
GDPR and personal data protection in non-EU countries:
Albanian case of data protection legislation


Gliqiri Riza
University of Tirana, Faculty of Economics, Tirana, Albania

Abstract
GDPR, which stands for the General Data Protection Regulation, is the European legal framework that aims to simplify the regulatory environment for businesses and organizations in all EU member countries, but with clear implications for businesses and individuals located in any other country where domestic or foreign companies process personal data of European citizens. It is a set of rules designed to give European citizens more control over their personal data, at a time when almost every aspect of life revolves around data. From the companies we work for to social media giants, banks, health care systems and governments, every service we use in our daily lives involves the collection and analysis of our personal data. Being such an important development in protecting the security of personal data, this paper aims to give a brief analysis of some of the most important concepts of the GDPR, the affected companies and citizens, and the administrative fines applied in case of violation. Furthermore, it will provide a comparison of the Albanian legal framework for Data Protection with the GDPR, followed by some conclusions and recommendations.

Keywords
Personal data, legislation, protection, security, controller, processor, administrative fines

1. Introduction

While technology is developing in an unstoppable way, people and authorities are nowadays more aware and conscious of the risk we all face while sharing virtual reality over the Internet. As a result, in January 2012, the European Commission began setting targets for Data Protection Reform across the European Union [6], so that the changes would make Europe fit for the digital era we live in. This period needed many years of preparation, but almost four years later agreement was reached on what was called the GDPR, one of the most powerful pieces of legislation of the last 20 years. The regulation was adopted by the European Parliament in April 2016 and the directives were published in the Official Journal of the European Union in all official EU languages, while two years later, on 25 May 2018, the legislation came into force all over Europe. It followed the 1995 Data Protection Directive [4], which had been implemented until then. As a result, under the terms of the GDPR, organizations must not only ensure that personal data is collected lawfully and under strict security conditions; on the other hand, even those who collect, process or save the data are obliged to protect it from misuse and exploitation. At first glance, the GDPR may seem complex, but the essence of the legislation is based on the fundamental human right to privacy, where data owners are the ones who choose what to do or not to do with their personal data.

Thus, since the protection and security of personal data are the fundamentals on which the GDPR is based, first of all we should all know what is considered personal data under the current legal framework. Personal data is any information related to an identified or identifiable living individual which can lead to the identification of a particular person. According to the European Commission (2020) [5], earlier the types of data that were considered personal included name, address and photos, but the GDPR extended the definition beyond that, considering as personal data even an IP address or other similar digital data that can identify us on the network.

Proceedings of RTA-CSIT 2021, May 2021, Tirana, Albania
EMAIL: gliqeririza@hotmail.com
© 2021 Copyright for this paper by its author. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)
Furthermore, the General Data Protection Regulation states that genetic and biometric data, which can be processed to uniquely identify an individual, are also defined as sensitive personal data. Based on the new GDPR rules, the types of information that should be addressed and treated with special care, as they constitute personal data, include: name, address, date of birth, social security numbers, etc.; internet-based data, including user location, IP address, cookies and RFID¹ tags; health card data (HIPAA²) and genetic data; biometric data; racial and/or ethnic background; political convictions; religious faith and sexual orientation.

On the other hand, when it comes to discussing the responsibility for processing and having control over the personal data, the GDPR specifies that there are two main stakeholders, Data Controllers and Data Processors. A Data Controller can process the collected data using its own processes, or in some cases the controller can also work with a third-party/outsourced service for processing procedures. However, even in this case, the Data Controller should not relinquish control of the data to the third-party service. The Data Controller continues to be in control, specifying how the data will be used and processed by the external service. Thus, the Controller has the greatest responsibility when it comes to protecting the rights of the data subject. The Data Processor, by contrast, simply processes any data given to it by the controller. The Data Processor can also be a company or a third-party outsourced organization, subcontracted by the Data Controller for data processing services, even though the processor neither possesses the data being processed nor controls it. This means that a processor is able to change neither the purpose nor the means by which the data is processed. Therefore, Data Processors are obliged to operate under the instructions given by the controller.

