September 2023

1. Governing Texts

Enshrined in Article 35 of the Constitution of the Republic of Albania (only available in Albanian here) ('the Constitution'), the protection of personal data is of fundamental importance to an individual’s enjoyment of his or her right to respect for private and family life, home and correspondence, as guaranteed by Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

The Albanian legal framework protecting individuals' privacy and personal data is continuously evolving, adapting to new technologies as they emerge, and is currently undergoing a process of approximation with the EU acquis communautaire, with the Information and Data Protection Commissioner ('IDP') following the guidelines of the European Commission and the best practices of its homologues in EU countries in exercising its duties.

1.1. Key acts, regulations, directives, bills

The Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) ('the Law'), which abolished the previous data protection law in force since 1999, was amended in 2012 and 2014.

The implementation of the Law is subject to several sub-legal acts, including but not limited to the following:

• Decision of the Parliament No. 95/2019 of 12 September 2019 on the Appointment of the Commissioner for the Protection of Personal Data (only available in Albanian here); and
• Decision of the Parliament No. 86/2018 of 19 July 2018 on the Approval of the Structure, Staff and Classification of Salaries of the Commissioner for the Right to Information and Protection of Personal Data (only available in Albanian here).

The Republic of Albania has also ratified the following international treaties:

• Convention on the Protection of Individuals regarding the Automatic Processing of Personal Data ('Convention 108'), as per Law No. 9288 of 7 October 2004 (only available in Albanian here); and
• Amending protocol to the Convention on the protection of Individuals with regard to Automatic Processing of Personal Data, as per Law No. 49 of 12 May 2022 (only available in Albanian here).

The data protection sublegal acts issued by the IDP incorporate provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

1.2. Guidelines

The IDP has issued the following decisions:

• Decision No. 2 of 10 March 2010 on Determining the Procedures for the Administration of Registration Data, Entering the Data, their Processing and Retrieval, as amended by Decision No. 5 of 27 December 2012 ('Decision No. 2');
• Decision No. 4 of 27 December 2012 on Exceptions to the Obligation to Notify the Processing of Personal Data;
• Decision No. 6 of 5 August 2013 on Determining Detailed Rules for the Protection of Personal Data; and
• Decision No. 8 of 31 October 2016 on the Countries with Adequate Level of Protection for Personal Data ('Decision No. 8').

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law applies to any personal data related to any natural person.

The Law is equally applicable to the processing of personal data by:

• data controllers established in the Republic of Albania;
• diplomatic missions or consular offices in the Republic of Albania;
• data controllers who are not established in the Republic of Albania, but make use of any equipment located in the Republic of Albania;
• public authorities processing data in the framework of crime prevention and prosecution activities, in cases of a criminal offense against the public order and other violations in the field of criminal law, defense, and national security.

2.2. Territorial scope

As mentioned in the section on personal scope above, the Law applies, inter alia, to controllers who are not established in the Republic of Albania but exercise their activity using any means situated in such territory. In this case, the controller should designate a local representative in the Republic of Albania.

2.3. Material scope

The Law applies to any operation or set of operations that is performed upon personal data, i.e. processing of data. Such operations include the collection of personal data, its storage, disclosure, transfer, and so on and so forth. The Law applies to data processed by automated means (e.g. a computer database of customers) and to data that is part of or intended to be part of non-automated 'filing systems' and accessible according to specific criteria (e.g. the traditional paper files, such as a card file with details of clients ordered according to the alphabetic order of the names).

The Law does not apply to data processed for purely personal reasons or family purposes (e.g. an electronic personal diary or a file with details of family and friends). In addition, the Law does not apply when the information provided concerns public officials or public (state) administration servants, reflecting their public, administrative activities or issues related to their duties.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The IDP is established as the responsible authority entitled to supervise and monitor the actions relating to the protection of personal data and to ensure that the Law's provisions are correctly implemented.

3.2. Main powers, duties and responsibilities

The IDP's powers include:

• administrative investigations;
• blocking, erasing, destroying, or suspending the unlawful processing of personal data;
• providing instructions before the processing of personal data is undertaken and ensuring their publication; and
• applying fines for violation of provisions of the law.

