Impact of the GDPR in Albania

1. Applicable legislation governing data protection in Albania

Law no. 9887/2008 on the Protection of Personal Data, as amended by Law no. 48/2012 and Law no. 120/2014, and the relevant secondary legislation, which mainly includes regulations and guidelines approved by the Commissioner for Protection of Personal Data (“supervisory authority”).

2. Comparison of the national data protection legislation with the GDPR

2.1 Categories of data

The Albanian Data Protection Law and the secondary legislation (hereinafter referred to as “ADPL”) define general personal data and special categories of personal data in a fairly similar manner to the GDPR, although the GDPR provides more specific provisions in certain areas, such as special categories of data (e.g., precise definitions of genetic, health and biometric data, which are not expressly included under the ADPL).

2.2 Data Controller and Processor Obligations

In general, under the Data Protection Law, controllers must ensure:

  • appropriate technical and organizational measures are implemented and an adequate level of security in data processing is applied;
  • data processing agreements are concluded with data processors in accordance with the applicable rules;
  • data subjects’ consent is obtained in form and content as and when required under the law;
  • records are kept of any processing activities;
  • data subjects’ rights are complied with (e.g., the right to be informed); and
  • official notification to the supervisory authority is performed in due time (before the processing takes place). 

The ADPL obliges the data controller to notify the supervisory authority before starting to process the respective personal data or in case of changes related to such processing (i.e. new categories of data or data subjects). The GDPR does not provide for such an obligation.

The GDPR is more expansive on the topic and provides for further obligations for both controllers and processors that are not regulated by the ADPL, such as data breach notification requirements, the requirement to perform a data protection impact assessment, etc.

Under the ADPL, processing of the respective data by the data processor must be performed based on the instructions of the data controller. However, the GDPR extends this obligation further, establishing that if a data processor is required to perform a relevant processing, it must comply with the applicable legal requirement regardless of the instructions of the data controller, and must give prior notice to the data controller on the matter. The ADPL does not oblige the data processor to notify the data controller, before processing personal data, about the relevant legal requirements that would oblige the data processor not to follow the instructions of the data controller.

2.3 Data subjects’ rights

The ADPL provides the following rights to data subjects/individuals:

  • the right to information;
  • the right to access;
  • the right to request blocking, rectification and erasure;
  • automated decisions: every data subject has the right not to be subject to decisions based only on automatic processing of the data that cause legal effects or that affect him/her by assessing certain personal aspects related to him/her, particularly his/her work efficiency, credibility or behavior;
  • the right of the data subject to refuse and/or object;
  • the right to complain;
  • compensation for damages.

The GDPR and the ADPL regulate similar data subjects’ rights, but there are many differences between them; the GDPR contains detailed and specific requirements for each right.

The two novel rights introduced by the GDPR, i.e. the right to be forgotten and the right to data portability, have not been transposed and implemented in the ADPL.

2.4 Protection granted

According to the ADPL, any data subject can file a complaint with the supervisory authority if his/her rights and/or legal interests in relation to the respective personal data have been infringed, and can request from the supervisory authority, inter alia, correction, blocking or erasure of the personal data or even suspension of the activities that caused the infringement.

In a similar manner, the GDPR prescribes a number of powers and authorisations for the supervisory authorities, and these are classified under investigative (e.g., notifying the controller/processor of an alleged infringement, obtaining access to all personal data, etc.), corrective (e.g., issuing warnings to controllers/processors), or advisory (e.g., issuing opinions, advising controllers, etc.) categories.

2.5 Data protection officer/Representative

A data protection officer is in principle required under the ADPL. The purpose of his/her appointment is substantially the same as in the GDPR.

Nevertheless, there are differences in the concept of appointment of the data protection officer and his/her role. The GDPR determines specific cases when the appointment of a data protection officer is mandatory (i.e. based on the type of personal data to be processed), while it is voluntary in all other cases. Under the ADPL, the appointment of such an officer is related to the number of staff working at the data controller/processor (equal to or more than 6 employees).

Moreover, the role of the data protection officer is rather different under the GDPR in comparison to the ADPL. Under the GDPR, the data protection officer must perform his/her duties quite independently, whereas under the ADPL a member of the staff may also be appointed as data protection officer.

With respect to the appointment of a data protection representative, similar to the GDPR requirement for non-EU entities that offer services to individuals in the EU, the ADPL provides for the appointment of a representative in Albania in the event that a data controller located outside Albania processes data through tools located in Albanian territory. In comparison to the GDPR, the ADPL does not further elaborate the concept and role of the data protection representative: it does not define the form, criteria and appointment procedures concerning the data protection representative or specify the extent of the representative’s liabilities.

2.6 Remedies

There are no major differences, since under both jurisdictions (GDPR and Albania) each data subject has the right to lodge a complaint with the supervisory authority and to submit a claim in court for the infringed right and/or demand remedy/compensation before the competent courts.

2.7 Fines

Monetary fines for breaches of the ADPL can amount to up to 2,000,000 ALL (approx. EUR 16,400). In comparison to the GDPR, the fines applied under the ADPL are rather mild and not as severe as those introduced by the GDPR.

2.8 Other major differences

None to note.

3. The GDPR impact

3.1 On existing legislation and prospective rules

The current ADPL has been in force since 2008 and replaced the old data protection law, which had been applicable since 1999. The current data protection legal provisions and policies reflect some of the main provisions of the GDPR, the most considerable part of which is implemented through the secondary legislation approved by the supervisory authority. Nevertheless, the currently applicable legal provisions in Albania (Data Protection Law and the secondary legislation) are not fully aligned with the GDPR. In this regard, the drafting of the new data protection law and the review of all the secondary legislation started in 2020 and is expected to be completed by the end of 2021.

3.2 In practice

In practice, although the local mandatory legislation has not yet been harmonised with the GDPR, this piece of EU legislation plays an important role across the business markets and industries in Albania. This is due to the operation of the GDPR-specific rules regulating its application within the EU and outside, addressing the cross-jurisdictional presence of EU businesses in Albania and vice versa.

In addition, the supervisory authority encourages compliance with the GDPR in anticipation of the expected harmonisation of national laws, provided that compliance with the obligations under the PDPA is ensured first.

4. Conclusions/expectations/commentary

The main challenge in the data protection sector in Albania is the transposition of the GDPR through the adoption of the new data protection law by the end of the year 2021 and the harmonization of all related data protection legislation in force and sector laws with the GDPR. Transposition of the GDPR in its entirety into domestic legislation would resolve many of the gaps mentioned above which are not covered in detail by the ADPL currently in force, such as a detailed procedure for data subjects to give consent, the establishment of specific requirements related to data breach notification, or enforcement of the accountability principle.

Nevertheless, given that multinational companies operate in Albania and the new legislation is expected to be adopted soon, in practice any entities, businesses, undertakings or similar that act as controllers or processors of personal data must be aware of the requirement to ensure compliance with and application of the ADPL and the accompanying framework of secondary rules, and of the role and interplay of these with the GDPR, particularly due to any rules that impose application of the latter outside of the EU.

Evis Zaja
Local Partner
Tirana