CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

Law n. 9887 dated 10 March 2008 “On protection of personal data”.

This law shall apply to the processing of personal data, wholly or partly by automatic means and to the processing by other means of a personal data stored in a filing system, or intended to form part of a filing system. 

This law shall apply to the processing of personal data by:

  1. controllers established in the Republic of Albania;
  2. diplomatic missions or consular offices of the Albanian state;
  3. controllers who are not established in the Republic of Albania, making use of any equipment situated in the Republic of Albania; 

In circumstances stipulated in point 3, the controller designates a representative established in the territory of Albania. Stipulations of this law applying to controllers are also applicable to their representatives. This law applies also to the public authorities that process personal data.

This law is not applicable to processing of data: 

  • by a natural person for purely personal or family purposes;

only in case the information is provided about public officials or public (state) administration servants, reflecting their public, administrative activities or issues related to their duties.

The principal data protection legislation is Law 19.628 “on protection of private life” (also known as the Chilean Data Protection Law or “CDPL”). 

There are also two other legal provisions that regulate some aspects of personal data processing:

  • The Chilean Constitution, in its article 19 No. 4 and No. 5, which enshrine the right to privacy, as well as the protection of personal data, and also;
  • Law 19.496 (Consumer Protection Law) that establishes the regulation regarding unsolicited commercial marketing communications for consumers.

2. Data protection authority

The Commissioner for the Right to Information and Protection of Personal Data is the independent authority in charge of supervising and monitoring the protection of personal data and the right to information by respecting and guaranteeing the fundamental human rights and freedoms in compliance with the law.

Chile does not have a Data Protection Authority.

3. Anticipated changes to local laws

Law no. 48/2012 "On some additions and changes to the law no. 9887, dated 10 March 2008" On the protection of personal data", dated 08 May 2012.

Law no. 120/2014 "On some additions and changes to the law no. 9887, dated 10 March 2008" On the protection of personal data", dated 18 September 2014.

Congress is discussing a new law that will replace the current one and raise the protection standards.

Anticipated changes:

  • A new legal definition: The objective will be to update and expand it, in accordance with international standards;
  • Legitimate Basis for Processing: A more robust basis for processing has been incorporated;
  • The creation of a Data Protection Authority: A National Directorate for Personal Data Protection with the obligation to register databases;
  • Cross-Border Data Transfer: It will be regulated for the first time. According to the current law, there is no statement that controls cross-border data transfers.
  • A new set of infringements;
  • A complaint procedure: This procedure will consist of three steps. First, a direct claim to the data processor. Secondly, an administrative claim before the new National Directorate for Personal Data Protection, and finally, a judicial claim that disputes the decision of the National Directorate for Personal Data Protection.

4. Sanctions & non-compliance

Cases of data processing in contradiction with the provisions of this law do not constitute any criminal offence and are subject to a fine. The Fines shall be imposed by the Commissioner when he finds that the obligations set forth in the law are infringed.

Since there is no Data Protection Authority, sanctions can only be imposed by a judge (in a civil procedure). To this end, Law 19.628 establishes a special procedure called “habeas data”. However, it is common practice to also use the “Remedy for the Protection of Constitutional Rights”, a constitutional action, to protect the fundamental rights affected by an illegal or arbitrary treatment of personal data.

5. Registration / notification / authorisation

Registration and the notification must contain the following information:

  • name and address of the controller;
  • the purpose of processing personal data;
  • categories of data subjects and categories of personal data;
  • recipients and categories of recipients of personal data;
  • the proposal for international transfers that the controller intends to carry out;
  • a general description of the measures for the security of personal data (this is not part of the registration)
The responsibility to notify

Every controller shall notify the Commissioner about the processing of personal data for which he is responsible. The notification shall be made before the controller processes the data for the first time, or when a change of the processing notification status is required.

