/ Basic info / Legal instruments / Annual Reports / Forum / News / Internet & Privacy / Contacts / Links
Albanian Office for Personal Data Protection


I. Basic info, comprising:

1.  The legal ground for the protection of personal data in your country

2. The legal position of your authority

3. The legal rights of your authority

4. Limitations of your authority

5. Contact information

II. National Legal Instruments Concerning Protection of Personal Data

III. Guidelines concerning privacy on the internet, if any were issued in your country.

Name and postal address of DPA

Albanian Office for Personal Data Protection

Address: Rruga Abdi Toptani, Nr. 4

Katii dyte, Tirana


The independent supervisory body was established in accordance with Chapter VIII of the Law “On Personal Data Protection” No.9887, dated 10 March 2008, which is in line with the 95/46/EC Directive. The Head of the Office, the Commissioner, was elected by the Assembly by decision no.211 dated 11.9.2008 and the internal structure or organization of the Office was approved by the decision of the Assembly no.225, dated 13.11.2008.

In its structure the Commissioner’s Office comprises the Commissioner, the Adviser, the Secretary and 5 Department: Legal Procedural Affairs and Foreign Relations Department (Director and 5 Legal Experts), Registration Department (Director and 4 Experts), Inspection Department (Director and 4 Legal Experts (Inspectors), Public Relations Department (Director, 1 Expert and 2 IT Experts) and Supporting Services Department (HR) (Director and 6 Staff Members). The majority of the workforce was hired from July 2009 and by January 2010 the Office has filled all 29 positions it was allocated by the Parliament.

The Law also decreed the establishment of The Commissioner for Personal Data Protection (Komisioneri për Mbrojtjen e të Dhënave Personale) as an independent state supervisory body acting as a public legal person, for the purposes of supervision of the legality of activities of personal data processing on the territory of the Republic of Albania. This independent authority has an independent budged, but financed by the State Budged and from various donations.

The Law apply to the processing of personal data by: a) Controllers established in the Republic of Albania; b) Diplomatic missions or consular offices of the Albanian state; c) Controllers who are not established in the Republic of Albania, making use of any equipment situated in the Republic of Albania; In circumstances stipulated in point (c), the controller designates a representative established in the territory of Albania. Stipulations of this law applying to controllers are also applicable to their representatives.It covers all sectors, all public and private controllers. This law does not apply to the processing of data by a natural person for purely personal or family purposes.

Title of law under which the Authority is constituted: Law “On Personal Data Protection” No.9887, dated 10 March 2008 (Article 29).The law is into force and it is a binding and enforceable law. The law was introduced by the Council of Ministers and approved by the Albanian Assembly. The amendments can be approved only by the Albanian Assembly. This law can be revoked only by the Albanian Assembly and by the Albanian Constitutional Court.  The law is in line with all three European instruments.

The Commissioner is elected by the Assembly upon a proposal of the Council of Ministers for a 5 year term eligible for re-election.

The Assembly shall determine the remuneration of the Commissioner, the organizational structure and remuneration for the employees of the Commissioner for the protection of personal data. These employees shall enjoy the status of civil servant.

The Commissioner has his own independent budget which is funded by the state budget and various financial donations.

The Commissioner:

1.He or she can be proposed to the Council of the Ministers, by the Prime Minister or a Minister;

2.The Council of Ministers verifies the incompatibility of the function with the candidate pursuant to the Law;

3.The Council of Ministers present the candidate to the Assembly and the candidature is checked for the incompatibility of the function by the Legal Committee;

4.The candidate is presented and discussed in the plenary of the Assembly and can be approved by open voting.

The Staff:

The staff (civil servants) is appointed upon specific Testing procedures foreseen by the Law No. 8549, dated 11.11.1999, “On civil status” and bylaws, and it is managed by the Human Resources Department (Supporting Services Department) of the Commissioner’s Office.

The independence of the Commissioner and its staff derives from the fact that it exercises its competences and it is capable to handle, tackle and decide upon issues without interventions and pressures from governmental authorities or natural persons. By means of such provisions, the values and principles upon which this institution operates are independence, impartiality, professionalism and confidentiality.

In accordance with the Directive 95/46/EC, the Commissioner is independent when:

- It is possible to deal with complaints of individuals;

- It has powers to investigate and intervene

- It is possible to supervise the government and private sector.

The Commissioner may be discharged by the Assembly.

The mandate of the Commissioner shall have an early termination when:

a) he is given a final court decision for committing a criminal offence;

b) he is absent from duty without justification for more than one month;

c) he resigns;

ç) a final court decision declares his ineffectiveness.

The Commissioner may be discharged by the Assembly when:

a) he fails to act in compliance with the provisions arising from this law or other legal acts;

b) he engages in activities that generate a conflict of interests;

c) cases of incompatibility with the function are identified.

When the post of the Commissioner is vacant, the Council of Ministers proposes to the Assembly the new nominee within 15 days. The Assembly elects the new Commissioner within 15 days upon receipt of the nomination.

