Support Centre

Albania

Summary

Law: Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) ('the Law')

Regulator: Information and Data Protection Commissioner ('IDP')

Summary: The Law, which replaced Albania's previous data protection law that had been in force from 1999, was amended in 2012 and 2014, and incorporates provisions of the EU Data Protection Directive (95/46/EC). The IDP is the authority granted supervisory competence under the Law. While there is no requirement under the Law to notify personal data security breaches to data subjects or the IDP, the IDP has, in an opinion (only available in Albanian here), highlighted that data subjects have the right to be informed when the security of the data subject's personal data has been compromised. Furthermore, the Law provides that cross-border personal data transfers are permitted to countries with an adequate level of data protection as specified in a whitelist (only available in Albanian here) published by the IDP.