA keeps the personal data of the user exclusively during treatments that require them and, afterwards, for as long as legal responsibilities in force resulting from the processing in question take to prescribe, including the obligation to be able to demonstrate that the AFA has complied with the request of destruction of the personal data.

For example, video surveillance recordings are kept for a maximum of 30 days when they do not contain incidents and, if exceptionally there has been a security incident during this period or there is evidence of a crime, a copy of the part of the recording that captures the incident is extracted and kept until it is handed over to the police or to the interested party involved that requires it to support its request for judicial protection.

When there is no legitimate purpose to process some of the personal data of the user, they are deleted or anonymised and, if this is not possible, for example because they are in backups, they are stored securely and locked to isolate them from any further processing until disposal is possible.

The user has the right to obtain confirmation of whether or not the AFA holds any of his personal data.

It should be remembered that when personal data is shared with other controllers, the user has to exercise his rights directly with these controllers, following the instructions provided in their own privacy policies. Specifically, in relation to the data that cookies on the AFA website share with Google, the user is informed that he can install in his Chrome, Internet Explorer, Safari, Firefox and/or Opera browser, the add-on for not sending data from Google Analytics or Google Ads to Google Inc.

Other user rights and how to exercise them are explained below.

 The rights of the user

 In accordance with provisions of Law 29/2021, the user can request the execution of the following rights:

right not to be the subject of automated individual decisions.

Where and how users can exercise their rights

  1. by sending a written request to the AFA, addressed to the postal address indicated in paragraph 2 of this policy, indicating a means of contact with the user in order to be able to respond to his request or to ask for more information if necessary, and under the title "Exercise of Personal Data Protection Rights"; or
  2. by sending the form associated with the right that the user wishes to exercise to the email address and specifying "Exercise of Rights of Protection of Personal Data" in the subject of the email. These forms are available below in this section of the privacy policy.

In both cases, in order to verify the identity of the user and to respond only to the interested person or his legal representative, a proof of identity will be requested, such as a copy of the national identity card or passport, powers of representation, or some other accreditation.

Even so and especially if the user considers that he has not obtained full satisfaction of the attention of the exercise of his rights, he can submit a complaint to the national supervisory authority of his country or, to that end, to the Andorran Data Protection Agency (APDA).

 Forms for the exercise of user rights

 In order to facilitate the exercise of the user’s rights, it is recommended to use the corresponding application forms from among the following:

The AFA is fully committed to protecting privacy and personal data. A register of all personal data processing activities carried out has been established, the risk to the user of each of these activities has been analysed, and legal safeguards and appropriate technical and organisational measures have been implemented to prevent, as far as possible, alteration of the user’s personal data, its misuse, loss, theft, unauthorised access, or unauthorised processing. Data protection policies are kept up-to-date at the AFA to ensure that users are provided with all information about the processing of their personal data and to ensure that the AFA staff receive appropriate guidelines regarding how to process the personal data of users. The AFA has signed data protection clauses and processor contracts with all service providers, taking into account the need for each of them to process personal data.

Access to personal data is also restricted to those employees who really need to know them in order to perform any of the treatments referred to in this policy, and who have been trained and made aware of the importance of confidentiality, the maintenance of integrity, the availability of information and the disciplinary measures entailed by any possible infringement in this area.

The AFA will update this policy whenever necessary to reflect any changes in the regulations or data processing. In the case of substantial changes, the AFA notifies the user before its entry into force by means of a notification or the publication of a prominent notice on its website, so that the user has the option to exercise his rights.

For any questions or concerns about this policy, the user can email