Law: Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) (the Law)

Regulator: Information and Data Protection Commissioner (IDP)

Summary: The Law on the Protection of Personal Data No. 9887 of March 10, 2008 (as amended) (the Law) entered into force in 1999 and incorporates provisions of the EU Data Protection Directive (95/46/EC). Under the Law, the IDP is the authority that has been granted supervisory competence.

The Law is not completely aligned with the GDPR and does not require notification of personal data security breaches to data subjects or the IDP. The IDP has highlighted in an opinion (only available in Albanian here), that data subjects have the right to be informed when the security of the data subject's personal data has been compromised. Furthermore, the Law provides that cross-border personal data transfers are permitted to countries with an adequate level of data protection as specified in a whitelist (only available in Albanian here) published by the Information and Data Protection Commissioner (IDP).

The IDP is an active authority according to its 2022 annual report which highlights that a total of 370 complaints were examined, 17 decisions issued, and 63 administrative sanctions imposed on entities found to be in violation of the Law.