The Data Protection Law distinguishes two types of cross-border data transfer:
- Transfer of data to countries with adequate protection of personal data (“Safe Countries”); and
- Transfer of data to countries without adequate protection of personal data (“Unsafe Countries”).
Safe Countries comprise signatories to the Strasbourg Convention of 28 January 1981 or countries that are included into the specific safe countries list of Roskomnadzor (includes Canada and Australia among others).
Requirements of the Data Protection Law apply to the transfer of personal data to the Safe Countries, i.e. the data controller can justify such transfer by any applicable ground.
Transfer to the Unsafe Countries (for example, the US) requires an additional qualified consent of the data subject, unless an exception applies.
The international transfer of personal data is allowed for recipients from states which have an adequate level of personal data protection. The level of personal data protection for a state is established by assessing all circumstances related to nature, purpose and duration of the processing, country of origin and final destination, legal provisions and security standards in force in the recipient state. States that have an adequate level of data protection are assessed under a decision by the Commissioner. International transfer of personal data with a state that does not have an adequate level of personal data protection may be carried out when:
- it is authorised by international acts ratified by the Republic of Albania and are directly applicable;
- the data subject has given his or her consent for the international transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in addressing the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, in the interest of the data subject;
- it is a legal obligation of the controller;
- it is necessary for protecting vital interests of the data subject;
- it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right;
- transfer is done from a register that is open for consultation and provides information to the general public.
Exchange of personal data to the diplomatic representations of foreign governments or international institutions in the Republic of Albania shall be considered an international transfer of data.
International transfer of data that need to be authorized
In cases other than those provided herein, the international transfer of personal data with a state that does not have an adequate level of data protection, shall be carried out upon an authorisation from the Commissioner, if adequate safeguards are foreseen with respect to the protection of the privacy and fundamental human rights and freedoms, as well as regarding the exercise of the corresponding rights.
The Commissioner, after making an assessment, under the specification provided herein may give authorisation to transfer personal data to the recipient State by defining conditions and obligations.
The Commissioner issues instructions in order to allow certain categories of personal data international transfer to a state that does not have an adequate level of personal data protection. In these cases, the controller is exempted from the authorisation request.
The controller shall submit a request for authorisation to the Commissioner prior to the data transfer. In the authorisation request, the controller shall guarantee the observance of the interests of the data subject to protection of confidentiality outside the Republic of Albania.