The Ministry of Justice has started public consultations on a new draft of the law on protecting personal data, designed to align with the EU acquis and tighten the existing 2008 law.
Albania has been rocked by a number of data protection and privacy scandals in the last 18 months, including leaks from government institutions that have seen the names, phone numbers, car registration plates, employers, salaries, and more, in the public realm.
Justice Minister Ulsi Manja said the new changes were important as they would address different kinds of abuse.
“This draft law is of great importance in increasing the standards of protection of personal data of citizens as well as in increasing the effectiveness for addressing any type of abuse”, Manja stated.
He added that the law had been drafted in collaboration with external experts, the Office for the Commissioner for the Protection of Personal Data and the Right to Information, and a project funded by the EU.
A new concept that will be introduced for the first time in Albanian law is that of consent in relation to data protection. It states that consent for personal processing data related to the individual must be given freely, in an informed manner, and transparently through a statement or explicit action to the affirmative.
Other terms to be introduced include the notion of pseudonymised data, further processing, and different categories of sensitive data.
The law also foresees a new system of administrative sanctions for violating its provisions, including increasing the value of the fine to those applied in the EU.
In terms of the rights of data subjects, the draft law not only improves and expands their rights provided by the law in force but also provides for the first time new rights such as the right to be forgotten and the right to data portability.
New obligations are also foreseen for data controllers and processors, including conducting impact assessments on protecting personal data before starting processing, the obligation to consult with the Commissioner before processing begins in cases where there is a high risk to the data subject, and the obligation to appoint a data protection officer. In addition, there will be codes of conduct and certification mechanisms introduced.
The Commissioner will also now have auxiliary investigative and corrective powers for the first time.