The processing of personal data the sole purpose of which is to keep a record, which in accordance with the law or sub-legal acts provides information for the public in general, is exempted from the obligation to notify the processing of data. Data that are processed for the purpose of protection of the constitutional institutions, interests of national security, foreign policy, economic or financial interests of the state, prevention or prosecution of the criminal offences are exempted from the obligation to notify. 

Other cases on which notification is not necessary are established under a decision of the Commissioner.

There is no registration or notification obligation since there is no data protection authority in Chile and the law does not establish this requirement.

6. Main obligations and processing requirements

Protection of personal data is based on: 

  • processing that is fair and lawful; 
  • a collection for specific, clearly defined and legitimate purposes and shall be processed in a way that is compatible with these purposes; 
  • adequate data, which are relevant to the purpose of their processing and not excessive in relation to such purpose; 
  • accurate data, and where necessary, updated; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
  • keeping data in a form that allows the identification of data subjects for no longer than it is necessary for the purpose for which they were collected or further processed;

The controller is in charge of applying these requirements to all kinds of processing of data, be it automatically or by other means.

The personal data may be processed only if:

  • Personal data subject has given his or her consent;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to negotiate or amend a draft/contract at the request of the data subject;
  • in order to protect the vital interests of the data subject;
  • to comply with a legal obligation of the controller;
  • for the performance of a legal task of public interest or in exercise of powers of the controller or of a third party to whom the data are disclosed;
  • processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the data subject’s right to protection of personal life and privacy.

Processing of personal data in the framework of crime prevention and prosecution activities, in cases of a criminal offence against the public order and other violations in the field of criminal law, defence and national security, shall be performed by official authorities as stipulated in the law. 

In the event, the controller or processor may carry out personal data processing for the purpose of offering business opportunities or services provided that the data were taken from a public list of data. 

The controller or processor cannot process any further the data specified in this paragraph, if the data subject has expressed his or her disagreement or has objected to further processing. No additional personal data may be attached to the data specified above without the consent of the data subject. 
The controller is allowed to keep the personal data in its own filing system.

Such data can only be used if the data subject gives his or her consent.

The collection of personal data which is related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his or her explicit consent.

Obligations of the Controller and Processor:

  • obligation to inform;
  • obligation to rectify and erase;
  • obligations of the Processor.

Data processing: 

According to the CDLP the processing of all data shall be carried out:

  • In a manner consistent with the law;
  • For the purposes permitted by the legal system; and
  • With attention to the full exercise of the fundamental rights of the data subject.

Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.

Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or whose validity is doubtful.

Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data information related to the data bank; an obligation that does not cease upon completion of its functions or activities in that field.

Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law)
Personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:

  • The law authorises it;
  • The data subject expressly accepts said processing;
  • Such data is necessary to establish or grant health benefits that pertain to the respective data subject.

Data security: Article 11 of the law establishes that those responsible for the registries or personal data must “take care of them with due diligence” and be liable for damages.

7. Data subject rights

  • The right to access;
  • right to request blocking, rectification and erasure;
  • automated decision;
  • right of the data subject to refuse;
  • right to complain;
  • compensation for damage.

Access to data

The rights pertaining to all data subjects to demand from the person responsible for any public or private data bank, any information that pertains to them, its source, the purpose for collecting, the legality of the data processing and the name of the individuals or entities to which the data is regularly transmitted. 

Correction and deletion

Correction or modification: The right of all data subjects to request the modification of inaccurate, incomplete, misleading or outdated data that concerns them.

Cancellation

The right of all data subjects to demand the destruction or cancellation of personal data when the purpose of its storage has no legal basis or when it has expired.
Data subjects have the right to request the cancellation of data, if the data storage is not authorised by law or if the authorisation has expired. The data subject is also entitled to exercise this right even if this data has been voluntarily provided or is being used for commercial communications, and he no longer wishes to appear in such records, temporarily or permanently.

Marketing objection

The Consumer Protection Law regulates unsolicited commercial or marketing communications sent by email to consumers. That communication must obtain a valid email address to which the recipient may request the suspension of future communications.

