Albania: IDP fines Vivere Ticketing total of ALL 870,000 for failing to have adequate measures to protect data from unauthorized access
On November 22, 2023, the Information and Data Protection Commissioner (IDP) issued its decision No. 1736/12 in which it imposed a total fine of ALL 870,000 (approx. $9,226) on Vivere Ticketing SHPK, for violating the Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) (the Law), following an administrative investigation.
Background to the decision
The IDP highlighted that it carried out an administrative investigation on Vivere Ticketing in relation to Vivere Ticketing's collection, processing, storage, and security of personal data in the performance of its business activities.
Findings of the IDP
The IDP found that Vivere Ticketing violated Articles 5, 18, 20, 21, 22, 27, 28, 29, 30, 39, 40, and 41 of the Law. The IDP observed the following:
- in the contracts between Vivere Ticketing and its service providers, the obligations of the parties on the processing of personal data were not foreseen;
- the deficiencies in Vivere Ticketing's privacy notices, specifically regarding the categories of personal data processed, the purpose of processing, recipients of personal data, and security measures and personal data storage policies;
- the lack of a business continuity policy plan, system security assessment report, risk management procedures/policies, impact analysis on personal data of its operations processing, procedures for keeping records related to modifications, destruction, and transfers of data; and
- the lack of adequate technical and organizational measures to protect personal data from access, accidental destruction, and loss, as well as failure to protect against the access or dissemination of personal data by unauthorized persons.
Outcomes
In light of the above violations, the IDP imposed the aforementioned fine on Vivere Ticketing. In addition to the fine, the IDP ordered Vivere Ticketing to:
- pay attention to processing activities to determine the time limits for data storage;
- pay attention to fulfilling the obligation of informing data subjects;
- continuously update the notice regarding changes in the status of personal data processing;
- review cooperation agreements, specifying obligations between parties within 15 days;
- include technical and organizational measures for the protection of personal data within 30 days;
- create, maintain, and administer an information security management system for the protection of personal data within 45 days; and
- assess the certification of information security management systems.
You can read the decision, only available in Albanian, here.