
Albania: IDP fines Insig ALL 370,000 for lack of technical and organizational measures

On February 15, 2023, the Information and Data Protection Commissioner (IDP) issued its decision No. 366/1 in which it imposed a fine of ALL 370,000 (approx. $3,898) on Insig SHPK for violating the Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) (the Law) following an administrative investigation.

Background to the decision

The IDP highlighted that it carried out an administrative investigation into Insig's implementation of technical and organizational measures, focusing in particular on its information security management system (ISMS) and on verifying compliance with the IDP's recommendations.

Findings of the IDP

The IDP found that Insig violated Articles 5, 18, 20, 21, 27, 28, 29, 30, 39, 40, and 41 of the Law.

In relation to the use of its verification system, Insig had no documented risk management plans, no formalized procedures for reporting and managing incidents, no business continuity plan, and no plan covering the failure of devices. Additionally, the IDP found that Insig had not carried out internal audits to verify that its risk management techniques were functioning properly, had not trained the employees who had access to and processed personal data, and had used real personal data in the system's test environment.

Outcomes

In light of the above violations, the IDP imposed a fine of ALL 370,000 (approx. $3,898) on Insig. In addition to the fine, the IDP ordered Insig to:

  • pay attention to personal data processing processes and determine the time limits for data storage;
  • take measures to fulfill the obligation to inform data subjects of the purpose and method of data processing;
  • include the obligations of each party in the contract;
  • update the privacy notice regarding the change in the status of the notification of the personal data processing;
  • include technical and organizational measures for the protection of personal data;
  • train staff and create, maintain, and administer an information security management system;
  • assess the certification of information security management systems and personal data protection; and
  • notify the IDP of the measures taken.

You can read the decision, only available in Albanian, here.