
ALBANIA - Data Protection and GDPR Review

Early Efforts and Legislation

Albania's first attempts at legislating data protection began in the late 1990s and early 2000s, as the country transitioned from a communist system to a democratic one. During this time, the concept of privacy and data protection was still new, and the country lacked a robust legislative framework to address these issues.

Law No. 8517 "On the Right of Information for Official Documents"

The first significant piece of legislation related to data protection in Albania was Law No. 8517, enacted in 1999. This law, known as "On the Right of Information for Official Documents," was the country's initial attempt to regulate the use and dissemination of public documents and data. While this law did not provide comprehensive data protection, it established the fundamental right to access official documents and the obligation of public bodies to provide such information.

Law No. 9887 "On Personal Data Protection"

In 2008, Albania took a significant step forward with the introduction of Law No. 9887, known as "On Personal Data Protection". This law represented Albania's first comprehensive data protection legislation, inspired by the European Union's 1995 Data Protection Directive. The law covered a broad range of issues, from the processing of personal data to the rights of individuals regarding their data.

This law established the Information and Data Protection Commissioner (IDPC) as an independent body responsible for overseeing and enforcing data protection law in Albania. The IDPC was granted powers to investigate potential violations of the law, issue penalties for non-compliance, and provide guidance to organizations on data protection issues.

Harmonization with GDPR

Although not an EU member, Albania has made efforts to align its data protection laws with the GDPR, primarily because it seeks EU membership and wants to facilitate international data transfers.

To this end, amendments to Law No. 9887 were made in recent years, incorporating many of the principles of the GDPR, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. These amendments also reinforced the rights of data subjects, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object.

While Albania's history of data protection is relatively short compared to many other countries, it has made significant strides in this area over the past two decades. The country's efforts to harmonize its laws with the GDPR reflect its commitment to protecting the privacy and personal data of its citizens. However, ongoing work is required to ensure that these laws are enforced effectively and keep pace with the rapidly changing digital landscape.

The Albanian Legal Framework for Data Protection

As of 2021, Albania's key legislation relating to data protection is Law No. 9887, enacted in 2008 and amended in 2012, titled "On Personal Data Protection." However, this legislation has been further amended in recent years to bring it in line with the GDPR. The Information and Data Protection Commissioner (IDPC) oversees and enforces this law in Albania.

Key GDPR Concepts and Their Application in Albania

  1. Lawfulness, Fairness, and Transparency: These principles stipulate that personal data should be processed lawfully, fairly, and transparently. In Albania, the IDPC provides guidance and resources to help companies understand and adhere to these principles.

  2. Purpose Limitation: Under GDPR, personal data can only be collected for specified, explicit, and legitimate purposes. In Albania, companies must clearly state the purpose for which data is collected before they gather any personal information.

  3. Data Minimization: Data collected should be relevant, limited, and necessary. In Albania, companies are urged not to collect more personal information than they need.

  4. Accuracy: Personal data should be accurate and, where necessary, kept up to date. Companies operating in Albania are required to take steps to ensure the data they collect is accurate and to correct or remove any inaccuracies.

  5. Storage Limitation: Personal data should only be kept in a form which permits identification of data subjects for as long as necessary. In Albania, companies must delete personal data when it is no longer necessary for the purpose for which it was collected.

  6. Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. Companies in Albania are obliged to use appropriate technical and organizational measures to safeguard personal data.

Data Subject Rights in Albania

Data subject rights in Albania mirror those under the GDPR, including:

  • The right to access

  • The right to rectification

  • The right to erasure ('right to be forgotten')

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights concerning automated decision making and profiling.

Data Transfers

Data transfers outside of Albania are permitted to countries that provide an adequate level of data protection. For countries that don't offer an adequate level of protection, specific safeguards must be put in place, similar to the GDPR's requirements.

Penalties for Non-compliance

The Albanian law on data protection provides for financial penalties for non-compliance, although they are typically lower than the maximum penalties under GDPR.


While Albania has made significant strides towards aligning its data protection laws with the GDPR, companies operating in Albania must keep up to date with the latest legal and regulatory developments to ensure compliance. Consulting with legal professionals and the IDPC is strongly advised for matters of data protection.