4. Key Definitions

Data controller: A natural or legal person, public authority, agency, or any other body, which alone or jointly with others determines the purposes and means of processing of personal data, in compliance with the laws and applicable secondary legislation, responsible for the fulfillment of obligations defined by the law provisions.

Data processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the data controller.

Personal data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.

Sensitive data: Any information related to a natural person and referring to their racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, criminal record, as well as with data concerning their health and sexual life.

Health data: Information related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the past, current, or future physical or mental health status.

Biometric data: Information resulting from biological features, physical, psychological, and behavioral characteristics of a natural person, which are unique and consistent, such as facial images or dactyloscopy data.

Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Data subject: Any natural person whose personal data are being processed.

5. Legal Bases

5.1. Consent

Pursuant to Article 6(1)(a) of the Law, personal data may be processed if the personal data subject has given their consent.

5.2. Contract with the data subject

Pursuant to Article 6(1)(b) of the Law, personal data may be processed if the processing is necessary for the performance of a contract to which the data subject is party or in order to negotiate or amend a draft/contract at the request of the data subject.

5.3. Legal obligations

Pursuant to Article 6(1)(c) of the Law, personal data may be processed to comply with a legal obligation of the controller.

5.4. Interests of the data subject

Pursuant to Article 6(1)(c) of the Law, personal data may be processed in order to protect the vital interests of the data subject.

5.5. Public interest

Pursuant to Article 6(1)(d) of the Law, personal data may be processed for the performance of a legal task of public interest or in the exercise of powers of the controller or of a third party to whom the data are disclosed.

5.6. Legitimate interests of the data controller

Pursuant to Article 6(1) (dh) of the Law, personal data may be processed if the processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the data subject right to protection of personal life and privacy.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The spirit of the Law is guided by the principles of the Constitution relating to the right to privacy of individuals, as well as by the principles of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Lawful basis for processing: Fair and lawful processing of personal data constitutes the guiding principle of the Law.

Transparency: Data subjects should be duly informed regarding the processing of the personal data, i.e. categories of personal data being processed, purpose and means of the processing, recipients or categories of recipients to whom personal data are disclosed, etc.

Purpose limitation: Personal data should be collected for specific, clearly defined, and legitimate purposes and should be processed in a way that is compatible with these purposes.

Data minimization: Such principle is applied as a combination of proportionality and retention principles.

Proportionality: Personal data should be proportionate and correlated with the scope of processing and not excessive in relation to the purposes for which they are collected and processed.

Retention: Personal data cannot be kept longer than necessary for the purpose for which they were collected or further processed.

Data accuracy: Personal data should be accurate and, when necessary, updated. According to the Law all reasonable measures should be conducted so that to ensure that inaccurate or incomplete personal data is erased or rectified.

7. Controller and Processor Obligations

Data controller

Data controllers are responsible for the fulfillment of the obligations stipulated in the Law. Data controllers and processors should take adequate measures in order to ensure that data is processed correctly and lawfully, including appropriate technical and organizational safeguards to protect personal data from intentional or accidental destruction, unauthorized access, and other threats.

In particular:

• data shall be processed fairly and lawfully;
• data shall be collected for explicit and legitimate purposes and processed accordingly;
• data shall be relevant and not excessive in relation to the purpose(s) of processing;
• data shall be accurate and, where necessary, kept up to date;
• data controllers are required to provide reasonable measures for data subjects to rectify, erase, or block incorrect data about them; and
• data shall not be kept for longer than necessary.

Data processor

Data processors shall not transfer data unless instructed otherwise by the data controller. Furthermore, data processors must implement all required safety measures pursuant to the provisions of the Law and hire operators who are obligated to preserve the confidentiality of the data. In addition, data processors must implement appropriate technical measures to guarantee that the data controller's obligations to protect data subjects' rights are met. Moreover, after completing the processing service, the data processor must submit all processing results to the data controller and document, maintain, or destroy such data upon the request of the data controller and make all the necessary information available to the data controller to control compliance with the aforementioned obligations.

