August 2022

1. Governing Texts

Enshrined in Article 35 of the Constitution of the Republic of Albania (only available in Albanian here) ('the Constitution'), the protection of personal data constitutes a fundamental right. Privacy and personal data protection are continuously evolving, and so is the Albanian legislation.
Albanian data protection legislation is currently undergoing a process of approximation with the EU acquis communautaire, with the Information and Data Protection Commissioner ('IDP') following the guidelines of the European Commission and the best practices of its homologues in EU countries in exercising its duties.

1.1. Key acts, regulations, directives, bills

The Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) ('the Law'), which reformed the previous data protection law in force from 1999, was amended in 2012 and 2014. The Law incorporates provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The implementation of the Law is subject to several sub-legal acts, including but not limited to the following:
The Republic of Albania has also ratified the following international treaties:
1.2. Guidelines

The IDP has issued the following decisions:
1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law applies to any personal data related to any natural person. The Law is equally applicable to the processing of personal data by:
2.2. Territorial scope

As mentioned in the section on personal scope above, the Law applies, inter alia, to controllers who are not established in the Republic of Albania but exercise their activity using any means situated in such territory. In this case, the controller should designate a local representative in the Republic of Albania.

2.3. Material scope

The Law applies to any operation or set of operations that is performed upon personal data, i.e. the processing of data. Such operations include the collection of personal data, its storage, disclosure, transfer, and so on. The Law applies to data processed by automated means (e.g. a computer database of customers) and to data that is part of, or intended to be part of, non-automated 'filing systems' accessible according to specific criteria (e.g. traditional paper files, such as a card index of clients ordered alphabetically by name). The Law does not apply to data processed for purely personal or family purposes (e.g. an electronic personal diary or a file with details of family and friends). In addition, the Law does not apply when the information concerns public officials or public (state) administration servants and reflects their public, administrative activities or issues related to their duties.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The IDP is established as the responsible authority entitled to supervise and monitor actions relating to the protection of personal data and to ensure that the Law's provisions are correctly implemented.

3.2. Main powers, duties and responsibilities

The IDP's powers include:
4. Key Definitions

Data controller: A natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of processing of personal data, in compliance with the laws and applicable secondary legislation, and is responsible for the fulfilment of the obligations defined by the provisions of the Law.

Data processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

Personal data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.

Sensitive data: Any information related to a natural person and referring to their racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, or criminal record, as well as data concerning their health and sexual life.

Health data: Information related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about the past, current, or future physical or mental health status.

Biometric data: Information resulting from the biological features and physical, psychological, and behavioural characteristics of a natural person, which are unique and consistent, such as facial images or dactyloscopic data.

Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Data subject: Any natural person whose personal data are being processed.

5. Legal Bases

5.1. Consent

Pursuant to Article 6(1)(a) of the Law, personal data may be processed if the data subject has given their consent.

5.2. Contract with the data subject

Pursuant to Article 6(1)(b) of the Law, personal data may be processed if the processing is necessary for the performance of a contract to which the data subject is party, or in order to negotiate or amend a draft contract at the request of the data subject.

5.3. Legal obligations

Pursuant to Article 6(1)(ç) of the Law, personal data may be processed to comply with a legal obligation of the controller.

5.4. Interests of the data subject

Pursuant to Article 6(1)(c) of the Law, personal data may be processed in order to protect the vital interests of the data subject.

5.5. Public interest

Pursuant to Article 6(1)(d) of the Law, personal data may be processed for the performance of a legal task of public interest or in the exercise of the powers of the controller or of a third party to whom the data are disclosed.

5.6. Legitimate interests of the data controller

Pursuant to Article 6(1)(dh) of the Law, personal data may be processed if the processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient, or any other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the data subject's right to the protection of their personal life and privacy.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The spirit of the Law is guided by the principles of the Constitution relating to the right to privacy of individuals, as well as by the principles of the European Convention for the Protection of Human Rights and Fundamental Freedoms, which the Republic of Albania ratified in 1996, establishing that everyone has the right to respect for their private and family life, home, and correspondence.

Lawful basis for processing: Fair and lawful processing of personal data constitutes the guiding principle of the Law.
Transparency: Data subjects should be duly informed regarding the processing of their personal data, i.e. the categories of personal data being processed, the purpose and means of the processing, the recipients or categories of recipients to whom personal data are disclosed, etc.

Purpose limitation: Personal data should be collected for specific, clearly defined, and legitimate purposes and should be processed in a way that is compatible with these purposes.

