Which of the following is not true about the changes to EU data protection rules proposed in 2012

August 2022

1. Governing Texts

Enshrined in Article 35 of the Constitution of the Republic of Albania (only available in Albanian here) ('the Constitution'), the protection of personal data constitutes a fundamental right. Privacy and personal data protection are continuously evolving and so is the Albanian legislation.

Albanian data protection legislation is currently undergoing a process of approximation with the EU acquis communautaire, with the Information and Data Protection Commissioner ('IDP') following the guidelines of the European Commission and the best practices of its homologues in EU countries in exercising its duties.

1.1. Key acts, regulations, directives, bills

The Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) ('the Law'), which reformed the previous data protection law in force from 1999, was amended in 2012 and 2014. The Law incorporates provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

The implementation of the Law is subject to several sub-legal acts, including but not limited to the following:

• Decision of the Parliament No. 95/2019 of 12 September 2019 on the Appointment of the Commissioner for the Protection of Personal Data (only available in Albanian here); and
• Decision of the Parliament No. 86/2018 of 19 July 2018 on the Approval of the Structure, Staff and Classification of Salaries of the Commissioner for the Right to Information and Protection of Personal Data (only available in Albanian here).

The Republic of Albania has also ratified the following international treaties:

• Convention on the Protection of Individuals regarding the Automatic Processing of Personal Data ('Convention 108'), as per Law No. 9288 of 7 October 2004 (only available in Albanian here); and
• Amending protocol to the Convention On the protection of Individuals with regard to Automatic Processing of Personal Data, as per Law No. 49 of 12 May 2022 (only available in Albanian here).

1.2. Guidelines

The IDP has issued the following decisions:

• Decision No. 8 of 31 October 2016 on the Countries with Adequate Level of Protection for Personal Data ('Decision No. 8');
• Decision No. 4 of 27 December 2012 on Exceptions to the Obligation to Notify the Processing of Personal Data;
• Decision No. 2 of 10 March 2010 on Determining the Procedures for the Administration of Registration Data, Entering the Data, their Processing and Retrieval, as amended by Decision No. 5 of 27 December 2012 ('Decision No. 2'); and
• Decision No. 6 of 5 August 2013 on Determining Detailed Rules for the Protection of Personal Data.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law applies to any personal data related to any natural person.

The Law is equally applicable to the processing of personal data by:

• data controllers established in the Republic of Albania;
• diplomatic missions or consular offices in the Republic of Albania;
• data controllers who are not established in the Republic of Albania, but make use of any equipment located in the Republic of Albania;
• public authorities processing data in the framework of crime prevention and prosecution activities, in cases of a criminal offence against the public order and other violations in the field of criminal law, defence, and national security.

2.2. Territorial scope

As mentioned in the section on personal scope above, the Law applies, inter alia, to controllers who are not established in the Republic of Albania but exercise their activity using any means situated in such territory. In this case, the controller should designate a local representative in the Republic of Albania.

2.3. Material scope

The Law applies to any operation or set of operations that is performed upon personal data, i.e. processing of data. Such operations include the collection of personal data, its storage, disclosure, transfer, and so on and so forth. The Law applies to data processed by automated means (e.g. a computer database of customers) and to data that is part of or intended to be part of non-automated 'filing systems' and accessible according to specific criteria (e.g. the traditional paper files, such as a card file with details of clients ordered according to the alphabetic order of the names).

The Law does not apply to data processed for purely personal reasons or family purposes (e.g. an electronic personal diary or a file with details of family and friends). In addition, the Law does not apply when the information provided concerns public officials or public (state) administration servants, reflecting their public, administrative activities or issues related to their duties.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The IDP is established as the responsible authority entitled to supervise and monitor the actions relating to the protection of personal data and to ensure that the Law's provisions are correctly implemented.

3.2. Main powers, duties and responsibilities

The IDP's powers include:

• administrative investigations;
• blocking, erasing, destroying, or suspending the unlawful processing of personal data;
• providing instructions before the processing of personal data is undertaken and ensuring their publication; and
• applying fines for violation of provisions of the law.