7.1. Data processing notification

Under Article 21 of the Law, data controllers have the obligation to notify in advance the IDP of any processing of personal data. To this purpose, the Law provides that, prior to the processing of personal data, data controllers should notify the IDP on the intended activity and categories of personal data as well as any changes to these activities or categories.

Any intention of the data controller to transfer data to third countries should be included in the notification to the IDP. However, a data controller will be exempted from the obligation to notify IDP if:

• the processing of data is conducted for the purpose of keeping a record, the sole purpose of which is to provide information to the public in general, in accordance with the law and sub-legal aspects; or
• the processing of data is carried out for the protection of constitutional institutions, interests of national security, foreign policy, economic or financial interests of the state, or the prevention or prosecution of criminal offences.

7.2. Data transfers

According to the definition provided by the Law, 'international transfer' is the transmission of personal data to recipients in third countries.

The Law stipulates that the adequacy of the level of protection by a third country is determined by assessing all circumstances of data processing operations in that country. To this end, Decision No. 8 stipulates that EU countries, EEA countries, Member States that have ratified Convention 108, and countries where personal data is transmitted on the European Commission's decision have an adequate level of protection for the international transfer of personal data. Exceptions to the above rule are applied in the event the transfer:

• is based on international treaties ratified by the Republic of Albania;
• is consented to by the data subject;
• constitutes a legal obligation for the data controller;
• is necessary for completing a contract between the data controller and the data subject or between the data controller and a third party in the interest of the data subject;
• is necessary for the vital interest of the data subject;
• is done through a register open to consultation and which provides information to the public in general; or
• is necessary or legally required because of an important public interest or for the exercise/defense of a legal right.

The international transfer of personal data to third countries not having an adequate level of protection shall be authorized by the IDP. In cases where the IDP, after assessing the circumstances, decides to authorize the international transfer of personal data to a third country lacking adequate levels of protection, the case will be subject to a set of proper safety measures. For some types of personal data, the IDP might exempt data controllers from seeking authorization. The categories of data subjects exempted are decided by the IDP.

7.3. Data processing records

Pursuant to Decision No. 2, as amended, the data controller shall maintain a record of the processing activity with all the data collected (i.e., categories of personal data collected, the purpose of processing, the identity of the processors (if any), the countries where data will be transferred, and any other information pertaining to the data processing). The data shall be accurate, comprehensive, and updated.

7.4. Data protection impact assessment

Pursuant to IDP instructions, large controllers (or processors) should carry out a Data Protection Impact Assessment ('DPIA'). Large controllers (or processors) are considered the ones that process data by automatic or manual means and have employed six or more persons. In order to guarantee the protection and the safety of personal data, large controllers, inter alia, should establish and maintain the Information Security Management System ('ISMS'). The ISMS should also include the conduct of DPIAs. The DPIA should be carried out prior to the processing of personal data, so as to detect any case of processing that may pose particular risks to the rights and freedoms of personal data subjects due to their nature, extent, and purpose.

7.5. Data protection officer appointment

Instruction No. 47 of 14 September 2018 on the Determination of Rules on the Safety of Personal Data Processed by Large Data Controllers ('Instruction No. 47') issued by the IDP stipulates that large processing entities, which are considered data controllers or data processors that process data by automatic or manual means, through 6 or more persons appointed/engaged in the processing of personal data, either directly or through other processors, are required to appoint a data protection officer ('DPO').

The DPO is responsible for the following:

• the internal monitoring of obligations regarding the protection of personal data by the data processor;
• advising the responsible persons on personal data protection; and
• the implementation of technical and organizational measures in relation to staff and monitoring their practical implementation.

In the case of the engagement of a data processor, the DPO is also responsible for the internal monitoring of its activity and its contractual obligations. The DPO, who monitors the international data transfer, is in charge of handing over the documentation on archiving systems for the special registration announcing of changes and de-registration of the archiving systems from the special register, and keeping data on the archiving systems that are not subject of registration. In addition, the DPO serves as the contact person and collaborates with the IDP. Upon the request of the latter, the DPO is obliged to submit the written authorization under which they operate, as well as proof of the skills acquired during their professional training.

