1 Relevant Legislation and Competent Authorities

1.1 What is the principal data protection legislation?

  • Constitution of the Republic of Albania.
  • Law no. 9887, dated 10.03.2008 "On personal data protection" as amended.
  • Decision of the Parliament no. 211, dated 11.09.2008 "On the appointment of the Commissioner for the protection of personal data".
  • Decision of the Parliament no. 225, dated 13.11.2008 "On approving of the structure, staff and classification of the working positions in the office of the Commissioner for the protection of personal data".
  • Decision of the Commissioner for the protection of personal data no. 3, dated 20.11.2012 "On the countries with an adequate level of protection for personal data" as amended.
  • Decision of the Commissioner for the protection of personal data no. 4, dated 27.12.2012 "On exceptions to the obligation to notify the processing of personal data".
  • Decision of the Commissioner for the protection of personal data no. 2, dated 10.03.2010 "On determination of procedures for registration administration of data and their recording, procession and extraction".

1.2 Is there any other general legislation that impacts data protection?

The Republic of Albania has also ratified the following international acts:

  • Convention on the Protection of Individuals regarding the automatic processing of personal data (Law no. 9288/2004) ("the Convention").
  • Additional Protocol to the Convention regarding supervisory authorities and trans-border flows of personal data (Law no. 9287/2004).

1.3 Is there any sector specific legislation that impacts data protection?

In order to further regulate the processing of personal data and ensure the correct implementation of the law's provisions, the competent authority on personal data protection has issued several instructions, guidelines and orders.

1.4 What is the relevant data protection regulatory authority(ies)?

The competent authority is the Information and Data Protection Commissioner ("the Commissioner").

2 Definitions

2.1 Please provide the key definitions used in the relevant legislation:

  • "Personal Data"
    "Personal Data" refer to any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
  • "Sensitive Personal Data"
    "Sensitive Personal Data" mean any information relating to a natural person that refers to his racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, or criminal record, as well as data concerning his health and sexual life.
  • "Processing"
    "Processing" of personal data means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, transmission, dissemination or otherwise making available, alignment or combination, photographing, reflection, entering, filling in, selection, blocking, erasure or destruction, even though they are not recorded in a database.
  • "Data Controller"
    "Data Controller" means the natural or legal person, public authority, agency or any other body, which alone or jointly with others determines the purposes and means of processing of personal data, in compliance with the laws and applicable secondary legislation, responsible for the fulfilment of obligations defined by the law provisions.
  • "Data Processor"
    "Data Processor" means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the data controller.
  • "Data Subject"
    "Data Subject" means any natural person whose personal data are being processed.
  • Other key definitions please specify (e.g., "Pseudonymous Data", "Direct Personal Data", "Indirect Personal Data")

    • "Anonymous Data"
      "Anonymous Data" means any data, which in its origin or during its processing, may not be associated to any identified or identifiable individual.

3 Key Principles

3.1 What are the key principles that apply to the processing of personal data?

  • Transparency
    The transparency principle is not expressly provided for in the applicable legislation, although it can be inferred from other provisions of the law, such as the duty to inform the data subject, processing for a specific purpose and limited in time, etc.
  • Lawful basis for processing
    Based on the provisions of the Law no. 9887, dated 10.03.2008 "On personal data protection" as amended ("the Law"), one of the guiding principles is the fair and lawful processing of personal data.
  • Purpose limitation
    Furthermore, the legislator stipulates that personal data are collected for specific, clearly defined and legitimate purposes and shall be processed in a way that is compatible with these purposes.
  • Data minimisation
    The principle of data minimisation is not addressed separately in the Law but is applied as a combination of the principles of proportionality and retention.
  • Proportionality
    Based on the Law provisions, personal data must be proportionate and correlated with the scope of processing, and not excessive in relation to the purposes for which they are collected and processed.
  • Retention
    The legislator provides that personal data cannot be kept for longer than is necessary for the purpose for which they were collected or further processed. The Law does not contain a specific provision determining the minimum or maximum time for the retention of personal data. However, there exist time limits applicable to specific sectors, as determined by the decision of the Commissioner.
  • Other key principles please specify

    • Data accuracy
      In addition to the above, the protection of personal data is based on data that are accurate and, where necessary, updated. For this purpose, the law provides that every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified.

Originally published in Global Legal Group Ltd

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.