4. Key Definitions

Data controller: A natural or legal person, public authority, agency, or any other body, which alone or jointly with others determines the purposes and means of processing of personal data, in compliance with the laws and applicable secondary legislation, responsible for the fulfilment of obligations defined by the law provisions.

Data processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the data controller.

Personal data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.

Sensitive data: Any information related to a natural person and referring to their racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, criminal record, as well as with data concerning their health and sexual life.

Health data: Information related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the past, current, or future physical or mental health status.

Biometric data: Information resulting from biological features, physical, psychological, and behavioural characteristics of a natural person, which are unique and consistent, such as facial images or dactyloscopic data.

Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Data subject: Any natural person whose personal data are being processed.

5. Legal Bases

5.1. Consent

Pursuant to Article 6(1)(a) of the Law, personal data may be processed if the personal data subject has given their consent.

5.2. Contract with the data subject

Pursuant to Article 6(1)(b) of the Law, personal data may be processed if the processing is necessary for the performance of a contract to which the data subject is party or in order to negotiate or amend a draft/contract at the request of the data subject.

5.3. Legal obligations

Pursuant to Article 6(1)(ç) of the Law, personal data may be processed to comply with a legal obligation of the controller.

5.4. Interests of the data subject

Pursuant to Article 6(1)(c) of the Law, personal data may be processed in order to protect the vital interests of the data subject.

5.5. Public interest

Pursuant to Article 6(1)(d) of the Law, personal data may be processed for the performance of a legal task of public interest or in the exercise of powers of the controller or of a third party to whom the data are disclosed.

5.6. Legitimate interests of the data controller

Pursuant to Article 6(1) (dh) of the Law, personal data may be processed if the processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the data subject right to protection of personal life and privacy.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The spirit of the Law is guided by the principles of the Constitution relating to the right to privacy of individuals, as well as by the principles of the European Convention for the Protection of Human Rights and Fundamental Freedoms, which the Republic of Albania ratified in 1996, establishing that everyone has the right to respect for their private and family life, home, and correspondence.

Lawful basis for processing: Fair and lawful processing of personal data constitutes the guiding principle of the Law.

Transparency: Data subjects should be duly informed regarding the processing of the personal data, i.e. categories of personal data being processed, purpose and means of the processing, recipients or categories of recipients to whom personal data are disclosed, etc.

Purpose limitation: Personal data should be collected for specific, clearly defined, and legitimate purposes and should be processed in a way that is compatible with these purposes.

Data minimisation: Such principle is applied as a combination of proportionality and retention principles.

Proportionality: Personal data should be proportionate and correlated with the scope of processing and not excessive in relation to the purposes for which they are collected and processed.

Retention: Personal data cannot be kept longer than necessary for the purpose for which they were collected or further processed.

Data accuracy: Personal data should be accurate and, when necessary, updated. According to the Law all reasonable measures should be conducted so that to ensure that inaccurate or incomplete personal data is erased or rectified.

7. Controller and Processor Obligations

Data controller

Data controllers are responsible for the fulfilment of the obligations stipulated in the Law. Data controllers and processors should take adequate measures in order to ensure that data is processed correctly and lawfully, including appropriate technical and organisational safeguards to protect personal data from intentional or accidental destruction, unauthorised access, and other threats.

In particular:

• data shall be processed fairly and lawfully;
• data shall be collected for explicit and legitimate purposes and processed accordingly;
• data shall be relevant and not excessive in relation to the purpose(s) of processing;
• data shall be accurate and, where necessary, kept up to date;
• data controllers are required to provide reasonable measures for data subjects to rectify, erase, or block incorrect data about them; and
• data shall not be kept for longer than necessary.

Data processor

Data processors shall not transfer data unless instructed otherwise by the data controller. Furthermore, data processors must implement all required safety measures pursuant to the provisions of the Law and hire operators who are obligated to preserve the confidentiality of the data. In addition, data processors must implement appropriate technical measures to guarantee that the data controller's obligations to protect data subjects' rights are met. Moreover, after completing the processing service, the data processor must submit all processing results to the data controller and document, maintain, or destroy such data upon the request of the data controller and make all the necessary information available to the data controller to control compliance with the aforementioned obligations.