Article 30

The rights

1. The Commissioner shall enjoy the right to:

a) conduct an administrative investigation, have access to personal data processing  and collect all necessary information with the view of fulfilling his supervisory obligations;

b) order for the blocking, erasure, destruction or suspension of the unlawful processing of personal data;

c) issue instructions prior to the data processing and ensure their publication;

2. In cases of recurring or intentional serious infringement of law by a controller or processor, especially in cases of recurring failure to carry out the Commissioner's recommendations, he acts in compliance with article 39 herein and may report the case publicly in accordance with his duties or report it to the Assembly and the Council of Ministers.

Article 21

Responsibility to notify

1. Every controller shall notify the Commissioner about the processing of personal data for which he is responsible. The notification shall be made before the controller processes the data for the first time, or when a change of the processing purpose notified earlier is required.

2. The processing of personal data the sole purpose of which is to keep a record, which in accordance with the law or sub-legal acts provides information for the public in general, is exempted from the obligation to notify the processing of data.

3. Data that are processed for the purpose of protection of the constitutional institutions, interests of national security, foreign policy, economic or financial interests of the state, prevention or prosecution of the criminal offences are exempted from the obligation to notify.

4. Other cases on which notification is not necessary are stipulated by a decision of the Council of Ministers.

Article 24

Prior Checking

  1. Authorization by the Commissioner is required for:

a)processing of sensitive data in accordance with Article 7, item 2, letter ‘c’ herein (it is authorized by the responsible authority for an important public interest);

b)processing of personal data in accordance with Article 9, item 1, herein (In cases other than those provided for in Article 8 herein, the international transfer of personal data with a state that does not have an adequate level of data protection, shall be carried out upon an authorization from the Commissioner).

  1. In cases when the data processing in compliance with point 1 herein is authorized by a legal provision, an authorization from the Commissioner is not required. 

Article 26

Publication of processing

1. As regards the data for which an authorization is required, a special decision is made and reflected in the register that is administered by the Commissioner and open for consultations by any person.

2.The register shall contain information according to Article 22 herein, except for the information according to Article 22 and letter ‘dh’ herein, which is not to be published.

3.Acontroller who is exempt from the obligation to notify shall at least make available information about his name and address, the categories of the processed personal data, the purposes of processing, the categories of recipients to which data are disclosed in an appropriate form to every person and in accordance with their request.

4.This article shall not apply to processing the purpose of which is to keep a record, which in accordance with the primary or secondary legislation provides information for the public in general.

Article 16

The right to complain

  1. Every person who claims that his rights, freedoms and legal interests concerning his personal data have been violated shall have the right to complain or to notify the Commissioner and to request his intervention to remedy the infringed right. Following this complaint, in accordance with the Code of Civil Procedure, the data subject may file a complaint in court.
  2. When the data subject has filed a complaint, the controller shall have no right to make  any changes to the personal data until a final decision ruled.


Article 39

Administrative offences

1. Cases of data processing in contradiction with the provisions of this law constitute an administrative offence and shall be subject to a fine as follows:

a) controllers who use personal data in contradiction with the Chapter II “Processing of Personal Data” shall be fined from 10 000 to 50 000 ALL;

b) controllers, who do not meet the obligation to inform, as specified in Article 18 of this law, shall be fined from  10 000 ALL to 30 000 ALL.

 c) controllers, who do not meet the obligations to correct or erase data, specified in Article 19 of this law, shall be fined from 15 000 ALL to 30 000 ALL;

ç) processors, who do not abide by obligations stipulated in Article 20 of this law, shall be fined from 10 000 ALL to 30 000 ALL

d) controllers, who do not meet the legal obligation to inform laid down in Article 21 herein, shall be fined from 10 000 ALL to 50 000 ALL;

dh) controllers or processors, who do not take the security measures specified in Article 27 of this law, shall be fined from 10 000 ALL to 15 000 ALL.

2. As regards the above offences, legal persons shall be fined double the figure for the fine specified in point 1 herein.

3. Maximum of the fine is doubled in cases of failure to comply with Article 16 point 2 and when the data are processed without an authorization pursuant to Article 31 point 1 (b).

4. Fines shall be imposed by the Commissioner when he finds that the obligations set forth in the law are infringed.

Article 31


1. The Commissioner shall be responsible for:

a) giving opinions on legal and sub legal acts concerning personal data;

b)authorizing in special cases the use of personal data for purposes not designated during the phase of their collection by observing the principles of article 5 of this law;

c) authorizing the international transfer of personal data in compliance to article 9 herein;

ç) issuing guidelines that regulate the length of retention of personal data according to their purpose in the activity of specific sectors;

d) ensuring the right to information and the exercise of the right to correct and update data;

dh) authorizing the use of sensitive data in compliance with Article 7 point 2 letter ‘c’ herein;

e) checking the processing of data in conformity with the law, upon request of a person when such a processing is exempted of the right to information and to inform the person that the check is carried out and whether the process is lawful or not;

ë) taking action regarding complaints of any private person for the protection of his/her private rights and freedoms in relation to the personal data processing and inform him/her on the progress;

f) issuing guidelines on security measures in the activity of specific sectors,

g) overseeing the execution of penalties;

gj) Preparing in cooperationthe of codes of ethics;

h) the publication and explanation of the rights related to the data protection and the periodic publication of his activities;

i) cooperating with the supervisory authorities on the personal data of foreign states regarding the protection of individuals who reside in those states;

j) representing the supervisory authority in the field of personal data protection in the national and international events; 

k) exercising other legal obligations.

