IT COMPLIANCE: Personal Data Protection Program (PD)

The Personal Data Protection Program, together with Information Security Management Systems, is a fundamental tool for all companies in the protection of their information and personal data, and ensures compliance with the GDPR and the national regulations on the matter.

In this practice area, the services offered are the following:

1. Registration, modification or cancellation of files before the Data Protection Agency (APDA)

Handling of the administrative procedure for the registration, modification or cancellation of personal data protection files before the Data Protection Agency, and management of the procedure until its final resolution.

2. Record of Processing Activities (RAT)

Preparation of the Record of Processing Activities for the internal control of personal data by the Data Controller and the Data Processors.

3. Preparation of the privacy Risk Analysis

Preparation of an analysis report on the processing activities carried out in the client's company, in order to determine the inherent risk, the mitigation mechanisms and the residual risk.

4. Preparation of Data Protection Impact Assessments (AIPD)

Preparation of an assessment report on those processing activities that pose a high risk to the rights and freedoms of individuals, in order to guarantee the legitimacy and adequacy of the processing of this personal data for the company.

5. Adaptation of the company through a Procedures Manual

Implementation of the Action Plan established in the risk analysis, through the drafting of clauses, forms, contracts, policies and specific protocols, in order to meet the obligations regarding the Protection of Personal Data.

6. Specific business training plan

Certified training program on Data Protection for the management team and company employees. The methodology is based on theoretical and practical training, with qualification through a knowledge certification exam.

7. External Data Protection Officer (DPD)

Appointment of an external Data Protection Officer to carry out the functions of the DPD as the person ultimately responsible for Data Protection. The service includes the statutory functions of the DPD, periodic follow-up meetings, meeting notices and minutes, and periodic reports on the company's compliance status.

8. Advice to the internal DPD

Ongoing consultancy and advice to the entity's internal Data Protection Officer (DPD). The advice includes periodic follow-up meetings, meeting notices and minutes, and personalized guidance.

9. Annual program review

Preparation of an annual Review Report on the entity's situation regarding its procedures and mechanisms for the protection of personal data at the time of the review.

Why should you choose CP Legal as your Data Protection Officer?

CP LEGAL is the leading Corporate Compliance boutique in the Principality of Andorra.

We are a professional law firm specialized in Criminal Compliance, AML Compliance and IT Compliance.

With extensive professional experience in the Principality and neighbouring countries, we provide high-quality, comprehensive advice.

Expert team

Our team is specialized in criminal compliance.

We have more than five years of experience in the sector in Andorra and neighbouring countries.

We offer our services both in Andorra and in Spain.

Some things you should know about

IT Compliance

IT is the acronym for the English term Information Technology.

IT Compliance, or Technological Compliance, refers to the set of procedures and policies that an organization adopts in order to guarantee and control regulatory compliance in the digital environment, and especially the Protection of Personal Data and Information Security.

Therefore, IT Compliance Programs take into account matters related to the Protection of Personal Data, the Information Society, Electronic Commerce, Consumer Protection and Intellectual Property.

In 2016 the General Data Protection Regulation (GDPR), Regulation 2016/679, appeared at the European level, establishing a new European framework for the Protection of Personal Data.

The main objective of the GDPR is to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU.

Rapid technological evolution and globalization have posed new challenges for the Protection of Personal Data in organizations. The scale of the collection and sharing of personal data has increased significantly, and thus technology has enabled both private companies and public authorities to use personal data on an unprecedented scale when conducting their activities.

Establishing an Information Technology Compliance Program allows a company to comply with the requirements of national, European and international regulations on Privacy and Legaltech, as well as to protect company information, which is undoubtedly one of the most precious assets of any organization.

In the case of the Principality of Andorra, which is not part of the European Community, the GDPR was initially not applicable. However, at the beginning of February 2019 the Principality signed the current Protocol amending Convention 108. The Protocol updated the Convention and the Protocol of the Council of Europe on this matter, of which Andorra had been a member since 2008. The main objective of the Protocol was to update the content of the Convention so that it aligned with the provisions of the GDPR and, thus, with Europe.

Currently, with the application of Convention 108+, and therefore of the requirements of the GDPR, Andorra has on the table a Proposal for a Qualified Data Protection Law which, until it is approved, does not exempt companies from their responsibility to comply with the general criteria of the GDPR that are already applicable.