Law No. 124/2024 On Personal Data Protection Albania

• 19 December 2024 – Approved by the Assembly of the Republic of Albania.
• 15 January 2025 – Promulgated by Presidential decree.
• 17 January 2025 – Published in the Official Gazette.
• 1 February 2025 – Law entered into force.
• 17 January 2027 – Certain provisions enter into application (2-year delay).

The law applies to:

• Processing of personal data wholly or partly by automated means.
• Processing forming part of a structured filing system.
• Controllers or processors established in Albania, regardless of where processing takes place.
• Foreign controllers offering goods or services to individuals located in Albania.
• Foreign controllers monitoring the behaviour of individuals within Albania. The law applies across sectors and to organizations of different sizes, subject to proportionality rules and limited exemptions for small and medium-sized enterprises.

The law does not apply to:

• Processing carried out by natural persons for purely personal or family purposes.
• Processing by competent authorities for criminal law purposes

Controllers and processors must:

• Apply the core principles of lawful, fair, and transparent processing.
• Respect purpose limitation and data minimization.
• Implement appropriate technical and organizational security measures.
• Identify and document a valid legal basis for processing.
• Maintain records of processing activities, subject to limited SME exemptions.
• Conduct Data Protection Impact Assessments where processing is likely to result in high risk.
• Appoint a Data Protection Officer where required.
• Notify the Commissioner of qualifying personal data breaches within 72 hours.
• Conclude written data processing agreements with processors.
• Maintain confidentiality obligations for personnel handling personal data.

Website operators must:

• Provide clear and transparent - information about personal data processing.
• Obtain valid consent where required under the law.
• Enable individuals to exercise their data protection rights.
• Respond to data subject requests within 30 days, with limited extensions permitted.
• Implement appropriate security measures to guarantee security of data processing
• Notify the Commissioner within 72 hours of qualifying breaches.
• Inform affected individuals when a breach is likely to result in a high risk to their rights and freedoms, unless a lawful exception applies.

• International transfers are permitted only where safeguards under Articles 39–42 are met.
• Certain controllers and processors must appoint a Data Protection Officer.
• Controllers must carry out prior consultation where required following a DPIA.
• Written processor agreements are mandatory.
• The Commissioner may issue guidance, including on administrative penalties.
• Public authorities must review and align sectoral legislation within three years of adoption.

Individuals have the right to:

• Access their personal data.
• Request rectification of inaccurate or incomplete data.
• Request erasure in defined circumstances.
• Request restriction of processing.
• Receive personal data in a structured, machine-readable format or have it transmitted directly to another entity where applicable.
• Object to processing in certain circumstances.
• Protection against decisions based solely on automated processing, except under specific legal conditions.
• Seek judicial remedies, including appeal against administrative fines.

Supervisory Authority: Commissioner for the Right to Information and Personal Data Protection.

Powers: Inspections, corrective measures, suspension of processing, administrative proceedings, and issuance of guidance.

Administrative Fines: For serious violations, fines may reach up to:

• 2,000,000,000 Albanian Lek (approximately USD 21,000,000), or
• 4% of the total annual global turnover of the preceding financial year, whichever is higher.

Fines are collected in the state budget. Controllers and processors have the right to appeal fine decisions before the competent court.