Albanian Parliament Approves Law on Personal Data Protection: A Step Toward GDPR Compliance
On December 19, 2024, the Albanian Parliament officially passed the Law on Personal Data Protection, which marks a significant leap forward in aligning Albania’s legal framework with the European Union’s General Data Protection Regulation (GDPR). This law, which came into full effect on January 17, 2025, provides comprehensive and modern safeguards for personal data processing within Albania and reinforces the country’s commitment to respecting citizens’ privacy rights and complying with international data protection standards.
For businesses operating in Albania or handling Albanian citizens’ data, this new legislation brings significant implications. It sets forth a wide range of responsibilities and obligations that organizations must comply with to avoid severe penalties. This article explores the law’s provisions in depth, highlighting its core principles, the role of data controllers and processors, data subjects’ rights, and essential compliance measures required for organizations to operate within the legal framework. The article also outlines the sanctions for non-compliance and the law’s impact on the Albanian business landscape.
Background and Objectives of the Law
The Law on Personal Data Protection was introduced to bring Albania into alignment with the GDPR and ensure the highest levels of protection for personal data. This is especially crucial as the world becomes increasingly digital, and the risks associated with data breaches and misuse of personal information grow. The law’s primary objective is to safeguard individual rights in the processing of personal data, placing a strong emphasis on transparency, accountability, and data security.
This landmark legislation not only facilitates Albania’s integration into the European Union’s data protection framework but also serves as a catalyst for broader economic development. By aligning with GDPR, Albania opens doors for smoother business transactions between local businesses and international partners. The law enhances Albania’s appeal as a location for foreign investment by ensuring the same high standard of personal data protection that businesses in the EU must adhere to.
Core Principles of the Law
At the heart of the Law on Personal Data Protection are several core principles that all data processing activities must adhere to:
- Lawfulness, Fairness, and Transparency: Personal data must be processed in a lawful, fair, and transparent manner. Organizations must provide clear information to individuals regarding the processing of their personal data.
- Purpose Limitation: Data should only be collected for specific, legitimate purposes and not used for purposes incompatible with those originally stated.
- Data Minimization: Only the minimum amount of personal data necessary for achieving the processing objectives should be collected and retained.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date.
- Storage Limitation: Data should only be retained for as long as necessary to fulfill its original purpose.
- Integrity and Confidentiality: Organizations must implement robust security measures to protect personal data from unauthorized access, loss, or destruction.
- Accountability: Data controllers must demonstrate compliance with these principles and maintain relevant records that show their efforts to uphold data protection requirements.
Obligations for Data Controllers and Processors
The Law on Personal Data Protection places significant responsibilities on both data controllers (those who determine the purposes and means of data processing) and data processors (those who process data on behalf of the controller). Below are some key provisions regarding the obligations of these entities.
Data Controllers' Responsibilities
Data controllers are at the forefront of data protection efforts and must ensure compliance with the law in all aspects of personal data processing. Their primary responsibilities include:
- Lawful Basis for Processing: Data controllers must ensure that personal data is only processed on one of the lawful bases outlined by the law (e.g., consent, contract necessity, legal obligation, legitimate interest). If consent is the basis for processing, the consent must be freely given, specific, informed, and unambiguous.
- Privacy Notices: Controllers must provide individuals with clear and concise privacy notices that outline how their personal data is being used, what legal basis is being relied upon, how long the data will be stored, and the individuals' rights under the law.
- Data Protection Impact Assessments (DPIAs): For any high-risk processing activity (e.g., processing sensitive data, large-scale processing, or profiling), data controllers must conduct a Data Protection Impact Assessment (DPIA) to assess the impact on data subjects' rights and implement measures to mitigate identified risks.
- Data Security: Data controllers must adopt appropriate technical and organizational measures to protect personal data from breaches, including encryption, secure storage, and regular security audits. If a data breach occurs, they must notify the Albanian Data Protection Authority (DPA) within 72 hours.
- Data Transfers: Controllers are required to ensure that any international data transfers comply with the relevant provisions of the law. Personal data must only be transferred to countries that offer an adequate level of protection or where appropriate safeguards (e.g., standard contractual clauses or binding corporate rules) are in place.
- Retention of Data: Data controllers must define and enforce a data retention policy to ensure that personal data is not kept for longer than necessary. Organizations must specify the duration of data retention for each processing purpose and securely dispose of data when it is no longer required.
- Appointment of a Data Protection Officer (DPO): Organizations engaged in large-scale data processing, or processing sensitive data, must appoint a Data Protection Officer (DPO). The DPO’s role is to monitor compliance, offer advice on data protection issues, conduct DPIAs, and serve as a liaison with the DPA.
