Data protection
1. Local data protection laws and scope
Primary legislation: Law No. 124/2024 “On Personal Data Protection”, effective from December 2024, which repealed Law No. 9887 of 10 March 2008. The new law aligns Albanian data protection rules fully with the EU General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR) and the Law Enforcement Directive (Directive (EU) 2016/680).
This law applies to:
- Controllers and processors established in Albania;
- Diplomatic and consular missions of Albania abroad;
- Controllers and processors not established in Albania that process personal data of individuals located in Albania, where processing activities relate to the offering of goods or services or monitoring their behaviour.
It covers automated and non-automated processing of personal data forming part of a filing system.
Exemptions: Processing by natural persons for purely personal or household purposes, and processing for journalistic or artistic expression subject to safeguards ensuring privacy rights.
2. Data protection authority
Commissioner for the Right to Information and Protection of Personal Data (the “Commissioner”) – the independent authority responsible for monitoring, investigating, and enforcing compliance with data protection legislation.
Key new powers (2024 amendments):
- Conduct on-site and remote inspections;
- Order immediate suspension or deletion of unlawful data processing;
- Issue administrative fines up to ALL 20 million or 4% of the global annual turnover, whichever is higher;
- Approve certification mechanisms and standard contractual clauses.
3. Anticipated changes to local laws
N/A
4. Sanctions & non-compliance
N/A
5. Registration / notification / authorisation
The obligation to notify data processing activities to the Commissioner has been abolished, replaced by the requirement for controllers and processors to maintain a record of processing activities available upon request (Article 29 of Law 124/2024).
Prior authorisation remains necessary only for:
- High-risk processing operations identified by the Commissioner;
- International transfers based on ad hoc clauses or contractual mechanisms.
6. Legal Grounds for Processing
Personal data may be processed only where one of the following applies:
- Consent of the data subject (freely given, specific, informed, and unambiguous);
- Necessity for the performance of a contract or pre-contractual measures;
- Compliance with a legal obligation;
- Protection of vital interests of the data subject or another person;
- Performance of a task carried out in the public interest or in the exercise of official authority;
- Legitimate interests pursued by the controller or a third party, provided these are not overridden by the interests or rights of the data subject.
Processing of special categories of personal data (sensitive data) is prohibited unless one of the specific conditions in Article 9 of the Law applies (e.g., explicit consent, substantial public interest, healthcare, or legal claims).
7. Obligations of Controllers and Processors
Controllers and processors must:
- Implement appropriate technical and organisational measures ensuring compliance (accountability principle);
- Design and implement data protection by design and by default;
- Keep records of processing activities;
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk operations;
- Appoint a Data Protection Officer (DPO) where required (for public bodies or large-scale monitoring/processing of sensitive data);
- Ensure data processing agreements meet minimum legal requirements.
Breach notification to the Commissioner must be made within 72 hours of awareness (Article 35), unless the breach is unlikely to result in a risk to rights and freedoms.
Processing by third parties
Processing of personal data by third parties is permitted only where the controller ensures that such processing is governed by a written contract or other binding legal act between the controller and the processor.
The contract must stipulate that the processor:
- processes the personal data only on documented instructions from the controller;
- ensures that persons authorised to process personal data are bound by confidentiality obligations;
- implements appropriate technical and organisational security measures in accordance with Article 32 of Law No. 124/2024;
- assists the controller in fulfilling obligations relating to data subject rights, security, and breach notifications;
- deletes or returns all personal data to the controller after the end of the provision of services, and deletes existing copies unless required by law to retain them;
- makes available to the controller all information necessary to demonstrate compliance and allows for audits or inspections by the controller or by another auditor mandated by the controller.
The processor may not engage another processor (sub-processor) without the controller’s prior written authorisation. When authorised, the processor must ensure that the same data protection obligations apply to the sub-processor.
Controllers and processors established outside Albania remain jointly liable for damage caused by non-compliant processing unless they prove that they are not responsible for the event giving rise to the damage.
8. Cross-border transfer
Transfers of personal data outside the territory of Albania are permitted only where the recipient country or international organisation ensures an adequate level of protection for personal data.
Adequacy is assessed and recognised by the Commissioner for the Right to Information and Protection of Personal Data through formal decisions or on the basis of international agreements ratified by Albania.
9. Transfers to Non-Adequate Jurisdictions
Where no adequacy decision exists, controllers and processors may transfer personal data only if appropriate safeguards are implemented, and data subjects are provided with enforceable rights and effective legal remedies.
