Albania’s Law On the Protection of Personal Data

National Regulations

Law No. 9887, dated 10.03.2008, ‘On the Protection of Personal Data’, enacted by the Republic of Albania, is a cornerstone legislative measure designed to safeguard the rights and freedoms of individuals concerning their personal data. This law establishes a comprehensive framework for the lawful collection, processing, and use of personal data, emphasising transparency, accountability, and respect for individual privacy.

In an era of increasing digitalisation and global data exchange, the law aims to address challenges associated with data protection, ensuring that individuals retain control over their personal information while fostering trust in entities that handle such data. It aligns with international data protection principles and sets clear guidelines for both public and private organisations operating within Albania or engaging in data processing activities connected to the country.

By defining specific obligations for data controllers and processors, the law seeks to create a secure environment for personal data management, balancing the legitimate interests of businesses and public authorities with the fundamental rights of data subjects. It also empowers individuals with enforceable rights, such as access to their data, correction of inaccuracies, and protection from unauthorised use or disclosure.

Furthermore, the law introduces mechanisms for oversight and enforcement through the establishment of the Commissioner for Personal Data Protection, an independent authority responsible for monitoring compliance, issuing guidance, and addressing grievances. Administrative penalties and other corrective measures are stipulated to deter violations and uphold the law’s integrity.

Key objectives:

  • Establish rules for the lawful processing and protection of personal data.
  • Ensure the fundamental rights and freedoms of individuals, particularly the right to privacy.

General provisions:

  1. Scope: Applies to automatic and manual processing of personal data by controllers and processors based in Albania, diplomatic missions, or entities using equipment in Albania.
  2. Definitions: Includes terms like personal data, sensitive data, controller, processor, data subject, processing, transmission, and consent.

Data processing principles:

  • Legality: Data must be processed fairly, lawfully, and transparently.
  • Purpose limitation: Data must be collected for legitimate purposes and not processed in a manner incompatible with those purposes.
  • Data minimisation: Only relevant and necessary data should be processed.
  • Accuracy: Data should be accurate and kept up-to-date.
  • Retention limitation: Data must not be stored longer than necessary.

Special provisions:

  1. Sensitive data: Processing is generally prohibited unless specific conditions (e.g., consent, legal necessity) are met.
  2. International transfer: Allowed only to states with adequate protection levels or under strict conditions.
  3. Scientific and statistical use: Allowed if individuals are not identifiable and confidentiality is maintained.

Rights of data subjects:

  • Access: Individuals can request information about their data and its processing.
  • Correction and erasure: Individuals can demand rectification or deletion of inaccurate or unlawfully processed data.
  • Refusal: Data subjects can refuse processing in specific cases.
  • Compensation: Individuals have the right to compensation for damages caused by unlawful data processing.

Obligations of controllers and processors:

  • Transparency: Inform data subjects about processing purposes and data use.
  • Security measures: Implement organisational and technical safeguards to prevent data breaches.
  • Confidentiality: Maintain strict confidentiality during and after data processing.

Oversight:

  • Commissioner for Personal Data Protection:
    • Supervises compliance with the law.
    • Has powers to investigate, issue instructions, and impose administrative sanctions.
    • Handles complaints and oversees international data transfers.

Sanctions:

  • Violations can result in administrative fines ranging from 10,000 to 50,000 Albanian lek (doubled for legal entities).

This law reflects Albania’s commitment to aligning with international standards for personal data protection, emphasising both individual rights and organisational responsibilities.