8. Processing by third parties

Processing by third parties is not allowed.

The laws do not regulate processing by third parties. According to Article 8 of the CDLP:
If the processing of personal data is carried out by virtue of a mandate, the general rules will apply. Also, the mandate must be granted in writing, regulating the conditions of use of the data.

9. Transfers out of country

International transfer 

The international transfer of personal data is allowed for recipients from states which have an adequate level of personal data protection. The level of personal data protection for a state is established by assessing all circumstances related to nature, purpose and duration of the processing, country of origin and final destination, legal provisions and security standards in force in the recipient state. States that have an adequate level of data protection are assessed under a decision by the Commissioner. International transfer of personal data with a state that does not have an adequate level of personal data protection may be carried out when: 

  • it is authorised by international acts ratified by the Republic of Albania and are directly applicable; 
  • the data subject has given his or her consent for the international transfer; 
  • the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in addressing the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, in the interest of the data subject;
  • it is a legal obligation of the controller; 
  • it is necessary for protecting vital interests of the data subject; 
  • it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right;
  • transfer is done from a register that is open for consultation and provides information to the general public. 

Exchange of personal data to the diplomatic representations of foreign governments or international institutions in the Republic of Albania shall be considered an international transfer of data. 

International transfer of data that need to be authorized 

In cases other than those provided herein, the international transfer of personal data with a state that does not have an adequate level of data protection, shall be carried out upon an authorisation from the Commissioner, if adequate safeguards are foreseen with respect to the protection of the privacy and fundamental human rights and freedoms, as well as regarding the exercise of the corresponding rights. 

The Commissioner, after making an assessment, under the specification provided herein may give authorisation to transfer personal data to the recipient State by defining conditions and obligations. 

The Commissioner issues instructions in order to allow certain categories of personal data international transfer to a state that does not have an adequate level of personal data protection. In these cases, the controller is exempted from the authorisation request. 

The controller shall submit a request for authorisation to the Commissioner prior to the data transfer. In the authorisation request, the controller shall guarantee the observance of the interests of the data subject to protection of confidentiality outside the Republic of Albania.

The law does not establish specific requirements or restrictions on transfers of personal data abroad.

However, the law contains rules for the automated transmission of data. Article 5 of the law prescribes that the person responsible for the database can establish an automated system for the transmission of personal data, provided that it adequately ensures the rights or interests of the parties involved and such transmission is strictly related to the duties and objectives of the participating entities.

In the case of a request for the transmission of personal data through an electronic network, the following shall be recorded:

  • Identification of the requesting party;
  • Reason and purpose of the request;
  • Type of data transmitted.

The law does not restrict transfers of personal data to third countries.

Since there are no data transfer restrictions, foreign companies mostly rely on standard clauses to binding corporate rules established by EU legislation. 

The transfer of personal data does not require registration/notification or prior approval from the relevant data protection authority or entity (given the fact that this body does not exist)

10. Data Protection Officer

The Commissioner.

There is no legal requirement for the appointment of a Data Protection Officer.

11. Security

The controller or the processor shall take appropriate organisational and technical measures in order to protect personal data from unlawful or accidental destruction, accidental loss, from access or disclosure to unauthorised persons, especially when the processing of data takes place in a network, as well as from any other unlawful form of processing. 

The controller shall take the following special security measures: 

  • defines the functions of the organisational units and those of the operators as regards the use of data;
  • data shall be used with the order of authorised organizational units or operators; 
  • instructs all operators concerning their obligations, in conformity with this law and the internal regulations on data protection, including the regulations on data security;
  • Prohibits access of unauthorised persons to the working facilities of the data controller or processors;
  • data and programmes shall be accessed only by authorised persons;
  • Prohibits access to the filing system and their use by unauthorised persons; 
  • Operation of the data processing equipment shall be carried out upon authorisation and every device shall be secured with preventive measures against unauthorised operation;
  • records and documents the alteration, rectification, erasure, transfer, etc. 