These safeguards may include:
- Standard Contractual Clauses (SCCs) adopted or approved by the Commissioner;
- Binding Corporate Rules (BCRs) for intra-group transfers, approved by the Commissioner;
- Codes of conduct or certification mechanisms accompanied by binding and enforceable commitments by the recipient;
- Ad hoc contractual clauses authorised by the Commissioner prior to the transfer.
10. Derogations for Specific Situations
In the absence of adequacy or safeguards, a transfer may take place only if one of the following applies:
- The data subject has explicitly consented to the proposed transfer after being informed of the possible risks;
- The transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual measures;
- The transfer is necessary for important reasons of public interest, to establish or defend legal claims, or to protect vital interests where the data subject is unable to consent;
- The transfer is made from a public register that is intended to provide information to the public.
11. Authorisation and Accountability
Transfers based on ad hoc clauses or derogations require prior authorisation from the Commissioner.
Controllers must carry out and document a transfer risk assessment, identifying the level of protection in the recipient jurisdiction and any supplementary measures necessary to ensure compliance with Albanian law and GDPR-equivalent standards.
Controllers and processors remain jointly liable for damages resulting from unlawful international transfers unless they prove that they are not responsible for the event giving rise to the damage.
12. Authorisation requirements
Under Law No. 124/2024 “On Personal Data Protection”, the general obligation to register or notify the Commissioner of all data processing activities has been abolished.
However, specific authorisation from the Commissioner remains mandatory in certain circumstances where the processing presents a high risk to the rights and freedoms of individuals or involves particular data transfer mechanisms.
1. Prior Authorisation for High-Risk Processing
The Commissioner may require controllers to obtain prior authorisation before initiating data processing activities that are considered high-risk, including where:
- Processing involves large-scale use of special categories of personal data (e.g. health, biometric, genetic, or criminal data);
- Processing entails systematic monitoring of publicly accessible areas or individuals;
- Data is used for automated decision-making or profiling that produces legal or significant effects on individuals;
- A Data Protection Impact Assessment (DPIA) identifies residual high risk after mitigation measures.
In such cases, controllers must submit a written application to the Commissioner containing:
- A detailed description of the intended processing operations and purposes;
- The categories of personal data and data subjects;
- The envisaged security and organisational measures; and
- The results of any DPIA conducted.
The Commissioner must respond within six weeks, extendable by an additional six weeks for complex cases.
2. Authorisation for International Data Transfers
Prior authorisation is required for cross-border data transfers that rely on:
- Ad hoc contractual clauses not previously approved or standardised;
- Derogations where no adequacy decision or standard safeguards exist;
- Transfers to countries under a restrictive or sanction regime.
Controllers must justify the transfer’s necessity and the safeguards applied to protect the data subject’s rights.
3. Authorisation for Specific Processing in the Public Interest
Authorisation is also required for certain processing operations carried out:
- By public authorities for law enforcement or national security purposes involving private-sector cooperation;
- For research or archiving in the public interest where data subjects’ rights cannot be fully exercised.
In such cases, the Commissioner may impose additional conditions to ensure proportionality, necessity, and adequate safeguards.
4. Renewal, Amendment, and Revocation
Authorisations are typically valid for the duration of the processing described in the application.
Any substantial change to the purpose, scope, or nature of processing must be notified to the Commissioner for reassessment.
The Commissioner may revoke or suspend authorisation if processing no longer complies with the conditions set out in the approval or if it poses new, unforeseen risks.
5. Practical Implications
Businesses should:
- Conduct DPIAs for all potentially high-risk operations;
- Retain documentation evidencing the assessment and communications with the Commissioner;
- Integrate authorisation procedures into their internal compliance governance and privacy management systems.
13. Data Security
Controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required under Article 32 of Law No. 124/2024.
These measures must protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
1. Security Measures
When assessing the appropriate level of security, controllers and processors must consider:
- The nature, scope, context, and purposes of the processing;
- The risks of varying likelihood and severity for the rights and freedoms of individuals; and
- The state of the art, implementation costs, and proportionality.
Typical security measures include:
- Encryption and pseudonymisation of personal data;
- Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems;
- Procedures for timely restoration of data availability and access following an incident;
- Regular testing and evaluation of technical and organisational controls;
- Access control policies and user authentication mechanisms;
- Physical and network security controls, including firewalls and intrusion detection systems.
The controller bears the primary responsibility for implementing these safeguards and must ensure that processors and any sub-processors adhere to equivalent standards through contractual obligations and regular audits.
