Albania’s Law No. 124/2024, “On the Protection of Personal Data,” introduces significant compliance requirements for businesses handling personal data. As Albania aligns with the EU’s General Data Protection Regulation (GDPR), companies must adapt to avoid penalties and ensure lawful data processing.
Key Aspects of Law No. 124/2024
1. Scope & Applicability
– Applies to all businesses (local & foreign) processing personal data of individuals in Albania.
– Covers automated & manual processing, including digital and paper records.
2. Legal Basis for Processing
Businesses must justify data processing under one of the following:
– Consent (freely given, specific, and revocable)
– Contractual necessity (e.g., fulfilling an order)
– Legal obligation (e.g., tax compliance)
– Legitimate interest (must not override individual rights)
3. Data Subject Rights
Individuals have enhanced rights, including:
– Right to access their data
– Right to rectification (correcting inaccurate data)
– Right to erasure (“right to be forgotten”)
– Right to data portability (transferring data to another provider)
– Right to object to processing (e.g., direct marketing)
4. Data Protection Officer (DPO) Requirement
– Mandatory for:
– Public authorities
– Companies conducting large-scale processing
– Businesses handling sensitive data (health, biometrics, etc.)
5. Data Breach Notification
– 72-hour reporting requirement to the Commissioner for Personal Data Protection if a breach risks individuals’ rights.
– Affected individuals must be notified if the breach poses a high risk.
6. Cross-Border Data Transfers
– Transfers outside Albania require:
– Adequacy decision (if the recipient country ensures protection)
– Safeguards (e.g., Standard Contractual Clauses – SCCs)
7. Penalties for Non-Compliance
– Fines up to ALL 10 million (≈ €90,000) or 2-4% of annual turnover for severe violations.
– Reputational damage and legal liability risks.
Action Steps for Businesses
– Audit data processing activities – Identify what data you collect and its legal basis.
– Update privacy policies – Ensure transparency on data usage.
– Implement security measures – Encryption, access controls, and breach response plans.
– Train employees – Staff must understand compliance obligations.
– Appoint a DPO if required – Especially for high-risk processing.
Conclusion
Albania’s Law No. 124/2024 brings stricter data protection rules, mirroring GDPR standards. Businesses must act now to avoid fines, lawsuits, and loss of customer trust.
Need compliance assistance? Contact Alba Legal for tailored legal advice on data protection!
Disclaimer: This article is for informational purposes only and does not constitute legal advice.