The controller is obliged to document the technical and organisational measures adjusted and implemented to ensure protection of personal data in compliance with the law and other legal regulations. 

The data recorded shall not be used for different purposes which are not compliant with the purpose of collection. Acquaintance with or processing of the data registered in files for a purpose other than the right to enter the data shall be prohibited. In case data are used to guarantee national security, public security, for prevention or investigation of a criminal offence, or prosecution of the author thereof, or of any infringement of ethics for the regulated professions, it is exempted from this rule. Documentation of the data shall be kept for as long as it is necessary for the purpose for which they were collected.

The security level shall be in compliance with the nature of personal data processing. Detailed rules on data security shall be specified by decision of the Commissioner. Procedures for the administration of the data registration, data entry, their processing and disclosure shall be regulated by a decision of the Commissioner.

Controllers, processors and persons who come to know the content of the processed data while exercising their duty, shall remain under obligation of confidentiality and credibility even after termination of their functions. These data shall not be disclosed save when otherwise provided by law. Everyone acting under the authority of the controller or the processor shall not process the personal data to which he or she has access, without the authorisation of the controller, unless it is mandatory by law.

There are no legal requirements to take appropriate technical and security measures to protect personal data, but the data processor will always be liable for the damages caused by the leaking of information.

12. Breach notification

N/A

There is no legal obligation to notify to the authority data breach events.

13. Direct marketing

Collection of personal data that is related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his explicit consent.

The data subject has the right to ask the controller not to start processing, or if processing has started, to stop the processing of personal data related to him or her for the purposes of direct marketing and to be informed in advance before personal data are disclosed for first time for such purpose.

Direct marketing is regulated by the Consumer Protection Law. This Law regulates unsolicited commercial marketing communications sent by email to consumers, specifying, among other things, that such communications must contain a valid email address to which the recipient may request the suspension of further communications, also known as an opt-out system. From the moment the recipient requests the suspension of sending further emails, any communication or unsolicited email is prohibited by law.

14. Cookies and adtech

N/A

The CDPL does not directly regulate the use of cookies or similar technologies. 

15. Risk scale

Moderate

Low

Cybersecurity

1. Local cybersecurity laws and scope

Law n. 2/2017 “For Cyber Security”, dated 09.02.2017

Chile does not have a specific law to regulate cybersecurity. However, many laws regulate some aspects of cybersecurity, for example:

  • Ley N°20.285/2008 - Law on access to public information
  • Ley N°17.336/2004 - Intellectual Property Law
  • Ley N°19.927/2004 - Law amending criminal codes regarding child pornography crimes
  • Ley N°19.880/2003 - Law that establishes the bases of the administrative procedures that govern the acts of State administration bodies
  • Ley N°19.799/2002 - Law on electronic documents, electronic signature and certification services of said signature
  • Ley N°19.223/1993 - Law on criminal figures related to computing
  • Ley N°20.478/2010 - Law on recovery and continuity on critical and emergency conditions of the public telecommunications system
  • Ley N°20.285/2008 - Law on access to public information
  • Ley N°17.336/2004 - Intellectual Property Law
  • Ley N°19.927/2004 - Law amending criminal codes regarding child pornography crimes
  • Ley N°19.880/2003 - Law that establishes the bases of the administrative procedures that govern the acts of State administration bodies
  • Ley N°19.799/2002 - Law on electronic documents, electronic signature and certification services of said signature
  • Ley N°19.223/1993 - Law on criminal figures related to computing
  • Ley N°20.478/2010 - Law on recovery and continuity of critical and emergency conditions of the public telecommunications system

2. Anticipated changes to local laws

There are no anticipated changes to local laws.

On October 2018, a bill was introduced to the Senate to strengthen the cybercrime law, thus adapting the current regulation to the Budapest Convention standards. One of the amendments proposed in the bill is the inclusion of any cybercrime as a cause for a legal entity criminal liability under law No. 20,393. 