7.1. Data processing notification

Under Article 21 of the Law, data controllers have the obligation to notify in advance the IDP of any processing of personal data. To this purpose, the Law provides that, prior to the processing of personal data, data controllers should notify the IDP on the intended activity and categories of personal data and any changes to those activities or categories of data.

Any intention of the data controller to transfer data to third countries should be included in the notification to the IDP. However, a data controller will be exempted from the obligation to notify IDP if:

• the processing of data is conducted for the purpose of keeping a record, the sole purpose of which is to provide information to the public in general, in accordance with the law and sub-legal aspects; or
• the processing of data is carried out for the protection of constitutional institutions, interests of national security, foreign policy, economic or financial interests of the state, or the prevention or prosecution of criminal offences.

7.2. Data transfers

According to the definition provided by the Law, 'international transfer' is the transmission of personal data to recipients in third countries.

The Law stipulates that the adequacy of the level of protection by a third country is determined by assessing all circumstances of data processing operations in that country. To this end, Decision No. 8 stipulates that that EU countries, EEA countries, Member States that have ratified Convention 108, and countries where personal data is transmitted on the European Commission's decision have an adequate level of protection for the international transfer of personal data. Exceptions to the above rule are applied in the event the transfer if the transfer:

• is based on international treaties ratified by the Republic of Albania;
• is consented to by the data subject;
• constitutes a legal obligation for the data controller;
• is necessary for completing a contract between the data controller and the data subject or between the data controller and a third party in the interest of the data subject;
• is necessary for the vital interest of the data subject;
• is done through a register open to consultation and which provides information to the public in general; or
• is necessary or legally required because of an important public interest or for the exercise/defence of a legal right.

International transfer of personal data to third countries not having an adequate level of protection shall be carried out with the authorisation of the IDP. In cases where the IDP, after assessing the situation, decides to authorise the international transfer of personal data to a third country lacking adequate levels of protection, the case will be subject a set of proper safety measures. For some types of personal data, the IDP might exempt data controllers from seeking authorisation. The categories of data subjects exempted are decided by the IDP.

7.3. Data processing records

Pursuant to Decision No. 2, as amended, the data controller shall keep a record of the processing activity with all the data collected (i.e., categories of personal data collected, the purpose of processing, the identity of the processors (if any), the countries where data will be transferred, and any other information related with the data processing). The data shall be accurate, comprehensive, and updated.

7.4. Data protection impact assessment

Pursuant to IDP instructions, large controllers (or processors) should carry out a Data Protection Impact Assessment ('DPIA'). Large controllers (or processors) are considered the ones that process data by automatic or manual means and have employed six or more persons. In order to guarantee the protection and the safety of personal data, large controllers, inter alia, should establish and maintain the Information Security Management System ('ISMS'). The ISMS should also include the conduct of DPIAs. The DPIA should be carried out prior to the processing of personal data, so as to detect any case of processing that may pose particular risks to the rights and freedoms of personal data subjects due to their nature, extent, and purpose.

7.5. Data protection officer appointment

Instruction No. 47 of 14 September 2018 on the Determination of Rules on the Safety of Personal Data Processed by Large Data Controllers ('Instruction No. 47') issued by the IDP stipulates that large processing entities, which are considered data controllers or data processors that process data by automatic or manual means, through six or more persons appointed/engaged in the processing of personal data, either directly or through other processors, are required to appoint a data protection officer ('DPO').

The DPO is responsible for the following:

• the internal monitoring of obligations regarding the protection of personal data by the data processor;
• advising the responsible persons on personal data protection; and
• the implementation of technical and organisational measures in relation to staff and monitors their practical implementation.

In the case of the engagement of a data processor, the DPO is also responsible for the internal monitoring of its activity and its contractual obligations. The DPO, who monitors the international data transfer, is in charge of handing over the documentation on archiving systems for the special registration and of the announcing of changes and de-registration of the archiving systems from the special register and keeps data on the archiving systems which are not subject of registration. In addition, the DPO serves as the contact person and collaborates with the IDP. Upon the request of the latter, the DPO is obliged to submit the written authorisation under which they operate, as well as proof of the skills acquired during their professional training.

