Law No. 124/2024 “On the Protection of Personal Data” was promulgated by decree of the President of the Republic of Albania on January 15, 2025, and was published in the Official Gazette. This law sets out the rules for the processing and protection of personal data in Albania and is harmonized with the European Union’s General Data Protection Regulation (GDPR).

The processing of personal data includes any action or set of actions performed on personal data, whether automated or not. These actions may include collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, dissemination, making available, linking, combination, restriction, deletion, or destruction of data.

This law applies when personal data is processed entirely or partially by automated means, as well as for the processing of personal data that are or are intended to be part of a filing system, even if the processing is not carried out by automated means. Furthermore, the scope of the law is not limited to the territory of Albania but also extends to foreign operators processing the personal data of Albanian subjects.

Consent for the processing of personal data must be freely given, informed, and explicit, expressed through a statement or any other unambiguous indication of the subject’s will. Subjects have the right to withdraw their consent at any time. For minors under 16 years of age, consent must be given with the approval of their parents or legal guardians. The controller must be able to verify that the subject has consented to the processing of their data.

The processing of personal data must be lawful, transparent, and fair. No more data should be collected than is necessary, and data must be retained only as long as needed for the purpose for which it is processed. Technical and organizational measures must ensure the integrity and confidentiality of the data.

The controller or processor is required to make the data available to the Commissioner for the Protection of Personal Data upon request.

Exemptions from the obligation to document data apply to companies or organizations with fewer than 250 employees, except in cases where:

Any security breach that may jeopardize personal data must be reported to the relevant authorities within 72 hours.

The Commissioner for the Protection of Personal Data monitors and enforces the law, examines complaints, and imposes administrative measures in case of violations.

This new law repeals the previous law and regulations in force, providing a legal framework that is closer to that of the European Union.