On 19 December 2024, the Albanian Parliament adopted the long-awaited Law no. 124/2024 on “Personal data protection” (the “New Law”), published in the official gazette no. 9 dated 17 January 2025. The Law is fully aligned with the General Data Protection Regulation (“GDPR”) and repeals the existing Law no. 9887 dated 10.03.2008 having the same scope (the “existing law”).

The New Law entered into force on 31 January 2025, with the exception of some articles that will come into force within two years. The sub-legal acts approved under the existing law will, however, remain in effect until new sub-legal acts are approved.

Key highlights of the New Law include a broader scope of applicability, new terms and definitions, enhanced rights for data subjects and additional obligations for data controllers and processors to strengthen personal data protection, as well as more severe sanctions, as briefly described below:

Broader scope of applicability

The New Law aligns with GDPR’s extraterritorial reach, extending its applicability to data controllers and processors located outside Albania, under the following conditions:

  • the data processing is related to offering goods or services to data subjects located in Albania; or
  • the data processing is related to monitoring the behavior of data subjects located in Albania; or
  • the controller/processor is located in a territory outside Albania where Albanian legislation applies by virtue of international public law.

In the above cases, data controllers and processors located outside Albania must appoint a representative located in Albania, who is duly notified to the Right to Information and Data Protection Commissioner (“the Commissioner”). The representative is authorized to handle any matters related to processing, including liaising with the Commissioner and data subjects on behalf of or alongside the controller, to ensure compliance with the New Law.

New terms and definitions

The New Law provides better definitions of existing terms, thus aligning with GDPR terminology.

Written consent by the data subject is no longer mandatory. Under the New Law, consent is any declaration or any form of expression of will, freely given, duly informed and unambiguous, whereby the data subject agrees to the purposes for which their personal data are processed. Data controllers bear the burden of proof to demonstrate that the data subject’s consent was given in accordance with the law.

New terms such as “pseudonymization”, “profiling” and “data minimization”, as well as definitions of subcategories of sensitive data such as biometric, genetic, criminal and health data, aligned with GDPR terminology, are introduced by the New Law.

Enhanced data subject rights

The New Law provides enhanced data subject rights, designed to offer individuals greater control over their personal data. Key improvements include:

  • The right to information.
  • The right of access.
  • The right to be forgotten.
  • The right to restriction of processing.
  • The right to data portability.

New obligations for data controllers and processors

The New Law introduces for the first time the principles of Data Protection “by Design” and “by Default”, which oblige controllers to integrate data protection measures into every stage of their operations. New obligations for data controllers and processors, to ensure the effectiveness of data protection during data processing, are provided by the New Law, such as:

  • Obligation to document all data breaches and any remedial measures taken. The controller must notify the Commissioner of any detected data breach without undue delay and within 72 hours, and also the data subject when the risks caused by the data breach are likely to be high. In addition, the processor must notify the controller of any breach without undue delay.
  • Obligation to carry out a data protection impact assessment prior to personal data processing, to identify potential risks to the rights and freedoms of data subjects and to mitigate such risks when the processing poses a high level of risk. The Commissioner will publish on its official website a list of the specific processing activities that require a prior impact assessment.
  • Obligation to consult the Commissioner before initiating data processing when, based on the impact assessment, the processing poses a high risk.
  • The New Law provides detailed requirements regarding the appointment of a Data Protection Officer (DPO). The role of the DPO is to ensure compliance with the legal requirements during data processing, in cases where the activities carried out by the data controller or processor require enhanced and periodic monitoring of data subjects, or where sensitive or criminal data are being processed.
  • In the case of joint controllers, a written agreement must be concluded in which the respective responsibilities of each controller are specifically defined. Key provisions of the agreement must be made available to data subjects.

New instruments to guarantee enforcement of the law

New instruments are provided to guarantee enforcement of data protection legislation with respect to data controllers and processors.

  • Codes of conduct, drafted by organizations or other bodies that represent certain categories of controllers and processors, which aim to contribute to the best possible implementation of the legal framework on data protection. Such codes are subject to approval by the Commissioner and, upon approval, are published on the official website of the Commissioner.
  • Monitoring bodies, which are private entities accredited by the Commissioner and are competent to monitor compliance with a code of conduct by the controllers and processors that have undertaken to adhere to it.
  • The certification mechanism is further elaborated by the New Law. The aim of this instrument is to guarantee legal compliance by controllers/processors during data processing. As before, the certification will be valid for a period of up to three years, with the option to renew.

International transfer of data

The New Law introduces a new approach regarding data transfers, allowing transfers to countries without adequate data protection without the Commissioner’s authorization, using new tools that guarantee adequate data protection during the transfer, such as “Standard Contractual Clauses”, “Binding Corporate Rules”, “Codes of conduct”, “Certification mechanisms”, etc.

Sanctions

The following financial penalties, matching GDPR levels, are provided by the New Law in the case of legal breaches:

  • Up to 1 billion ALL or, for commercial companies, up to 2% of the global annual turnover of the previous fiscal year, whichever is higher, for non-compliance with the obligations of the controller and processor;
  • Up to 2 billion ALL or, for commercial companies, up to 4% of the global annual turnover of the previous fiscal year, whichever is higher, for more severe violations, including failure to adhere to fundamental data processing principles, breach of data subject rights or breach of international data transfer requirements.

The KPMG team remains at your disposal for any inquiries you may have or assistance you may need.

For information

Juliana Mateeva
Partner, Legal Advisory Services
Tel: +359 2 9697 600

Arjola Goxhaj
Manager, Legal Advisory Services
Tel: +355 42274 524

Ergisa Hasanbelliu
Senior Associate, Legal Advisory Services
Tel: +355 42274 524