The long-anticipated initiative to establish a new legal framework for personal data protection in Albania is finally moving forward, as the Council of Ministers has approved a draft law that aligns closely with the European Union’s General Data Protection Regulation (GDPR). This proposed legislation promises to bring significant change to this important but frequently underappreciated legal domain. With its comprehensive approach and alignment with EU standards, the new law aims to greatly improve privacy protection in the national context.
- Broadening the Scope and Applicability
A defining characteristic of the draft law is its expanded and clarified scope compared to the current legislation. Under the current law, data protection rules apply to Albanian controllers and foreign ones using undefined “means” within Albania’s territory, leaving foreign controllers uncertain as to whether they must comply with Albanian regulations.
The draft law eliminates this confusion by broadening the scope of applicability to foreign controllers situated outside Albania if their processing activities relate to offering goods or services to or monitoring the behaviour of data subjects within Albania.
The reframing of the scope addresses a long-standing ambiguity regarding the applicability of the national legislation to certain foreign controllers, aligning with GDPR’s extraterritorial reach.
- Strengthened Definitions and Consent Requirements
The draft law enshrines a refined set of definitions that echo key GDPR concepts and, most distinctively, introduces essential terms such as “pseudonymization,” “profiling,” and “data minimization,” all of which are absent from the current Albanian law. Furthermore, it distinguishes between subcategories of personal and sensitive data by including definitions for biometric, genetic, criminal, and health data, enabling a better understanding of the data that make up each category and mitigating implementation difficulties.
The draft law also sets forth more stringent requirements around data subject consent. While a written form is not necessarily required, controllers bear the burden of proving that the consent was freely given, duly informed, unambiguous, given specifically for the processing in question and separated from other consents or agreements; for example, consent to process data for account registration cannot simultaneously serve as consent for marketing activities, ensuring transparency and genuine choice for data subjects.
- Local Representatives Instead of Prior Notifications
Under the current law, all data controllers—both Albanian and foreign—are required to file a notification with Albania’s Data Protection Commissioner (the “Commissioner”) before commencing data processing activities. Such notification should contain a summary of the planned processing activities. However, the draft law removes this general notification requirement. Instead, it introduces a new obligation specifically for foreign controllers: they must appoint a local representative in Albania. This representative should be registered with the Commissioner and will serve as the point of contact for both the Commissioner and Albanian data subjects, ensuring greater accountability and local accessibility for foreign entities engaging with Albanian data subjects.
- Data Protection Officer (DPO): Ensuring Compliance and Independence
Under the new law, certain entities must appoint a Data Protection Officer (DPO) to oversee compliance, act as a liaison with the Commissioner, and address data protection concerns raised by data subjects. This requirement applies to (i) public authorities, (ii) entities engaged in large-scale monitoring of data subjects, or (iii) those processing sensitive data such as health records or criminal information. DPOs are granted full operational independence, reporting directly to top management and protected from dismissal or penalties related to their duties. This role serves as an important check on data processing activities, fostering trust and accountability in data handling practices.
- Expanded Data Subject Rights
The proposed legislation also expands the range of rights afforded to data subjects, granting them more control over their personal data. While the core rights of access, rectification, and erasure remain intact, the draft law envisages additional rights, most notably the right to data portability and the right to be forgotten. The latter enables data subjects to request the deletion of personal data under specific conditions, strengthening privacy in a digital era where data traces are often permanent and their misuse is not uncommon. Meanwhile, the right to data portability, applicable when data processing is automated and based on consent or a contract, grants data subjects the ability to easily receive and transfer their data across controllers and platforms.
- Responsibilities of Controllers and Processors
Another key component of the new law is the shift from modest requirements governing controller-processor relationships to a framework with significantly strengthened obligations. In this context, a material novelty is the set of provisions regulating the relationships between multiple controllers, which are set to resolve past challenges associated with assigning responsibility among entities that jointly determine the purposes and means of processing. Should the draft law be enacted, these entities will be required to formalize their cooperation through agreements that clearly delineate their respective obligations, with the main provisions of these agreements made accessible to data subjects.
- Incorporating the Privacy by Design and by Default Principles
Similar to GDPR, the draft law also introduces the principles of Data Protection by Design and Data Protection by Default, which require controllers to integrate data protection measures into every stage of their operations.
Data Protection by Design dictates that controllers implement and maintain appropriate safeguards from the outset, such as pseudonymisation (masking identifiable information) and data minimisation (restricting data collection to only what is strictly necessary). For example, if a mobile app collects location data, it may only store general location information instead of precise coordinates, thereby reducing the sensitivity of the stored data and minimising exposure risks. Complementarily, Data Protection by Default requires that, by default, only essential data processing is conducted. This means users’ privacy settings should start at the highest level of protection. For instance, a social media platform might initially hide profile details from public view and only display them with the user’s explicit consent, thus ensuring that personal information remains protected unless the user decides otherwise.
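The three measures described above (pseudonymisation, location minimisation and privacy-protective defaults) sketched in code, as an added illustration that is not part of the original article or the draft law; the key value, field names and the 0.01-degree grid size are assumptions chosen for the example:

```python
"""Added illustration of Data Protection by Design / by Default. Assumed:
the pseudonymisation key is held separately from the stored records, so a
stored record cannot be re-linked to a person without it."""
import hashlib
import hmac
import math
from dataclasses import dataclass, field

PSEUDONYM_KEY = b"constructed-example-key-kept-outside-the-datastore"


def pseudonymise(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256): the same user always maps to the same token,
    but unlike a plain hash the token cannot be recomputed or reversed by
    anyone who does not hold the separately stored key."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def coarsen_location(lat: float, lon: float, step: float = 0.01) -> tuple[float, float]:
    """Data minimisation: snap coordinates to a grid cell (0.01 degree is
    roughly 1 km) so the record says which area, not which doorstep."""
    return (round(math.floor(lat / step) * step, 6),
            round(math.floor(lon / step) * step, 6))


@dataclass
class Profile:
    """Data Protection by Default: every detail starts hidden; a field becomes
    publicly visible only through an explicit, per-field opt-in by the user."""
    pseudonym: str
    area: tuple[float, float]
    details: dict = field(default_factory=dict)
    public_fields: set = field(default_factory=set)

    def consent_to_publish(self, name: str) -> None:
        if name not in self.details:
            raise KeyError(name)
        self.public_fields.add(name)

    def public_view(self) -> dict:
        return {k: v for k, v in self.details.items() if k in self.public_fields}


def register(user_id: str, lat: float, lon: float, details: dict) -> Profile:
    """Build the stored record: pseudonym instead of identifier, coarse area
    instead of exact coordinates, and nothing public until the user opts in."""
    return Profile(pseudonymise(user_id), coarsen_location(lat, lon), dict(details))
```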
- Personal Data Breach Obligations
Controllers must document all data breaches and, within 72 hours of detection, notify the Commissioner of those likely to impact data subjects. In addition, data processors will have to notify controllers of a breach without undue delay. If a breach poses a high risk to data subjects’ rights or freedoms, the controller must promptly inform the affected individuals, unless appropriate protective measures, such as encryption or additional safeguards, have been implemented to reduce the risk. In cases where individual notifications would impose an excessive burden, the controller may opt for a public announcement or a similar measure to notify data subjects.
- Supervision and Penalties
The Commissioner’s role as a supervisory authority is solidified, with an extended renewable seven-year term to ensure continuity. However, the qualifications required for this role seem exceptionally high—arguably to an excessive degree—potentially limiting the pool of eligible applicants and risking unnecessary barriers to entry for otherwise capable candidates.
Severe financial penalties are prescribed for significant data breaches, with fines for non-compliance potentially reaching up to 1 billion ALL (approximately EUR 10.2 million) or, for corporate entities, up to 2% of global annual turnover. For particularly egregious violations, such as unauthorised international data transfers or breaches of fundamental data processing principles, penalties can double, reaching 2 billion ALL (approximately EUR 20.4 million) or up to 4% of global annual turnover, whichever is higher. To appreciate the scale of these sanctions, it is enough to recall that the highest fine currently available is just a fraction of the above, specifically 2 million ALL (approximately EUR 20,000). Moreover, data subjects harmed by data misuse—whether financially or otherwise—are entitled to seek compensation from the responsible controllers or processors.
As noble as the commitment to raise awareness and promote accountability in the field of data protection is, it would hardly be an overstatement to claim that the severity of the penalties lacks a sense of proportionality, particularly for smaller businesses in Albania, where fines of such magnitude could lead to gross financial hardship.
What’s to Come?
As of the present moment, the draft law has received approval from the Council of Ministers and is set to proceed through the formal legislative process. Given its status, it remains uncertain when the law will be fully enacted, or whether it will endure additional modifications or amendments to its provisions. However, what is certain is that if passed, it will have a lasting effect on Albania’s legal landscape.
The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.