2. The GDPR’s important changes

According to the General Data Protection Regulation, a company or organization, whether it is located within the EU or operating in any country outside the European Union, must implement and be compliant with the GDPR if it meets any of the following conditions:
• The business is operating in any European Union country;
• Even if it is not located in any of the EU countries, the company still processes personal data of European citizens;
• The company has more than 250 employees;
• The company has less than 250 employees, but the data processing being performed during its daily activity affects the rights of its data subjects.

According to the GDPR, there are two declarations which analyze the territorial scope and clearly specify the rules that must be followed by a company located outside the European Union but still processing the data of a European entity or citizen [7]. There are two cases that determine when an organization outside the European Union is affected by the legal framework of the GDPR and will have to apply increased measures and controls in order to be compliant with the legislation [3]. This happens in the case of:
• Providing goods and/or services to European citizens / The Offering Test
One of the ways the internet is making our lives easier is the fact that, with just one click, goods and services become very easily accessible from anywhere in the world. From the GDPR perspective, this adds challenges for companies and organizations operating globally [2], because the legislation states that, no matter where the organization is located, as long as it provides goods and services to European citizens, it is obliged to be compliant with the GDPR. Thus, even if the company is not operating in a European country, it should be compliant with the GDPR.
• Monitoring their behavior / The Monitoring Test
If an organization uses tools that allow it to track cookies or IP addresses of people from any of the European Union countries who visit its website, then it is obviously affected by the GDPR legislation. As a result, the company will have to take responsibility for tracking this data. In contrast to the provision of goods and services, monitoring does not specifically require any indication of why it occurs, even though GDPR guidelines state that "use of the word “monitoring” means that the controller has a specific purpose in mind for the collection and subsequent activities of reuse of relevant data relating to the conduct of an individual within the EU." Furthermore, according to the legal framework explanations, although a concrete reason why someone's activity on the network is being monitored is not required, the main consideration is the belief that any observed behavior can later be used to profile the monitored subject [2].
¹ RFID: Radio-frequency Identification
² HIPAA: Health Insurance Portability and Accountability Act
On the other hand, according to the changes the GDPR brought to the European legal framework for Personal Data Protection, a data subject, i.e. the person whose data are collected and processed, has some fundamental rights [9], which must be respected during the processing of his personal information. These rights are explained in Articles 15-22 of the General Data Protection Regulation and, in case of violation, the Data Controller, i.e. the company which is processing the data, will have to face the administrative fines stated by the regulation. These rights include:
• The data subject’s right of access: the right to obtain from the controller confirmation as to whether or not the personal data of the subject are being processed.
• The right to rectification: the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning the subject.
• The right to erasure / “The right to be forgotten”: the right to obtain the erasure of the personal data concerning the subject, where the controller shall have the obligation to erase the data without undue delay.
• The right to restriction of processing: the right to obtain the restriction of processing of his/her personal data.
• The right to be informed: the right to be informed by the controller in case your personal data is being collected, processed or saved for any aim.
• The right to data portability: the subject’s right to receive the data concerning him/her in a structured, commonly-used and machine-readable format.
• The right to object: the right to object at any time to the processing of data concerning the subject.
• The right not to be subject to a decision based on automated processing: the right not to be subject to a decision based solely on automated processing, including profiling, that affects the subject and produces legal effects concerning him/her.

GDPR administrative fines

One of the most discussed factors whenever the GDPR is being analysed is undoubtedly the ability of regulators to penalize businesses that do not comply with the regulation. Thus, if an organization does not process the individual's data properly, any of the subject’s rights is violated, or other compromising factors are found, the company can be fined. The GDPR has two main levels of fines: it states that minor violations can result in fines up to €10 million or 2% of a firm's global turnover (whichever is higher), while major violations may have more serious consequences: fines up to €20 million or 4% of a firm’s global turnover (whichever is higher). The maximum fines of course do not mean that the highest level of administrative measures is applied by default. The exact level of the fine depends on many factors, such as the severity of the non-compliance or possible breach of personal data; the measures taken to comply with the GDPR; the degree to which the organization fails to establish and provide essential mechanisms to prevent violations of personal data or to provide answers to the requests of entities; willingness to respond to these requests; the degree to which privacy is respected; additional measures or even the will of the data subject regarding how the information that has been collected will be further handled [1]. The GDPR summarizes that the first level applies specifically to data breaches. The maximum amount is set at 2% of a company's global revenue or 10 million euro, whichever is higher. To avoid this fine, it is suggested that organizations should apply high levels of security, demonstrate cooperation with the authorities, conduct a Data Protection Impact Assessment, and potentially hire a Data Protection Officer. On the other hand, the second level covers the will or the consent of a data subject on how the data that is being collected or processed should be treated. It also covers compliance with the eight rights of data subjects under the GDPR. Violations of these rights can be punished with a maximum of 4% of a company's global revenue or 20 million euro, whichever is higher [8].