Data minimisation: This principle is applied as a combination of the proportionality and retention principles.

Proportionality: Personal data should be proportionate and correlated with the scope of processing, and not excessive in relation to the purposes for which they are collected and processed.

Retention: Personal data cannot be kept longer than necessary for the purpose for which they were collected or further processed.

Data accuracy: Personal data should be accurate and, when necessary, updated. According to the Law, all reasonable measures should be taken to ensure that inaccurate or incomplete personal data are erased or rectified.

7. Controller and Processor Obligations

Data controller

Data controllers are responsible for the fulfilment of the obligations stipulated in the Law. Data controllers and processors should take adequate measures to ensure that data are processed correctly and lawfully, including appropriate technical and organisational safeguards to protect personal data from intentional or accidental destruction, unauthorised access, and other threats. In particular:
Data processor

Data processors shall not transfer data unless instructed to do so by the data controller. Furthermore, data processors must implement all required safety measures pursuant to the provisions of the Law and hire operators who are obligated to preserve the confidentiality of the data. In addition, data processors must implement appropriate technical measures to guarantee that the data controller's obligations to protect data subjects' rights are met. Moreover, after completing the processing service, the data processor must submit all processing results to the data controller, document, maintain, or destroy such data upon the request of the data controller, and make all the necessary information available to the data controller so that it can verify compliance with the aforementioned obligations.

7.1. Data processing notification

Under Article 21 of the Law, data controllers have the obligation to notify the IDP in advance of any processing of personal data. To this purpose, the Law provides that, prior to the processing of personal data, data controllers should notify the IDP of the intended activity and the categories of personal data, and of any changes to those activities or categories of data. Any intention of the data controller to transfer data to third countries should be included in the notification to the IDP. However, a data controller will be exempted from the obligation to notify the IDP if:
7.2. Data transfers

According to the definition provided by the Law, 'international transfer' is the transmission of personal data to recipients in third countries. The Law stipulates that the adequacy of the level of protection in a third country is determined by assessing all circumstances of the data processing operations in that country. To this end, Decision No. 8 stipulates that EU countries, EEA countries, Member States that have ratified Convention 108, and countries to which personal data may be transmitted on the basis of a European Commission decision have an adequate level of protection for the international transfer of personal data. Exceptions to the above rule apply if the transfer:
International transfer of personal data to third countries not having an adequate level of protection shall be carried out with the authorisation of the IDP. In cases where the IDP, after assessing the situation, decides to authorise the international transfer of personal data to a third country lacking an adequate level of protection, the transfer will be subject to a set of appropriate safety measures. For some types of personal data, the IDP might exempt data controllers from seeking authorisation. The categories of data subjects exempted are decided by the IDP.

7.3. Data processing records

Pursuant to Decision No. 2, as amended, the data controller shall keep a record of the processing activity with all the data collected (i.e. the categories of personal data collected, the purpose of processing, the identity of the processors (if any), the countries to which data will be transferred, and any other information related to the data processing). The record shall be accurate, comprehensive, and updated.

7.4. Data protection impact assessment

Pursuant to IDP instructions, large controllers (or processors) should carry out a Data Protection Impact Assessment ('DPIA'). Large controllers (or processors) are those that process data by automatic or manual means and have employed six or more persons. In order to guarantee the protection and the safety of personal data, large controllers should, inter alia, establish and maintain an Information Security Management System ('ISMS'). The ISMS should also include the conduct of DPIAs. The DPIA should be carried out prior to the processing of personal data, so as to detect any processing that may pose particular risks to the rights and freedoms of data subjects due to its nature, extent, and purpose.

7.5. Data protection officer appointment

Instruction No. 47 of 14 September 2018 on the Determination of Rules on the Safety of Personal Data Processed by Large Data Controllers ('Instruction No. 47'), issued by the IDP, stipulates that large processing entities, namely data controllers or data processors that process data by automatic or manual means through six or more persons appointed/engaged in the processing of personal data, either directly or through other processors, are required to appoint a data protection officer ('DPO'). The DPO is responsible for the following:
In the case of the engagement of a data processor, the DPO is also responsible for the internal monitoring of its activity and its contractual obligations. The DPO, who also monitors international data transfers, is in charge of submitting the documentation on archiving systems for entry in the special register, of announcing changes to and de-registration of archiving systems from the special register, and of keeping records on archiving systems that are not subject to registration. In addition, the DPO serves as the contact person and collaborates with the IDP. Upon the request of the latter, the DPO is obliged to submit the written authorisation under which they operate, as well as proof of the skills acquired during their professional training. The DPO shall meet the following criteria in order to be appointed to this position:
7.6. Data breach notification