The DPO shall meet the following criteria in order to be appointed in this position:

• have full legal capacity to act;
• possess integrity;
• possess a university degree in law or computer science;
• be noted for their professional skills and ethics;
• having at least five years of working experience as a lawyer or IT expert or having worked for no less than three years near the IDP as a lawyer of IT expert; and
• not having been convicted for any criminal offence.

7.6. Data breach notification

The obligation to notify the IDP of a breach of personal data applies if:

• the data controller is considered a large controller; and
• the data controller does not properly address the breach.

Specifically, according to Instruction No. 47, the contact person shall notify in writing, in due time, the data processor regarding each risk of breach of a data subject's rights, including violations to the Law. If the data processor fails to undertake the necessary measures to address the breach in due time, the contact person must immediately notify the IDP.

Furthermore, a data breach notification is considered to be mandatory for the provider of publicly available electronic communications services who must notify of the breach without undue delay to the Electronic and Postal Communications Authority ('AKEP') and the telecommunication regulatory authority. The obligation to notify is vis-a-vis the telecommunication regulatory authority and not the IDP.

In addition, if the personal data breach is likely to be detrimental to the personal data or privacy of the contracting party or another individual, the telecommunication provider shall also notify the contracting party or the individual without delay (within 24 hours). Notification will not be required if the provider has demonstrated to the AKEP that it has implemented the technological protection measures that render the data unintelligible to any entity that is not authorised to access it.

7.7. Data retention

The Law provides that personal data cannot be kept for longer than is necessary for the purpose for which they were collected or, further processing without providing for a minimum or maximum time for the retention of personal data. However, time limits apply to specific sectors, as determined by the decisions of the IDP referred to in the section on guideline above.

For example, the Labour Code No. 7961 of 12 July 1995 (only available to download in Albanian here) ('the Labour Code') provides that an employees' data be retained until the termination of the employment relationship. Any data processing beyond this term requires the employees' consent.

7.8. Children's data

Any person under the age of 18 is considered a child in Albanian law. There are no provisions in the Law that pertain to children, nonetheless, special rules are established in two of the Instructions issued by IDP, as follows:

Instruction No. 9 of 15 September 2010 on the Fundamental Rules in connection with the Protection of Personal Data in Written, Visual, and Audio-Visual Media stipulates that parental consent shall be obtained for children under the age of 16 in connection with the protection of personal data in written, visual, and audio-visual media.

Instruction No. 16 of 26 December 2011 on the Protection of Personal Data in Direct Trade and Security Measures (as amended) provides that parental/legal guardian consent shall be obtained regarding the processing of a minor's data for marketing purposes. When collecting the minor's data, the data controller shall ensure that the parent or legal guardian is informed about the purposes of data processing. Parent/legal guardian enjoys the same rights as the child as a data subject, and the data controller must verify whether the person exercising the rights of the minor is their parent or legal guardian. When participating in games, the controller shall collect only enough data of the minor to participate in the activity.

7.9. Special categories of personal data

In principle, sensitive data cannot be processed. Such data relates to racial or ethnic origin, political opinion, religious or philosophical belief, trade-union membership, or concerning criminal history, or health and sexual preference. A derogation of this rule is tolerated under very specific circumstances. These circumstances include:

• the data subject's consent to the processing of the sensitive data, which can be revoked at any time making further processing of such data unlawful;
• an authorisation is given from the IDP in cases of important public interest under appropriate protective measures;
• when it is necessary for the vital interest of the data subject or of another person and the data subject is physically or legally incapable to give consent;
• when the processing relates to data manifestly made public by the data subject or is necessary for the exercising or defence of a legal right;
• when data is processed for historical, scientific, and statistical research under appropriate protective measures;
• data which is collected by medical personnel during the course of their activity, who have the obligation to maintain confidentiality;
• data processed by non-profit political, philosophical, religious, or trade union organisations for the purposes of their lawful activity only to members, sponsors, or persons related to their activity. This data cannot be disclosed to a third party without the consent of the data subject, unless otherwise provided in the Law; and
• the processing is necessary for the fulfilment of a legal obligation and specific right of the data controller in the field of employment subject to the Labour Code.