3. Albanian legal framework for Personal Data Protection

After the brief analysis given above of some of the most important concepts of the GDPR, this part of the paper is dedicated to the Albanian legal framework for Personal Data Protection. At the time being, Albania has a dedicated law for Personal Data Protection, Law nr. 9887 on Personal Data Protection, dated 10.03.2008, which was promulgated by decree number 5671 dated 21.03.2008. It acts as a legal framework for personal data protection and security in the Republic of Albania, and its territorial scope affects: (a) all data controllers located in the Republic of Albania; (b) all diplomatic missions or consular offices of the Albanian state; and (c) all data controllers who may not be located in Albania, but perform their activity through the use of any means located within the territory of the Republic of Albania.

Similar to the General European Regulation on Personal Data Protection (GDPR), in the Albanian legal framework there are also two main stakeholders, the Data Controller and the Data Processor, and for each of them the law clearly states the responsibilities and obligations in order to guarantee the protection and security of the subject’s personal data [10]. Furthermore, the legal framework also analyses the Data Subject, whose personal data are being collected, processed or saved by the Controller and the Processor. The Albanian legislation for personal data protection likewise states that the Data Subject has some fundamental rights which should be taken into consideration when processing the personal data, and the legal way in which it must be protected by the controllers and/or processors.

Personal Data Protection Commissioner

On the other hand, in the Albanian legal framework it is stated that the responsible and supervisory authority/institution for the lawful and fair processing of personal data is the Commissioner for Personal Data Protection, who contributes to the protection of the rights and freedoms of the citizens. The Commissioner’s main purpose is supervision of the process, and it is obliged to respect the principle of confidentiality even after the end of his/her duty. It acts as a mechanism to ensure the proper implementation of the protection and security of personal data. It is an independent authority, with full power, and has at its disposal all the necessary human and technical means and resources to ensure the protection required by European standards. Having said that, the collection, processing, storage and all the processes through which personal data passes must be based on some basic principles of justice and security.

According to Article 30 of the Law on Personal Data Protection, the Commissioner has the right to conduct an administrative investigation, to have access to the processing of personal data, as well as to collect all the information necessary for the performance of supervisory duties. It can also order the blocking, deletion or destruction of data, or even suspend the processing of personal data when the process is considered illegal. Moreover, in cases of serious, repeated or intentional violations of the law by a controller or processor, especially when his recommendations have not been implemented even after repeated warnings, the Commissioner may publicly denounce the case or report the matter to the Assembly and the Council of Ministers.

Albanian administrative fines in case of violation

As stated in the legislation, data processing must be based on the principles of justice, security and legality. In the same way, the Albanian legal framework also states that entities have their rights, which must be strictly respected by controllers and processors. In case the subject faces a violation of his rights, those responsible become subject to sanctions and administrative measures, which are intended to punish legal offenses. Since the controller is responsible for the data of a subject and its proper processing, it is the main stakeholder affected by fines. In case of violations, the authority responsible for assessing the situation and imposing fines is the Commissioner, which also attaches to the documentation all the necessary notifications about the violations by the controller of the obligations set by law. After that, within 30 days of the fine or of the notification that a violation has been committed, the controller has the right to appeal to the court; if this does not happen, within 30 days of the notification the offender must pay the imposed fine, the amounts of which are collected on behalf of the State Budget.

