Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Albania: IDP fines Toronto Group a total of ALL 400,000 for violating Protection of Personal Data Law

On January 17, 2023, the Office of the Information and Data Protection Commissioner (IDP) published its decision No. 167 prot., in which it imposed a total fine of ALL 400,000 (approx. $4,210) on Toronto Group – Spitali Jopublik Amavita (Toronto Group) for violations of the Law on the Protection of Personal Data No. 9887 of 10 March 2008 (the Law), following a complaint submitted by an individual.

Background to the decision

The IDP noted that IDP carried out an administrative investigation to verify the implementation of actions issued to Toronto Group in Recommendation No. 38, dating from July 29, 2021, of the IDP.

Findings of the IDP

Following an investigation, the IDP found that the Toronto Group processed personal data of employees, patients, customers, and suppliers, however, Toronto Group did not publish a privacy notice. The IDP concluded that Toronto Group failed to inform the data subjects according to Article 18 of the Law and Instruction No. 49 on the protection of health data, from March 2, 2020.

The IDP also clarified that the Toronto Group concluded several cooperation contracts with third parties (processors) to delegate the processing of personal data, however, failed to include provisions regarding the legality and security of data processing following Article 20 of the Law and Instruction No. 19, dating from August 3, 2012.

Furthermore, the IDP found that the Toronto Group:

  • failed to update the Data Processing Notice submitted to the IDP, infringing Articles 21 and 22 of the Law;
  • failed to include processes, procedures, technical and organizational measures in its specific regulation, infringing Article 27 of the Law; and
  • failed to take measures to train its employees and create, maintain, and administer information security management systems, infringing Article 27 of the Law and Instruction No. 47.


In light of the above, the IDP imposed the following fines on Toronto Group:

  • ALL 150,000 (approx. $1,580) for violation of Article 18 of the Law;
  • ALL 150,000 (approx. $1,580) for violation of Article 20 of the Law; and
  • ALL 100,000 (approx. $1,050) for violation of Article 27 of the Law.

Moreover, the IDP required the Toronto Group:

  • within 15 days, to revise the cooperation agreements with processors and to update the data processing notice;
  • within 30 days, to review the special regulation to provide technical and organizational measures; and
  • within 45 days, to take measures to train its employees.

You can read the decision, only available in Albanian, here.