The DPO shall meet the following criteria in order to be appointed to this position:

• have full legal capacity to act;
• possess integrity;
• possess a university degree in law or computer science;
• be noted for their professional skills and ethics;
• having at least five years of working experience as a lawyer or IT expert or having worked for no less than three years near the IDP as a lawyer of IT expert; and
• not having been convicted for any criminal offence.

7.6. Data breach notification

The obligation to notify the IDP of a breach of personal data applies if:

• the data controller is considered a large controller; and
• the data controller does not properly address the breach.

Specifically, according to Instruction No. 47, the contact person shall notify in writing, in due time, the data processor regarding each risk of breach of a data subject's rights, including violations to the Law. If the data processor fails to undertake the necessary measures to address the breach in due time, the contact person must immediately notify the IDP.

Furthermore, a data breach notification is considered to be mandatory for the provider of publicly available electronic communications services who must notify of the breach without undue delay to the Electronic and Postal Communications Authority ('AKEP') and the telecommunication regulatory authority. The obligation to notify is vis-a-vis the telecommunication regulatory authority and not the IDP.

In addition, if the personal data breach is likely to be detrimental to the personal data or privacy of the contracting party or another individual, the telecommunication provider shall also notify the contracting party or the individual without delay (within 24 hours). Notification will not be required if the provider has demonstrated to the AKEP that it has implemented the technological protection measures that render the data unintelligible to any entity that is not authorized to access it.

7.7. Data retention

The Law provides that personal data cannot be kept for longer than is necessary for the purpose for which they were collected or for further processing but does not provide a minimum or maximum retention period. However, time limits apply to specific sectors, as determined by the decisions of the IDP referred to in the section on guidelines above.

For example, the Labor Code No. 7961 of 12 July 1995 (only available in Albanian here) ('the Labor Code') provides that an employees' data be retained until the termination of the employment relationship. Any data processing beyond this term requires the employees' consent.

7.8. Children's data

Any person under the age of 18 is considered a child in Albanian law. There are no provisions in the Law that pertain to children, nonetheless, special rules are established in two of the Instructions issued by IDP, as follows:

Instruction No. 9 of 15 September 2010 on the Fundamental Rules in connection with the Protection of Personal Data in Written, Visual, and Audio-Visual Media stipulates that parental consent shall be obtained for children under the age of 16 in connection with the protection of personal data in written, visual, and audio-visual media.

Instruction No. 16 of 26 December 2011 on the Protection of Personal Data in Direct Trade and Security Measures (as amended) provides that parental/legal guardian consent shall be obtained regarding the processing of a minor's data for marketing purposes. When collecting the minor's data, the data controller shall ensure that the parent or legal guardian is informed about the purposes of data processing. Parent/legal guardian enjoys the same rights as the child as a data subject, and the data controller must verify whether the person exercising the rights of the minor is their parent or legal guardian. When participating in games, the controller shall collect only enough data of the minor to participate in the activity.

7.9. Special categories of personal data

In principle, sensitive data cannot be processed. Such data relates to racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, or concerning criminal history, or health and sexual preference. A derogation of this rule is tolerated under very specific circumstances. These circumstances include:

• the data subject's consent to the processing of the sensitive data, which can be revoked at any time making further processing of such data unlawful;
• authorization is given from the IDP in cases of important public interest under appropriate protective measures;
• when it is necessary for the vital interest of the data subject or of another person and the data subject is physically or legally incapable of giving consent;
• when the processing relates to data manifestly made public by the data subject or is necessary for the exercising or defense of a legal right;
• when data is processed for historical, scientific, and statistical research under appropriate protective measures;
• data which is collected by medical personnel during the course of their activity, who have the obligation to maintain confidentiality;
• data processed by non-profit political, philosophical, religious, or trade union organizations for the purposes of their lawful activity only to members, sponsors, or persons related to their activity. This data cannot be disclosed to a third party without the consent of the data subject unless otherwise provided in the Law; and
• the processing is necessary for the fulfilment of a legal obligation and specific right of the data controller in the field of employment subject to the Labor Code.