Thereby, if the amendment is approved, legal entities must prevent any cybercrimes from being carried out by their owners, controllers, executives, representatives or managers. The failure to maintain reasonable preventive measures shall cause the legal entity to be subject to criminal liability and therefore the following sanctions:

  • Fines from UTM 400 (an indexed unit of account) to UTM 300,000;
  • Partial or total loss of benefits or absolute prohibition of receiving them for a specified period;
  • Temporary or permanent prohibition to execute contracts with the State of Chile; and
  • Dissolution of the legal entity.

This bill was approved by the Senate and now has moved to the second constitutional procedure. It is likely to be approved in 2021.

3. Application 

This law is applied to communication networks and information systems, the violation or destruction of which would affect the health, safety, wealth of citizens and the effective functioning of the economy in the Republic of Albania.

Excluded from the application of this law are electronic communications networks and information systems that are subject to legal regulations in force for electronic signature, electronic identification and trusted services, electronic communications networks and information systems that process, archive or transmit classified information of the state, as well as electronic communications networks and information systems, as far as it is provided in the legislation on electronic communications in the Republic of Albania.

N/A

4. Authority

The National Computer Security Agency (ALCIRT) is the central authority for identifying, anticipating and taking measures to protect against computer threats and attacks, in accordance with applicable law.

N/A

5. Key obligations 

The responsible authority has the following competencies in the field of cyber security:

  • to determine cybersecurity measures;
  • to act as a central point of contact at the national level for the responsible operators in the field of cybersecurity and to coordinate the work to solve cybersecurity issues;
  • to manage incident reports in the cybersecurity sector and ensure their storage and registration;
  • to provide methodological assistance and support to the responsible operators in the field of cybersecurity;
  • to analyse for weaknesses in the field of internet security;
  • to perform awareness and education activities in the field of cybersecurity;
  • to act in the capacity of the national CSIRT.

The Authority coordinates its activities with security and defence institutions and cooperates with sectoral CSIRTs and international authorities in the cybersecurity sector, through joint agreements, in accordance with applicable law.

N/A

6. Sanctions & non-compliance 

  • Corrective measures;
  • Administrative offences;
  • Administrative sanctions.

N/A

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes.

The National Cybersecurity Centre (which is part of GCHQ) does not regulate the NIS Regulations but has a role in providing technical support and guidance by the following:

  • a Single Point of Contact (SPOC) – for engagement with EU partners, coordinating requests and submitting annual incident statistics;
  • a Computer Security Incident Response Team (CSIRT) to provide advice and support where reported incidents are identified or suspected of having a cybersecurity aspect;
  • being a Technical Authority on Cyber Security – to support OESs and CAs with advice and guidance, and to act as a source of technical expertise. For example, it provides:
    • a set of 14 NIS Security Principles for securing essential services;
    • a collection of supporting guidance for each principle;
    • a Cyber Assessment Framework (CAF) incorporating indicators of good practice; and implementation of guidance and support to CAs.

8. National cybersecurity incident management structure

Computer Security Incident Response Teams (CSIRTs) comprise computer security specialists at each operator that manages critical information infrastructure.

Yes, see above.

9. Other cybersecurity initiatives 

With NATO membership and progress towards EU membership, Albania is increasingly participating in European cybersecurity initiatives and programmes.

Initiatives in the Field of Information Society in SNSHI (Intersectoral Strategy for the Information Society), are as follows:

  • Keeping children safe online and encouraging and coordinating the process for codes of conduct
  • Establishment of the National Agency for Computer Security (ALCIRT)
  • Establishment of PKI (public key government infrastructure) infrastructure and provision of secure services

No.

Portrait of Evis Zaja
Evis Zaja
Local Partner
Tirana
Portrait of Merseda Aliaj
Merseda Aliaj
Associate
Tirana
Portrait of Diego Rodríguez
Diego Rodríguez, LL.M.
Partner
Santiago