I. Introduction
The adoption of Law no. 124/2024 “On Protection of Personal Data” (the “Data Protection Law” or “DPL”), marked a significant advancement in Albania’s data protection legislation, fully harmonizing the national legislation with the General Data Protection Regulation (“GDPR”) and modern European standards.
Following the DPL’s entry into force, the Office of the Commissioner for the Right to Information and Protection of Personal Data (the “Data Protection Commissioner”) remained relatively quiet and did not proactively enforce the DPL against controllers and processors. This period of limited activity coincided with awareness initiatives, meetings with stakeholders and broader awareness-raising efforts aimed at giving controllers and processors the necessary space to understand and adapt to the new legal framework.
II. Recent Shift Toward Active Enforcement
Recently, the Data Protection Commissioner has shifted from an advisory role to one of assertive enforcement, evidenced by increased inspections and penalties for non-compliance with the Data Protection Law. Although the new DPL came into effect in January 2025, only two fines were imposed on private entities in Albania over the course of that year. In the first two months of 2026 alone, however, six fines were issued, three times the total for the whole of 2025, indicating a significant change in enforcement behavior.
This uptick suggests that the transitional phase following the DPL's implementation has concluded, reflecting the Commissioner’s commitment to holding data controllers and processors accountable. The focus is now on sustained, active supervision, and companies must be prepared for heightened scrutiny and able to demonstrate ongoing compliance with data protection requirements.
III. Overview of Controls and Sanctions Issued
Most of the fined entities operate in sectors heavily reliant on personal data processing, including IT service providers, call centers, travel agencies and medical centers. These organizations were subject to administrative penalties primarily due to systemic shortcomings in meeting core requirements of the DPL.
The fines recently applied across various entities share a common denominator of non-compliance with articles 6, 7, 8, 13, 26, 27 and 28 of the new DPL, specifically:
- Failure to implement and maintain adequate Information Security Management Systems to ensure confidentiality, integrity, and availability of personal data.
- Lack of proper written contracts with data processors that define legal obligations, security measures, and responsibilities.
- Violations of fundamental principles of data processing such as lawful processing, obtaining valid consent, and informing data subjects about their rights (access, correction, deletion).
- Failure to draft, update, or publish internal regulations and privacy policies related to data protection.
- Insufficient technical and organizational measures for data security.
- Unauthorized processing of personal data, including improper use of CCTV and publishing images without valid consent.
- Failure to appoint data protection officers and notify relevant authorities.
The fines imposed reflect the seriousness of these violations and the need to ensure compliance with the DPL. The monetary penalties range from smaller fines such as ALL 100,000 (approx. EUR 1,000) for specific breaches (e.g., failure to apply confidentiality declarations) to larger fines reaching up to ALL 4,040,000 (approx. EUR 40,000) for multiple and serious violations involving fundamental principles and security measures.
IV. Controversies Surrounding the Penalty Provisions
The article concerning administrative fines in the new DPL sparked significant legal and public debate at the time of its adoption. As efforts were made to align with the GDPR, concerns quickly emerged regarding the appropriateness of penalties set at GDPR levels for the Albanian context. Stakeholders, including private sector representatives and various working groups, raised similar concerns, arguing that GDPR-level fines were excessively high for Albanian businesses, which led to questions regarding proportionality, fair enforcement and the overall feasibility of a complete transposition of the regulation.
Although these concerns were widely acknowledged, the fines were ultimately retained unchanged to ensure full alignment with the GDPR framework. To mitigate the negative impact on local entities, the Data Protection Commissioner issued an Instruction aimed at developing a methodology for calculating and applying fines that would be more suitable for the Albanian context. However, this Instruction remains complex and may introduce interpretative uncertainties and confusion among the stakeholders affected.
V. Conclusion
The increase in fines in early 2026 shows that the Data Protection Commissioner has moved from awareness to active enforcement of the Data Protection Law.
Despite concerns about the fairness of GDPR-aligned penalties and complex fine calculations in Albania, enforcement remains strong. Organizations need to improve internal processes, document accurately and establish accountability to manage regulatory risks.
Integrating data protection into corporate governance and fostering a compliance-oriented culture are essential for meeting regulatory expectations. Additionally, poor data protection can lead to significant reputational damage, highlighting the importance of robust privacy practices for trusted business operations.