Data Processors' Responsibilities
While data processors process personal data on behalf of the data controllers, they also have significant obligations:
- Processing Data Only as Instructed: Data processors must only process personal data according to the data controller's instructions, ensuring that they do not use the data for any unauthorized purpose.
- Security Measures: Data processors are responsible for implementing adequate security measures to protect personal data, ensuring that they comply with the same standards as data controllers.
- Sub-processors: If a data processor engages sub-processors to handle personal data, they must obtain the data controller’s consent before doing so. The data processor must also ensure that the sub-processors are bound by data protection obligations similar to those of the original processor.
- Assistance with Compliance: Data processors must assist data controllers in fulfilling their obligations under the law, including responding to data subject requests, notifying authorities of breaches, and conducting DPIAs.
Rights of Data Subjects
The law enshrines several rights for individuals, referred to as data subjects, concerning their personal data. These rights are crucial for empowering individuals and providing them with control over their data:
- Right to Information and Access: Individuals have the right to be informed about how their personal data is being processed, and they can request access to their personal data held by organizations.
- Right to Rectification: Individuals have the right to request corrections to inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten): Data subjects can request the deletion of their personal data under certain circumstances, including when data is no longer necessary for the purposes for which it was collected.
- Right to Restriction of Processing: Under certain conditions, individuals can request that the processing of their personal data be restricted, meaning the data is temporarily withheld from being used.
- Right to Data Portability: This right allows individuals to obtain and reuse their personal data across different services in a structured, commonly used, and machine-readable format.
- Right to Object: Individuals can object to the processing of their data, particularly if it is based on legitimate interests or if the data is being used for direct marketing.
- Rights Related to Automated Decision-Making: Individuals are protected from automated decisions that significantly affect them, including profiling, unless specific conditions apply (e.g., explicit consent).
Compliance Steps for Businesses
To achieve compliance with the Law on Personal Data Protection, businesses should take several proactive steps:
- Conduct Data Mapping and Audits: Organizations should carry out a comprehensive audit to identify and map all personal data processing activities. This includes understanding what data is collected, how it is processed, and where it is stored.
- Update Policies and Procedures: Businesses must update their privacy policies, employee contracts, vendor agreements, and website terms to reflect the new data protection obligations.
- Implement Data Security Measures: Organizations should invest in data security technologies, including encryption, access controls, and regular system updates to protect data from breaches.
- Training and Awareness: Regular training should be provided to all employees, particularly those involved in data processing, to ensure they understand their obligations under the law.
- Develop a Data Breach Response Plan: Businesses must establish and regularly test a data breach response plan to ensure a swift and efficient response in the event of a breach, including notifying affected individuals and the DPA as required.
- Appointment of a DPO: Businesses must evaluate whether they need to appoint a Data Protection Officer (DPO) based on the scale of their data processing operations.
Sanctions for Non-Compliance
The Law on Personal Data Protection imposes substantial penalties for non-compliance, including:
- Fines of up to 2,000,000,000 LEK: for individuals found to be in violation of the law.
- Up to 4% of global annual turnover: for companies that fail to comply with the requirements.
Additionally, companies may face reputational damage, loss of consumer trust, and potential civil liability for failing to uphold data protection standards.
Conclusion
The Law on Personal Data Protection represents a crucial step in Albania’s journey toward GDPR compliance, offering individuals stronger protection over their personal data and compelling businesses to adopt more responsible and secure data handling practices. By implementing the necessary changes to their processes, updating policies, and investing in compliance measures, businesses can not only avoid significant penalties but also build greater trust with customers, enhance their reputation, and contribute to Albania’s growing digital economy.
For companies operating in Albania or handling Albanian citizens’ data, it is essential to act swiftly to ensure full compliance with this new law and prepare for its ongoing monitoring and enforcement.
How Oracle Solicitors Albania Can Help
At Oracle Solicitors Albania, we understand the complexities of navigating data protection laws, especially with the introduction of the Law on Personal Data Protection. Our team of experienced legal professionals is well-versed in the intricacies of GDPR compliance and can provide tailored guidance to ensure that your business meets all the legal requirements under Albanian and European data protection laws. Whether you need assistance with data mapping, policy updates, employee training, or the appointment of a Data Protection Officer (DPO), we are here to support you. Additionally, we can help you design and implement robust data protection strategies, including developing data breach response plans and ensuring that your vendor contracts align with the new legal framework. By partnering with Oracle Solicitors Albania, you can navigate this complex landscape with confidence, ensuring your business remains compliant, minimizes risks, and builds trust with clients and stakeholders.
- Boulevard "Deshmoret e Kombit", Twin Towers, Tower 1, 13th Floor, 1001, Tirana, Albania
- +355 6969 37763