Albania proposes new GDPR-compliant data protection act

For more information, please contact Shpati Hoxha at shpati.hoxha@hmh.al.
Scope of application
The draft act distinguishes between material and territorial scope of application. As for its material scope, the draft act provides that it will apply:
  • to the processing of personal data, wholly or partly, by automated means; and

  • where the processing is not carried out by automated means, to the processing of personal data which form part of an archiving system or are intended to form part of an archiving system.

The draft act excludes from its scope of application the processing of personal data by a natural person for personal or household purposes.
As regards its territorial scope, the draft act provides that it applies to the processing of personal data:
(a) in the framework of the activities of a controller or processor established in the Republic of Albania, irrespective of whether the processing takes place within or outside Albania.
(b) of data subjects who are in Albania, by a controller not established in Albania, where the processing activities are related to:
(i) the offering of goods or services to data subjects who are in Albania, irrespective of whether a payment from such data subject is required or not; or
(ii) the monitoring of the behavior of data subjects, as far as their behavior takes place in Albania.
(c) by a controller or processor not established in Albania, but in a territory where the Albanian law applies by virtue of public international law.
The draft act also extends its application to international transfers of personal data where a controller engages a processor, who is not established in Albania, for the performance of processing activities under item (b) above.
Novelties
The draft act represents a significant advancement in personal data protection, aligning the domestic legislation with the GDPR standards and introducing new rights and obligations within the Albanian legal framework.
The following is only a summary of the practical novelties of the draft act vis-à-vis the existing legal framework based on a preliminary review of the proposed draft.
The regulation of the matters below is either missing altogether in the current framework or was developed under the practice of, or guidelines issued by, the Albanian Commissioner on the Right of Information and Protection of Personal Data (the “Authority”). Spelling out rights and obligations in the body of the law will provide stronger safeguards for the rights of data subjects.
On the side of the rights of data subjects, the main novelties of the draft act include specific provisions on the “right to be forgotten” and “data portability”. Additionally, more detailed provisions are in place related to the conditions for consent to the processing of personal data, to a child’s consent in relation to information society services, and more generally to safeguarding the rights of data subjects.
Based on an initial review of the proposed draft act, the following is a non-exhaustive selection of practical changes that will impact controllers and processors of personal data:
  • the draft act introduces principles on purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default.

  • under the draft act, processors not established in Albania will be required to appoint a local representative and notify the Authority; under the current legal framework this obligation applies only to foreign controllers.

  • under the draft act, controllers and processors not established in Albania will no longer be required to notify the Authority of the details of processing activities prior to the start of such data processing activities.

  • under the draft act, controllers and processors will now be required to keep records of processing activities; this was not spelled out in the current law, as a mandatory notification to the Authority was required prior to the start of data processing activities.

  • the appointment of a data protection officer (DPO) is now spelled out as a legal requirement, applicable on the basis of the nature and scale of processing activities; the current law does not envisage the appointment of a DPO. This requirement was developed under the guidelines issued by the Authority with respect only to large scale data processors, defined as the processors that engage 6 (six) or more persons in their data processing activities.

  • the draft act introduces the requirement to carry out a data protection impact assessment (DPIA), applicable on the basis of the nature and scale of processing activities; the current law does not envisage the requirement for the DPIA. This requirement was developed under the guidelines issued by the Authority with respect only to large scale data processors (defined as above).

  • the draft act introduces the requirement for a mandatory 72 hrs notice to the Authority in case of a data breach; the current law does not envisage the requirement for a data breach notice. This requirement was developed under the guidelines issued by the Authority with respect only to large scale data processors (defined as above); further, the guidelines require “immediate” notification, which is not a reasonably realistic term.

  • under the draft act, prior approval by the Authority no longer appears as a condition for international data transfers in the absence of an adequacy decision; the draft act streamlines the conditions for international data transfers in the absence of an adequacy decision, in line with the GDPR standards.

  • the draft act proposes substantially higher fines in case of breach of law, going up to 2 billion ALL (currently approx. EUR 20 million) or 4 (four) % of the global turnover for the preceding business year, whichever is higher; the maximum level of fines under the current law amounted to approx. EUR 40.000.

Transition
The draft act provides that it will come into effect 15 (fifteen) days after its publication in the Official Gazette of the Republic of Albania.
However, there will be a 2 (two) year delay from the effective date regarding the entry into force of certain provisions dealing with (i) the mandatory DPIAs and relevant prior consultations with the Authority, (ii) the notification of data breaches to the data subjects, and (iii) codes of conduct and the accredited bodies to monitor their compliance.
Further, the draft act provides that secondary legislation issued by the Authority on the basis of the current law shall remain in force, as long as it does not conflict with the provisions of the new law. In this context, the Authority is required to issue, within 6 (six) months of the effective date of the draft act, new secondary legislation on a number of matters, including, among others, (i) types of data processing activities relevant for DPIAs and for prior consultation, (ii) rules on the accreditation of bodies to monitor the compliance of codes of conduct, (iii) rules on the certification mechanisms and on data protection seals and marks, (iv) decisions on countries and international organizations which ensure an adequate level of personal data protection for the purpose of international transfers, and (v) detailed rules for data security and procedures for managing records of data registrant, disposal, processing and disclosure.
Further, the draft act requires the Albanian public authorities to evaluate the compatibility of existing laws, regulations and by-laws with the new act, within a period of 3 years from its effective date.
Finally, international agreements that include the transfer of personal data to third countries or international organizations, which were concluded before the entry into force of the new act, shall remain in force until they are amended, replaced or denounced.
Background
In Albania, the protection of personal data is governed by law no. 9887, dated 10.3.2008 “On the protection of personal data”, as amended. This act loosely follows the provisions of the EU Directive 95/46.
Based on the 2023 progress report for Albania, the EU found that “On the protection of personal data, Albania needs to put in place strong legal and institutional safeguards to prevent further massive breaches of privacy by private companies and the public administration and adopt the necessary legislation to align with the EU acquis on personal data…Albania should, in particular
– improve data protection, in particular by adopting the revised Law on personal data protection in full alignment with the EU acquis, by strengthening the independence and capacity of the Information and Data Protection Commissioner, and by awareness raising measures.”
On this basis and in the framework of Albania’s EU membership ambitions, the Government has submitted to the Parliament a draft for a new data protection act, aiming to align the Albanian legislation on the protection of personal data with the GDPR.
The draft act is expected to go through the legislative process and be approved in the following months. Therefore, the following are initial considerations of the proposed draft act. The compliance level and eventual gaps vis-à-vis the GDPR will need to be assessed once the draft act is approved into law.