7.10. Controller and processor contracts

Instruction No. 19 of 3 August 2012 on the Regulation of the Relationship Between the Controller and the Processor in Case of Delegation of Personal Data Processing and Standard Contract Form for Such Legal Arrangements, as amended by Instruction No. 30 of 27 December 2012 (only available in Albanian here) ('the Regulation') establishes rules regarding the relationship between data controllers and data processors where personal data processing is outsourced including the adoption of a standard contract that the parties shall use for such delegation.

The contractual relationship of the data controller may be with any Albanian or foreign company, which offers processing services. The processing contract provides that the data processor uses and discloses personal data only under the instructions of the data controller and that the data processor implements all the necessary measures to ensure adequate data protection. The outsourcing contract shall include provisions that define the rules for the processing of personal data under Albanian law. Such contracts must provide all the measures that should be taken by data processors to ensure adequate data protection, as well as the procedures to be taken in case of violation of the security of such data.

Under the Regulation, the data controller must examine the following to ensure the selection of a competent data processor:

• that the company has a good reputation in this field and offers permanent guarantees regarding the security of personal data to be processed;
• the contract is in written form and shall contain specific provisions governing the protection of personal data;
• in case the data processor is a foreign company, the data controller shall ensure that the countries where the data processor operates are part of the countries offering adequate protection of personal data under Albanian law;
• the data controller must check the legislation of the origin country of the data processor to ensure that the contract has effect in both countries;
• that the data processor provides appropriate protective measures for the data to be processed;
• that, as part of such appropriate measures, the data processor shall control the personnel handling the processing and for this purpose, the data controller shall refer to the security standards ISO 27000; and
• the data processor shall report any breach of security and any other issue of interest to the data controller in order to:
  • guarantee the implementation of the legislation by applying adequate security standards and adjusting after any possible violation thereof; and
  • allow the data controller to be able to provide information to the data subject upon request.

The data processor is obliged to notify the data controller in the case of violations of personal data, however, the processor is not obliged to notify the data subject of the same. The outsourcing contract shall contain provisions to regulate the following:

• the moment when the data processor shall notify the data controller on the damage caused to:
  • the data subject, in case of unauthorized destruction, loss, modification, disclosure, or alteration of the personal data transmitted, stored, or processed; and
  • the data controller, in case of damage related to the data controller's business position and reputation;
• the content of the notification and its timing. The notification shall be made:
  • without delay;
  • in written form; and
  • contain full information on the type of violation of data and the consequences of thereof.

8. Data Subject Rights

8.1. Right to be informed

The controller, when collecting personal data, must inform the data subject of:

• the scope and purpose for which personal data is being processed;
• the person who is going to process the data;
• the means of processing; and
• the right to access and the right to rectify personal data.

In case the controller processes personal data obtained from the data subject, they are also obliged to inform the data subject whether the provision of the personal data is obligatory or optional. If the data subject, under a legal or secondary act, is obliged to provide personal data for processing, the controller must inform them of this fact, as well as on the consequences of refusal to provide personal data.

8.2. Right to access

Data subjects are entitled to obtain, free of charge, from the data controller upon written request, confirmation whether their personal data are being processed, information on the purposes of processing, the categories of processed data, and the recipients or categories of recipients to whom personal data are disclosed. The communication thereof must be in a comprehensible form with regard to the data that is being processed and any available information as to their source. In the case of automated decisions, information about the logic applied in the decision-making must be provided.

8.3. Right to rectification

The data subject has the right to request blocking, rectification, or deletion of their data, free of charge whenever they become aware that data relating to them is irregular, false, and incomplete, or has been collected or processed in violation of the provisions of the Law.

8.4. Right to erasure

Please see section on right to rectification above.

8.5. Right to object/opt-out

The data subject has the right, at any time and free of charge, to object to the processing of data related to them carried out by the data controller unless it is:

• in the context of the performance of a legal task of public interest or in the exercising of the powers of the data controller, or of a third party to whom the data is disclosed; or
• in cases where the processing is necessary for the protection of the legitimate rights and interests of the data controller, the recipient, or any other interested party.

8.6. Right to data portability

The law does not provide the right of data portability.

8.7. Right not to be subject to automated decision-making

An individual is entitled not to be subject to decisions that cause legal effects upon, or materially affect, them based only on the automatic processing of the data, which aims at assessing certain personal aspects related to them, particularly their work efficiency, credibility, or behavior.

