The long-awaited draft law "On the Protection of Personal Data" (the "New Law"), closely aligned with the GDPR, has recently been approved by the Albanian Council of Ministers. While the exact timeline remains uncertain, it is anticipated that the New Law will soon be passed by Parliament and come into force.
Key highlights of the New Law include a broader scope, stricter fines, additional obligations for data controllers and processors, and enhanced rights for data subjects to strengthen personal data protection and public awareness.
General improvements introduced by the new law
- New Terms/Definitions: The New Law introduces terms such as "data minimization", "pseudonymization" and "profiling", while also providing definitions that align with GDPR terminology for concepts such as "genetic data", "biometric data", "criminal data" and others.
- BCR as part of the New Law: The New Law will allow data transfers to countries with inadequate data protection without the Commissioner's authorization, using new tools such as "Standard Contractual Clauses" and "Binding Corporate Rules", which are now incorporated directly into the New Law.
- Expanded Scope of Applicability: The New Law will have an extraterritorial reach, extending its applicability to controllers located outside Albania whose processing activities involve offering goods or services to, or monitoring the behavior of, data subjects within Albania.
- Local Representatives of Foreign Controllers: Foreign controllers or processors must appoint a local representative in Albania. The representative is authorized to address, alongside or in place of the controller or processor, all matters related to processing, to ensure compliance with the New Law.
How will the new law impact data subjects?
A significant aspect of the New Law is the introduction of enhanced and expanded data subject rights, designed to provide individuals with greater control over their personal data. Key improvements include:
- Refinement of the "right to information" ensuring that the controller provides requested information in a concise, transparent, understandable, and easily accessible form, especially for minors.
- Broadening the scope of the "right of access" to allow data subjects to request information on the estimated storage period or criteria, the legal basis of processing, categories of personal data and their sources, categories of recipients, as well as details on data transfers to foreign countries and the associated protection measures.
- Strengthening the "right to restriction of processing" allowing data subjects to file a complaint with the Albanian Data Protection Commissioner if the controller rejects their request.
- Introducing the "right to be forgotten" allowing data subjects to request the deletion of their personal data, ensuring its removal from social networks, internet search engines, and other online platforms.
- Introducing the “right to data portability”, which applies when data processing is automated and based on consent or contracts, allowing the data subject to receive and transfer their data from one controller to another, where technically feasible.
New obligations for data controllers and processors
For the first time in data protection legislation, new obligations have been introduced for controllers and processors to ensure more effective information security in personal data processing:
- The introduction of Data Protection Impact Assessment (DPIA) prior to commencing a processing activity, aimed at identifying potential risks to the rights and freedoms of data subjects and minimizing risks when the processing presents a high level of risk.
- The obligation to consult with the Data Protection Commissioner before initiating data processing if this processing poses a high risk to the data subject.
- The obligation to document all data breaches and notify the Data Protection Commissioner of those likely to impact data subjects, within 72 hours of detection. In addition, data processors must notify the controllers of the breach without undue delay. If the data breach poses a high risk to data subjects' rights or freedoms, the controller must promptly inform the affected parties, unless appropriate protective measures have been implemented to mitigate the risk.
- Introducing the principles of Data Protection by Design and Data Protection by Default, which require controllers to integrate data protection measures into every stage of their operations.
- Establishing the obligation for multiple controllers to formalize their relationship through a written agreement that defines each controller's responsibilities under the new law, with key provisions of the agreement made available to data subjects.
- Introducing a certification mechanism as a tool to demonstrate compliance with the data protection legal framework and to provide adequate guarantees for data security during processing activities.
New financial penalties matching GDPR levels
- Up to 1 billion ALL (approx. EUR 10 million) or, for corporate entities, up to 2% of the global annual turnover from the preceding financial year, whichever is greater.
- Up to 2 billion ALL (approx. EUR 20 million) or, for corporate entities, up to 4% of the global annual turnover from the preceding financial year, whichever is greater.