The obligation to notify the IDP of a breach of personal data applies if:
Specifically, according to Instruction No. 47, the contact person shall notify the data processor in writing, in due time, of each risk of breach of a data subject's rights, including violations of the Law. If the data processor fails to undertake the necessary measures to address the breach in due time, the contact person must immediately notify the IDP. Furthermore, data breach notification is mandatory for providers of publicly available electronic communications services, who must notify the Electronic and Postal Communications Authority ('AKEP'), the telecommunication regulatory authority, of the breach without undue delay. The obligation to notify is vis-a-vis the telecommunication regulatory authority and not the IDP. In addition, if the personal data breach is likely to be detrimental to the personal data or privacy of the contracting party or another individual, the telecommunication provider shall also notify the contracting party or the individual without delay (within 24 hours). Notification will not be required if the provider has demonstrated to the AKEP that it has implemented technological protection measures that render the data unintelligible to any entity not authorised to access it.

7.7. Data retention

The Law provides that personal data cannot be kept for longer than is necessary for the purpose for which they were collected or further processed, without providing for a minimum or maximum retention period. However, time limits apply to specific sectors, as determined by the decisions of the IDP referred to in the section on guidelines above. For example, the Labour Code No. 7961 of 12 July 1995 (only available to download in Albanian here) ('the Labour Code') provides that an employee's data are retained until the termination of the employment relationship. Any data processing beyond this term requires the employee's consent.

7.8. Children's data

Any person under the age of 18 is considered a child in Albanian law. There are no provisions in the Law that pertain specifically to children; nonetheless, special rules are established in two of the Instructions issued by the IDP, as follows:

Instruction No. 9 of 15 September 2010 on the Fundamental Rules in connection with the Protection of Personal Data in Written, Visual, and Audio-Visual Media stipulates that parental consent shall be obtained for children under the age of 16 in connection with the protection of personal data in written, visual, and audio-visual media.

Instruction No. 16 of 26 December 2011 on the Protection of Personal Data in Direct Trade and Security Measures (as amended) provides that parental/legal guardian consent shall be obtained for the processing of a minor's data for marketing purposes. When collecting the minor's data, the data controller shall ensure that the parent or legal guardian is informed about the purposes of the data processing. The parent or legal guardian enjoys the same rights as the child as a data subject, and the data controller must verify whether the person exercising the rights of the minor is their parent or legal guardian. Where a minor participates in games, the controller shall collect only the data necessary for participation in the activity.

7.9. Special categories of personal data

In principle, sensitive data cannot be processed. Such data relates to racial or ethnic origin, political opinion, religious or philosophical belief, trade-union membership, criminal history, or health and sexual preference. A derogation from this rule is permitted only under very specific circumstances. These circumstances include:
7.10. Controller and processor contracts

Instruction No. 19 of 3 August 2012 on the Regulation of the Relationship Between the Controller and the Processor in Case of Delegation of Personal Data Processing and Standard Contract Form for Such Legal Arrangements, as amended by Instruction No. 30 of 27 December 2012 (only available in Albanian here) ('the Regulation'), establishes rules regarding the relationship between data controllers and data processors where personal data processing is outsourced, including the adoption of a standard contract that the parties shall use for such delegation. The data controller may contract with any Albanian or foreign company that offers processing services. The processing contract provides that the data processor uses and discloses personal data only under the instructions of the data controller and that the data processor implements all the necessary measures to ensure adequate data protection. The outsourcing contract shall include provisions that define the rules for the processing of personal data under Albanian law. Such contracts must set out all the measures to be taken by data processors to ensure adequate data protection, as well as the procedures to be followed in case of a violation of the security of such data. Under the Regulation, the data controller must examine the following to ensure the selection of a competent data processor:
The data processor is obliged to notify the data controller in the case of personal data breaches; however, the processor is not obliged to notify the data subject. The outsourcing contract shall contain provisions to regulate the following:
8. Data Subject Rights

The Law provides data subjects with six fundamental rights, which are outlined below.

8.1. Right to be informed

Except for when the data subject is already aware of such information, the controller, when collecting personal data, must inform the data subject of:
Where the controller processes personal data obtained from the data subject, it is also obliged to inform the data subject whether the provision of the personal data is obligatory or optional. If the data subject, under a legal or secondary act, is obliged to provide personal data for processing, the controller must inform them of this fact, as well as of the consequences of refusal to provide personal data.