8.8. Other rights

Complaint to the IPD

Anyone who believes that their rights, freedoms, and legal interests in relation to their personal data have been violated, is entitled to file a complaint or to notify the IDP and request that it intervenes to remedy the infringement.

Damage compensation

Anyone who has suffered damage due to unlawful processing of personal data is entitled to compensation, pursuant to the provisions of the Civil Code No. 7850 of 29 July 1997 (only available in Albanian here).

9. Penalties

Administrative liability

The IDP can act:

• on the initiative/notification of data subjects and data controllers:
  • by filing a complaint with the IDP any natural person who claims that personal data have been processed in violation of the Law; or
  • through a request for authorization from the data controller or data subject. If the IDP acts following a complaint or request of an entity, the IDP is obliged to notify the entity regarding the outcome once the investigation process is concluded; or
• on the initiative of the IDP:
  • by reviewing the notices that the data controllers are obliged to send, for the personal data they process; and
  • through controls and inspections carried out by the IDP.

If, from the investigation conducted, due to individual inspections or complaints, it is found that personal data has been illegally processed by a data controller, the IDP has the authority to order the blocking, deletion, destruction, or suspension of the processing.

The IDP has the authority to impose administrative sanctions in the event of serious, repeated, or deliberate violations of the Law by a data controller or data processor, particularly in the case of repeated cases of non-implementation of its recommendations.

IDP may impose fines from a minimum of ALL 10,000 (approx. $87) up to a maximum of ALL 1 million (approx. $8,833). The aforementioned fines apply to natural persons and are doubled in the case of violations attributed to legal persons. The maximum fine also doubles in cases involving the processing of personal data without prior authorization of the IDP.

Criminal liability

Reference in this regard should be made to the Criminal Code No. 7895 of 27 January 1995 (only available in Albanian here) ('the Criminal Code') and, in particular, to Articles 121, 122, and 123 of the same.

Article 121 of the Criminal Code provides unfair interferences in private life by means of recording of data (pictures, conversations, and so on), and their storage and publication without the consent of the data subject constitutes a criminal misdemeanor punishable by a fine or imprisonment up to two years.

Article 122 of the Criminal Code provides that the unauthorized disclosure of personal secrets regarding the personal life of an individual, by persons that should protect such information due to their work or profession, constitutes a criminal misdemeanor punishable by fine or imprisonment of up to one year. If the disclosing of information is committed with the intent of embezzlement, the infringer is punishable by a fine or imprisonment of up to two years.

Article 123 of the Criminal Code states that the intentional commitment of acts including destruction, non-delivery, opening, and reading of letters or any other correspondence, as well as the interruption of, or placement under control, or hearing any conversation through telephone, telegraph, or any other means of communication, constitutes a criminal misdemeanor and is punishable by a fine or imprisonment of up to two years.

9.1 Enforcement decisions

In December of 2021, two databases were made available online containing the personal information of 637,139 and 694,470 Albanians employed respectively in the public and private sectors. The database included, inter alia, the identification number of the employee, their first and last name, their salary, job position, and the name of the employer, etc.

An administrative investigation was immediately initiated by the IDP at the General Directorate of Taxes (Controller). Due to the extensive dissemination of the database online and in audiovisual media, the IDP requested that the Electronic and Postal Communications Authority and the Audiovisual Media Authority promptly close the websites and initiate legal proceedings against the individuals believed to be responsible for publishing personal data of citizens obtained from the databases.

Due to the database's disproportionately large-scale data processing, which is contrary to the principles and standards governing the processing of personal data, IDP concluded that the database's widespread dissemination constituted a serious violation of private life and the rights of individuals to the protection of their personal data.

The General Directorate of Taxes was found in violation of several provisions of the Law, including:

• use of personal data contrary to legal processing criteria;
• failure to fulfill the obligation to inform data subjects;
• failure to fulfill the notification obligation; and
• failure to fulfill the obligation to take appropriate organizational and technical measures to protect personal data from illegal, accidental destruction, accidental loss, or unauthorized access or disclosure.

A sanction of approximately €27,000 was levied against the data controller for these violations.