Furthermore, when it comes to the level of administrative fines applied to a controller which has conducted unfair processing of the personal data of a subject, the Albanian legal framework says that the lowest level of fines is 10 000 ALL, which is applied when controllers use personal data in contradiction with Chapter II of the Law, "Processing of personal data", while the highest level is calculated at around 50 000 ALL, applied when controllers do not fulfill the obligation to notify the subject, according to the definition in Article 21 of this law [10]. Surely, the maximum amount of a fine does not mean that the highest level of administrative measure is applied by default, because the exact level of the fine depends on many other factors, analysed by the Commissioner.

But what is the result of the Albanian legal framework for Personal Data Protection, and is it helpful enough to address all the recent challenges that technology has created, in the same way the GDPR has been for the European Union citizen? First of all, people are still not fully aware that their personal data is a very valuable asset that needs to be protected. Exposure to the web and cyberspace, or even the flow of information along the way, still causes Albanian citizens’ data to fall into the hands of unauthorized parties, and people still do not consider it a major problem. Last month, the media published details of a large database leak that contained the personal information of more than 910,000 voters. It included members of the public, journalists, members of civil society and well-known personalities, allegedly taken from the Civil Registry e-Albania and provided to the Socialist Party for use in the electoral campaign. The data included the subject’s ID number, name, father’s name, surname, date of birth, voting center, place of birth, residence code, list number, phone number, whether they are an emigrant and if so, which country, whether they are likely to vote for the Socialist Party, birthplace, employer, and their Patron. This is undoubtedly one of the biggest data breaches in the history of Albania, but the authorities have not identified any responsible person/party, stating that verifications are still being conducted. Furthermore, despite being part of the legislation, the Albanian legal framework for Personal Data Protection is not enough to bring helpful results for personal data security and privacy, because, compared to the GDPR, in the Albanian legislation the amount of fines reaches modest levels, and in case of violation it would cost a company less to pay the fine than to hire a professional/information security specialist responsible for data security and protection, who would provide persistent experience and assistance in that field.

4. Conclusions and future work

In this paper it was stated that the GDPR is the strictest regulation adopted so far to protect personal data and that, under certain circumstances, its global impact affects even companies and organizations outside the European Union. On the other hand, the Albanian law on protection of personal data is currently not sufficient to provide the necessary security and protection, and without the necessary changes and/or interventions it is not ready to face the changes of the European legislation. As a result, first of all I would recommend that for Albanian society the first step towards the necessary changes would be raising awareness on personal data protection. Moreover, the Albanian law on data protection is currently very old and cannot address the cyber security attacks of recent years, when technology is being developed rapidly. Thus, not only does the law need to be changed, but it must also follow the best international/European practices. Higher administrative fines and other strict sanctions similar to the GDPR would be a recommended solution.

5. Acknowledgements

I am very thankful to Prof. Assoc. Dr. Edlira Martiri for leading me in this research and for always supporting, helping and inspiring me to become a good professional in the Information Security field, since the beginning of my studies.

6. References

[1] Boardman R., Mullock J., Mole A., “Guide to General Data Protection Regulation”, Bird & Bird Publications, 2020
[2] Ingley C., Wells P., “GDPR: Governance Implications for Regimes outside the EU”, 14th European Conference on Management, Leadership and Governance, Victoria, Australia, 2018
[3] Sorensen J., Kosta S., “Before and after GDPR: The changes in third party presence at public and private European websites”, The World Wide Web Conference, 2019
[4] “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, Official Journal L 281, 23/11/1995 P. 0031–0050: EUR-Lex - 31995L0046 - EN (europa.eu)
[5] The e-Privacy Directive (Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 (OJ L 201, 31.7.2002, p. 37) and Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 (OJ L 364, 9.12.2004, p. 1)).
[6] “Reform of EU Data Protection rules”, European Commission: (europa.eu), 2012
[7] “The Territorial Scope”, Article 3, The General Data Protection Regulation, 2016
[8] “General conditions for imposing administrative fines”, Article 83, The General Data Protection Regulation, 2016
[9] “European Regulation (EU) 2016/679 (General Data Protection Regulation)” | https://gdpr-info.eu/
[10] Albanian Law nr. 9887 on Personal Data Protection, dated 10.03.2008: http://www.pp.gov.al/web/ligj_mbrojtja_e_te_dhenave_personale_40.pdf
