The Commissioner is a legal person governed by public law, elected by Parliament on the proposal of the Council of Ministers for a term of 5 years and eligible for re-election. Parliament also determines the organizational structure of the Commissioner's office. The Commissioner for the Right to Information and Data Protection (the «Commissioner») is the independent Albanian authority responsible for monitoring and controlling the protection of personal data and the right to information, respecting and guaranteeing human rights and fundamental freedoms in accordance with the legal framework. The controller is obliged to document the measures it has taken to ensure the protection of personal data in accordance with the law and other legal provisions. The international transfer of personal data may take place with recipients from countries that have an adequate level of protection of personal data. The level of protection of personal data for a country is determined by assessing all the circumstances relating to the nature, purpose and duration of the processing, the country of origin and final destination, as well as the legislation and security standards applicable in the receiving country. Data protection law defines direct marketing as the communication of advertising material, by any means and in any way, using personal data of legal or natural persons, agencies or other entities, with or without interference. Data protection law provides for the legal criteria for the processing of personal data, the processing of sensitive data and special data processing. Data protection law provides for the legal obligation of each controller to inform the controller of the personal data for which he is responsible. The notification is made before the controller processes the data for the first time or when it is necessary to change the status of the processing notification.
Article 39 (1) of the Data Protection Act stipulates that data processing contrary to the Data Protection Act is an administrative offence and may be punishable by fines ranging from ALL 10,000 (approximately EUR 83) to ALL 1,000,000 (approximately EUR 8300), with legal entities being charged twice the amount. The sanctioned person may challenge the fine before the courts within the time limits and in accordance with the procedures governing administrative procedures.
In the event of repeated or intentional serious breaches of data protection law by a controller or processor, the Commissioner acts in accordance with Article 39 of the Data Protection Act and reports the case publicly or to Parliament and the Council of Ministers. Data protection law states that fair processing is one of the fundamental principles of personal data protection. Personal data is collected and/or processed for specific, clearly defined and legitimate purposes. In addition, the Commissioner has issued an opinion on the protection of personal data on the websites of public and private controllers (which is slightly outdated and, as mentioned above, does not have binding effect on controllers). In this notice, the controller reminds controllers of their obligations under data protection law and the rights of data subjects that apply to the online collection of personal data: Personal data collected for any purpose may be further processed for historical, scientific or statistical purposes, provided that the data are not processed to take actions or decisions concerning a person. The Commissioner is the competent authority to monitor and enforce data protection law. The Commissioner shall have the right:.
In accordance with Directive No. 47 of 14 September 2018 «On establishing rules to maintain the security of personal data processed by large processors», which, as mentioned above, only applies to large data processors, the DPO will promptly inform the large data processor in writing of any risk of violation of the rights of data subjects, including in the event of a breach of the legislation on the protection of personal data. Data protection law introduces the obligation for the controller or processor to take appropriate organisational and technical measures to protect personal data against unlawful or accidental destruction, accidental loss or access or disclosure by unauthorised persons, as well as against any type of unlawful processing. The notice shall contain the name and address of the controller, the purpose of the processing of the personal data, the categories of data subjects and personal data, the recipients and categories of recipients of the personal data, the proposal for international transfers that the controller intends to carry out and a general description of the measures taken to ensure the security of the personal data. The notification is done online, on the Commissioner's website or manually by sending the competing report form to the Commissioner's office. Data protection law does not provide for a general obligation of the controller or processor to inform the controller in the event of a personal data breach. The controller or processor who processes personal data to provide business opportunities or services may use the personal data from a public data list. The controller or processor may no longer process such data if the data subject has objected to further processing. By contrast, Law No 9918 of 19 May 2008, entitled 'On electronic communications in the Republic of Albania', as amended ('the Law on Electronic Communications') (Official Gazette of the Republic of Albania No 84 of 10 June 2008), provides for an additional procedure for reporting offences.
The Data Protection Act defines sensitive data as any information concerning a natural person relating to his or her racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, law enforcement, as well as data concerning his or her health and sex life.