7.10. Controller and processor contracts

Instruction No. 19 of 3 August 2012 on the Regulation of the Relationship Between the Controller and the Processor in Case of Delegation of Personal Data Processing and Standard Contract Form for Such Legal Arrangements, as amended by Instruction No. 30 of 27 December 2012 (only available in Albanian here) ('the Regulation') establishes rules regarding the relationship between data controllers and data processors where personal data processing is outsourced including the adoption of a standard contract that the parties shall use for such delegation.

The contractual relationship of the data controller may be with any Albanian or foreign company, which offers processing services. The processing contract provides that the data processor uses and discloses personal data only under the instructions of the data controller and that the data processor implements all the necessary measures to ensure adequate data protection. The outsourcing contract shall include provisions that define the rules for the processing of personal data under Albanian law. Such contracts must provide all the measures that should be taken by data processors to ensure adequate data protection, as well as the procedures to be taken in case of violation of the security of such data.

Under the Regulation, the data controller must examine the following to ensure the selection of a competent data processor:

• that the company has a good reputation in this field and offers permanent guarantees regarding the security of personal data to be processed;
• the contract is in written form and shall contain specific provisions governing the protection of personal data;
• in case the data processor is a foreign company, the data controller shall ensure that the countries where the data processor operates are part of the countries offering adequate protection of personal data under Albanian law;
• the data controller must check the legislation of the origin country of the data processor to ensure that the contract has effect in both countries;
• that the data processor provides appropriate protective measures for the data to be processed;
• that, as part of such appropriate measures, the data processor shall control the personnel handling the processing and for this purpose, the data controller shall refer to the security standards ISO 27000; and
• the data processor shall report any breach of security and any other issue of interest to the data controller in order to:
  • guarantee the implementation of the legislation by applying adequate security standards and adjusting after any possible violation thereof; and
  • allow the data controller to be able to provide information to the data subject upon request.

The data processor is obliged to notify the data controller in the case of violations of personal data, however, the processor is not obliged to notify the data subject of the same. The outsourcing contract shall contain provisions to regulate the following:

• the moment when the data processor shall notify the data controller on the damage caused to:
  • the data subject, in case of unauthorised destruction, loss, modification, disclosure, or alteration of the personal data transmitted, stored, or processed; and
  • the data controller, in case of damage related to the data controller's business position and reputation.
• the content of the notification and its timing. The notification shall be made:
  • without delay;
  • in written form; and
  • contain full information on the type of violation of data and the consequences of thereof.

8. Data Subject Rights

The Law provides to the data subjects six fundamental rights, which are outlined below.

8.1. Right to be informed

Except for when the data subject is already aware of such information, the controller, when collecting personal data, must inform the data subject of:

• the scope and purpose for which personal data is being processed;
• the person who is going to process the data;
• the means of processing; and
• the right to access and the right to rectify personal data.

In case the controller processes personal data obtained from the data subject, they are also obliged to inform the data subject whether the provision of the personal data is obligatory or optional. If the data subject, under a legal or secondary act, is obliged to provide personal data for processing, the controller must inform them of this fact, as well as on the consequences of refusal to provide personal data.

8.2. Right to access

Data subjects are entitled to obtain, free of charge, from the data controller upon written request, confirmation whether their personal data are being processed, information on the purposes of processing, the categories of processed data, and the recipients or categories of recipients to whom personal data are disclosed. The communication thereof must be in a comprehensible form with regard to the data that is being processed and any available information as to their source. In the case of automated decisions, information about the logic applied in the decision-making must be provided.

8.3. Right to rectification

The data subject has the right to request blocking, rectification, or deletion of their data, free of charge whenever they become aware that data relating to them is irregular, false, and incomplete, or has been collected or processed in violation of the provisions of the Law.

8.4. Right to erasure

Please see the section on the right to rectification above.

8.5. Right to object/opt-out

The data subject has the right, at any time and free of charge, to object to the processing of data related to them carried out by the data controller unless it is:

• in the context of the performance of a legal task of public interest or in the exercising of the powers of the data controller, or of a third party to whom the data is disclosed; or
• in cases where the processing is necessary for the protection of the legitimate rights and interests of the data controller, the recipient, or any other interested party.

8.6. Right to data portability

The law does not provide the right of data portability.