2. The Commissioner shall create a register to document all notifications and authorizations that he performs in exercise of his powers in the field of personal data protection.

3. The Commissioner shall submit an annual report to the Assembly and reports in front of the Assembly when asked to do so. In addition he may ask to the Assembly to be heard for issues that he deems to be important.

Article 32

Obligation to Cooperate

1. Public and private institutions shall cooperate with the Commissioner providing all the information required by this institution for the fulfillment of its duties.

2. The Commissioner shall have the right to access computer and filing systems that process personal data and all the documentation related to their processing and transferring, with the view of performing his rights and duties as stipulated in the law.

URL: www.kmdp.al

In the near future our website will be available in Albanian and English Language.

Legal Approach

Approved Decisions of the Council of Ministers

For the implementation of the law for the Personal Data Protection and the functioning effectively of the Institution, are drafted by the Commissioner’s Office and approved by the Council of Ministers the Decisions:

  • No.  934, dated 2.09.2009 “For the determination of the States with adequate level of the data protection”. Drafting this decision was an obligation of article 8, Law nr. 9887, dated 10.03.2008 on the “Personal Data Protection”.
  •  No. 1232 dated 11.12.2009 “On defining the cases for exemptions from the duty to notify the personal data processed”, as the obligation set forth in Article 21, point 4 of the law.

Drafting and approval of Commissioner’s Acts:

  • Commissioner’s office Internal regulation, which sets rules for organizing and functioning of the Office, as well as the competences, rights and obligations of the employees of the Commissioner’s Office, approved by the Commissioner’s Order No. 48, dated 31.07.2009;
  • Commissioner’s office Code of Ethics, which foresees rules on conduct of the employee of the  Commissioner’s Office, approved by the Commissioner’s Order No. 49, dated 31.07.2009;
  • By the Order of the Commissioner No. 67, dated 02.10.2009, acts of the Inspection Department on audits and inspection procedures have been approved, such as: Complaint Form; Order for Inspection; Minutes (Process-verbal) of the Administrative Inspection; Decision on Administrative Offences;
  • “Notification Form” and “Guidelines for completing the Notification Form”, for public and private data controllers, for fulfilling the obligation to notifying to the Commissioner’s Office, approved by the Commissioner’s Order No. 66 dated 01.10.2009;
  • Based on Law No. 9367, dated 7.04.2006 "On the prevention of conflict of interest in the exercise of public functions", was drafted a Regulation "On preventing conflict of interest in the exercise of public functions in the Institution of the Commissioner for Personal Data Protection”, approved by the Commissioner’s Order No. 112 dated 24.12.2009;
  • Decision of the Commissioner No. 1, dated 04.03.2010 “On detailed rules for the security of personal data”;
  • Decision of the Commissioner No. 2, dated 10.03.2010 “On Procedures for the administering of the data registration, data entry, their processing and disclosure” (point 6 of Article 27);
  • Guidance No. 1, dated 19.02.2010 “On the permission of several categories of international transfers of personal data to a state, which does not have an adequate level of protection of personal data” (point 3 of Article 9);
  • Guidance No. 2, dated 25.02.2010 “On measures to be assumed from the categories of controllers before the processing of data to be performed” (letter “c”, point1 of Article 30);
  • Guidance No. 3, dated 05.03.2010 ”On processing personal data by Systems of Recording and Monitoring Video Cameras (CCTV) in premises, bars and other environments”.
  • Guidance No. 4, dated 16.03.2010 “On Security measures for personal data in the Education Field”;
  • Guidance No. 5, dated 16.03.2010 “On basic rules for personal data protection in the Healthcare System;
  • Guidance No. 6, dated 26.05.2010, “On proper usage of SMS for promotional purposes, information, adverts and direct marketing by Mobile Telecommunications”;
  •  Guidance No. 7, dated 09.06.2010, “On personal data processing in the Education Field”.
  • The Commissioners Office has prepared and published online a special “Package on Protection of Privacy in relation to the usage of Social Networks”.

  The administrator of this web site is:
Inspector General for the Protection of Personal Data
ul. Stawki 2; PL-00-193 Warszawa
Phone: +48 (22) 531 03 00, Fax: +48 (22) 531 03 01, e-mail: kancelaria@giodo.gov.pl