2. Data Breach Notification
Under Article 35 of Law No. 124/2024, the controller must notify the Commissioner of any personal data breach within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Where notification is delayed, the controller must provide reasons for the delay.
The notification must contain:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected;
- The likely consequences of the breach; and
- Measures taken or proposed to address the breach and mitigate its possible effects.
If the breach is likely to result in a high risk to individuals, the controller must also communicate the breach to the data subjects without undue delay, unless an exemption applies (e.g., data encrypted or risk effectively mitigated).
Processors must notify the controller without undue delay after becoming aware of a breach.
3. Security Governance and Accountability
Controllers are required to:
- Maintain internal policies and training programmes for staff;
- Conduct periodic security risk assessments and update measures accordingly;
- Keep records of incidents, notifications, and remedial actions;
- Implement data protection by design and by default, ensuring that security and privacy principles are embedded throughout the lifecycle of data processing.
The Data Protection Officer (DPO) plays a central role in monitoring compliance, advising on security practices, and serving as a contact point with the Commissioner.
4. Intersection with Cybersecurity Law
Under Law No. 25/2024 “On Cybersecurity”, entities operating in critical or important sectors (e.g. energy, finance, healthcare, public administration, telecommunications) must adopt enhanced cybersecurity standards consistent with the EU NIS2 Directive.
They are also required to:
- Report cybersecurity incidents to the National CSIRT within 24 hours;
- Coordinate with the National Authority for Cybersecurity (AKSK) and the Commissioner when incidents involve personal data breaches;
- Align technical measures under both data protection and cybersecurity frameworks to avoid duplication and ensure consistency.
5. Enforcement
Failure to comply with data security and breach notification obligations may result in administrative fines up to ALL 20 million or 4% of global annual turnover, as well as potential criminal liability for serious violations involving intentional or negligent disclosure of personal data.
14. Breach Notification & Direct Marketing
Controllers have a legal obligation under Article 35 of Law No. 124/2024 to notify the Commissioner for the Right to Information and Protection of Personal Data of any personal data breach without undue delay and, where feasible, within 72 hours after becoming aware of it.
If the notification is not made within 72 hours, it must be accompanied by an explanation of the reasons for the delay.
Content of the notification
The notification must include:
- A description of the nature of the personal data breach, including the categories and approximate number of affected data subjects and records;
- The name and contact details of the Data Protection Officer (DPO) or other contact point;
- A description of the likely consequences of the breach; and
- The measures taken or proposed to address and mitigate the breach’s effects.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the breach to affected data subjects without undue delay, unless:
- The controller has implemented appropriate technical and organisational protection measures (e.g. encryption) rendering the data unintelligible;
- Subsequent measures have been taken that ensure the high risk is no longer likely to materialise; or
- Communication would involve disproportionate effort (in which case a public communication must be made).
Processors must notify the controller immediately after becoming aware of a personal data breach.
Failure to comply with these obligations may result in administrative fines of up to ALL 10,000,000 or, for severe cases, ALL 20,000,000 or 4% of annual global turnover.
15. Direct Marketing
Direct marketing activities are regulated under Articles 6, 7, and 25–27 of Law No. 124/2024, ensuring that individuals maintain control over how their personal data is used for promotional purposes.
1. Consent Requirement
Direct marketing via electronic communications (e.g., email, SMS, automated calls, social media) requires the prior, explicit, and informed consent of the recipient.
Consent must be freely given, specific, and capable of being withdrawn at any time, without detriment to the individual.
Controllers must maintain documented proof of consent and provide a clear, easy-to-use mechanism for withdrawal (“opt-out”).
2. Soft Opt-In Exception
A limited exception applies where:
- The data subject’s contact details were obtained in the context of a sale or service relationship;
- The marketing relates to similar products or services offered by the same controller; and
- The recipient was given a clear and easy opportunity to object (opt-out), both at the time of data collection and in each subsequent message.
This exception does not apply to communications initiated by third parties or unrelated business entities.
3. Right to Object
Data subjects have the right to object at any time to the processing of their personal data for direct marketing purposes, including profiling related to such marketing.
Once an objection is raised, the controller must immediately cease all related processing activities.
4. Sanctions and Enforcement
The Commissioner actively monitors compliance in the area of electronic communications and marketing.
Unlawful marketing practices (e.g., unsolicited email campaigns, lack of consent or opt-out options) may lead to fines of up to ALL 10,000,000 and mandatory suspension of marketing operations.
The Commissioner may also order public disclosure of violations as a corrective measure.