8.7. Right not to be subject to automated decision-making

An individual is entitled not to be subject to decisions that cause legal effects upon, or materially affect, them based only on the automatic processing of the data, which aims at assessing certain personal aspects related to them, particularly their work efficiency, credibility, or behaviour.

8.8. Other rights

Complaint to the IPD

Anyone who believes their rights, freedoms, and legal interests in relation to their personal data have been violated, is entitled to file a complaint or to notify the IDP and to request it intervenes to remedy the infringement.

Damage compensation

Anyone who has suffered damage due to unlawful processing of personal data is entitled to compensation, pursuant to the provisions of the Civil Code No. 7850 of 29 July 1997 (only available in Albanian here).

9. Penalties

Administrative liability

The IDP can act:

• on the initiative/notification of data subjects and data controllers:
  • by filing a complaint with the IDP any natural person who claims that personal data have been processed in violation of the Law; or
  • through a request for authorisation from the data controller or data subject. If the IDP acts following a complaint or request of an entity, the IDP is obliged to notify the entity regarding the outcome once the investigation process is concluded; or
• on the initiative of the IDP:
  • by reviewing the notices that the data controllers are obliged to send, for the personal data they process; and
  • through controls and inspections carried out by the IDP.

If, from the investigation conducted, due to individual inspections or complaints, it is found that personal data has been illegally processed by a data controller, the IDP has the authority to order the blocking, deletion, destruction, or suspension of the processing.

The IDP has the authority to impose administrative sanctions in the event of serious, repeated, or deliberate violations of the Law by a data controller or data processor, particularly in the case of repeated cases of non-implementation of its recommendations.

The administrative sanctions provided by the Law are applicable by the IDP, and consist of pecuniary fines that range from a minimum of approximatively ALL 10,000 (approx. €85) up to a maximum of approximatively ALL 1 million (approx. €8,550). The aforementioned fines apply to natural persons and are doubled in the case of violations attributed to legal persons. The maximum fine also doubles in cases involving the processing of personal data without preliminary authorisation of the IDP.

Criminal liability

Reference in this regard should be made to the Criminal Code No. 7895 of 27 January 1995 (only available in Albanian here) ('the Criminal Code') and, in particular, to Articles 121, 122, and 123 of the same.

Article 121 of the Criminal Code provides unfair interferences in private life by means of recording of data (pictures, conversations, and so on) and their storage and publication without the consent of the data subject constitutes a criminal misdemeanour punishable by a fine or imprisonment up to two years.

Article 122 of the Criminal Code provides that the unauthorised disclosure of personal secrets regarding the personal life of an individual, by persons that should protect such information due to their work or profession, constitutes a criminal misdemeanour punishable by fine or imprisonment of up to one year. If the disclosing of information is committed with the intend of embezzlement, the infringer is punishable by a fine or imprisonment of up to two years.

Article 123 of the Criminal Codestates that the intentional commitment of acts including destruction, non-delivery, opening, and reading of letters or any other correspondence, as well as the interruption of, or placement under control, or hearing any conversation through telephone, telegraph, or any other means of communication, constitutes a criminal misdemeanour and is punishable by a fine or imprisonment of up to two years.

9.1 Enforcement decisions

At the beginning of 2021, the IDP performed an inspection of one of the largest data controllers which operates as a telecommunication service provider. The latter was found in breach of several provisions of the Law, such as the failure to obtain the data subjects' consent for the processing of personal data (i.e. direct marketing), as well as the failure to duly inform the data subjects regarding the processing purpose, categories of the data being processed, data subject rights, etc. The data controller also did not inform the data subjects (i.e. its employees) regarding the processing of their health data by data processors. Even though it had fulfilled its obligation to notify the IDP for the processing of the personal data, the notification was not accurate and complete, including, inter alia, the outsourcing agreements were not submitted with the IDP. Moreover, no DPIA had been carried out previously. The data controller was punished regarding the above infringements with a fine in the amount of approximately €12,000.

Which of the five moral dimensions of the information age do the central business activities of DoubleClick involve quizlet?

Which ethical rules states that if an action Cannot be taken repeatedly It is not right to take at all?

Which of the following best describes the effect that new information systems and technology has on society?

Which of the following best describes how new information systems result in legal gray areas?