8.2. Right to access

Data subjects are entitled to obtain from the data controller, free of charge and upon written request, confirmation of whether their personal data are being processed, information on the purposes of processing, the categories of data processed, and the recipients or categories of recipients to whom personal data are disclosed. The communication must be in a comprehensible form with regard to the data being processed and any available information as to their source. In the case of automated decisions, information about the logic applied in the decision-making must be provided.

8.3. Right to rectification

The data subject has the right to request, free of charge, the blocking, rectification, or deletion of their data whenever they become aware that data relating to them is irregular, false, or incomplete, or has been collected or processed in violation of the provisions of the Law.

8.4. Right to erasure

Please see the section on the right to rectification above.

8.5. Right to object/opt-out

The data subject has the right, at any time and free of charge, to object to the processing of data related to them carried out by the data controller unless it is:
8.6. Right to data portability

The Law does not provide for a right to data portability.

8.7. Right not to be subject to automated decision-making

An individual is entitled not to be subject to decisions that cause legal effects upon, or materially affect, them and are based only on the automatic processing of data aimed at assessing certain personal aspects related to them, particularly their work efficiency, credibility, or behaviour.

8.8. Other rights

Complaint to the IDP

Anyone who believes that their rights, freedoms, and legal interests in relation to their personal data have been violated is entitled to file a complaint with or notify the IDP and to request that it intervene to remedy the infringement.

Damage compensation

Anyone who has suffered damage due to the unlawful processing of personal data is entitled to compensation, pursuant to the provisions of the Civil Code No. 7850 of 29 July 1997 (only available in Albanian here).

9. Penalties

Administrative liability

The IDP can act:
If, from the investigation conducted, whether through individual inspections or complaints, it is found that personal data has been illegally processed by a data controller, the IDP has the authority to order the blocking, deletion, destruction, or suspension of the processing. The IDP has the authority to impose administrative sanctions in the event of serious, repeated, or deliberate violations of the Law by a data controller or data processor, particularly in the case of repeated non-implementation of its recommendations. The administrative sanctions provided by the Law are applied by the IDP and consist of pecuniary fines that range from a minimum of approximately ALL 10,000 (approx. €85) up to a maximum of approximately ALL 1 million (approx. €8,550). The aforementioned fines apply to natural persons and are doubled in the case of violations attributed to legal persons. The maximum fine also doubles in cases involving the processing of personal data without the preliminary authorisation of the IDP.

Criminal liability

Reference in this regard should be made to the Criminal Code No. 7895 of 27 January 1995 (only available in Albanian here) ('the Criminal Code') and, in particular, to Articles 121, 122, and 123 of the same. Article 121 of the Criminal Code provides that unfair interference in private life by means of recording data (pictures, conversations, and so on) and their storage and publication without the consent of the data subject constitutes a criminal misdemeanour punishable by a fine or imprisonment of up to two years. Article 122 of the Criminal Code provides that the unauthorised disclosure of personal secrets regarding the personal life of an individual, by persons who should protect such information due to their work or profession, constitutes a criminal misdemeanour punishable by a fine or imprisonment of up to one year.
If the disclosure of information is committed with the intent of embezzlement, the infringer is punishable by a fine or imprisonment of up to two years. Article 123 of the Criminal Code states that the intentional commission of acts including the destruction, non-delivery, opening, and reading of letters or any other correspondence, as well as the interruption of, placement under control of, or listening in on any conversation through telephone, telegraph, or any other means of communication, constitutes a criminal misdemeanour and is punishable by a fine or imprisonment of up to two years.

9.1. Enforcement decisions

At the beginning of 2021, the IDP performed an inspection of one of the largest data controllers, which operates as a telecommunication service provider. The latter was found in breach of several provisions of the Law, such as the failure to obtain the data subjects' consent for the processing of personal data (i.e. direct marketing), as well as the failure to duly inform the data subjects regarding the processing purpose, the categories of data being processed, data subject rights, etc. The data controller also did not inform the data subjects (i.e. its employees) regarding the processing of their health data by data processors. Even though it had fulfilled its obligation to notify the IDP of the processing of personal data, the notification was not accurate and complete, including, inter alia, that the outsourcing agreements had not been submitted to the IDP. Moreover, no DPIA had been carried out beforehand. For the above infringements, the data controller was fined approximately €12,000.