On May 29, 2023, the Information and Data Protection Commissioner (IDP) issued its decision No. 595/6 in which it imposed a total fine of ALL 600,000 (approx. $6,317) on T.N.T Express Albania, a postal services company, for violating the Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) (the Law) following an investigation.

Background to the decision

The IDP highlighted that it had launched an administrative investigation on T.N.T.

Findings of the IDP

Following its investigation, the IDP found that T.N.T violated Articles 18, 21, and 22 of the Law by failing to adequately inform data subjects of the scope and purpose for which their data would be processed. The IDP also determined that the data processing agreements that T.N.T signed with third parties did not outline all the data protection obligations as required by Article 20 of the Law. 

The IDP also determined that T.N.T had not implemented specific organizational rules and procedures to ensure the security of the data it processed, in violation of Articles 27 and 28 of the Law.

Outcomes

In light of the above violation, the IDP imposed a total fine of ALL 600,000 (approx. $6,317) on T.N.T. In addition to the fine, the IDP ordered T.N.T to:

• notify data subjects of the processing of their personal data;
• set retention periods for the data it collects; and
• implement adequate data security measures.

You can read the decision, only available in Albanian, here.