Print   

Unofficial translation

LAW

No. 8517, dated 22.07.1999

ON THE PROTECTION OF PERSONAL DATA

Based on articles 35 and 81 of the Constitution, upon the proposal of the Council of Ministers,

THE ASSEMBLY OF THE REPUBLIC OF ALBANIA

DECIDED:

CHAPTER I

GENERAL PROVISIONS

Article 1

Scope of the law

The scope of this law is to guarantee protection and legitimate use of personal data, and their treatment by public authorities.

Article 2

Definitions

The following terms shall be understood as follows:

Article 3

General Rule

The public may have access to personal data of an individual, only according to the manner and extent provided by this law.

Article 4

Exemptions

Provisions of this law shall not apply on the following cases:

CHAPTER II

PERSONAL DATA PROCESSING

SECTION I

Condition for the processing of personal data

Article 5

Modalities of personal data processing

Personal data processing shall be conducted:

Article 6

Notification of data subject

Prior to personal data processing, the person in charge of the data processing shall notify the data subject on:

Article 7

The Person in Charge of Data Processing

In order to effectively guarantee the fair processing of personal data, the person in charge of data processing and any other person involved with the processing shall me et certain requirements relating to experience, reliability and technical capacity.

Article 8

Other Persons in Charge of Data Processing

Every other person who deals with data processing shall be authorised in written by the person in charge for personal data, except in cases when their processing is required by law.

Other persons who deal with data processing, shall comply with all rules determined by the person in charge of data.

The person authorised for personal data processing cannot transfer this data to a third person.

Article 9

Security of data processing

The person in charge of data processing must implement appropriate technical and organisational measures to protect personal data against accident al or unlawful destruction or accidentalloss, alteration, unauthorised disclosure or access, in particular where the processing involves information technology and the transmission of data over a network, and against all other unlawful forms of processing.

In the case of sensitive data, such measures shall ensure a level of security proportional to the risk posed by the processing and the nature of these data.

SECTION II

Rights of the data subject

Article 10

Preliminary consent requirement

Personal data processing by other subjects shall only be permitted if the data subject has unambiguously given the consent.

The preliminary consent may be given to the entire processing procedure or to one or more parts of the said procedure.

The preliminary consent shall be valid only if it was given freely upon the condition that the data subject is notified in accordance with the requirements of article 6 of the present law.

In the case of sensitive personal data, the preliminary consent shall be deemed valid only if it was given in writing.

Article 11

Cases when preliminary consent is not necessary

The preliminary consent of the data subject is not necessary when one of the following conditions is fulfilled:

Article 12

Right of access to one 's own personal data

Every person has the right of access, at any time, in the processing of his/her personal data. The person in charge with the data processing and other persons involved in the processing of personal data shall provide any requested information to the data subject with 10 days from the day when the request was lodged.

Article 13

The data subject right to object

The data subject has the right to object any processing of his/her personal data, safe in the cases foreseen in articles 4 and 10 of the present law.

Any person is entitled to request the correction or deletion of false or inaccurate data or any other data that are collected in violation of the law.

The person in charge of data processing shall respond to the request of the data subject in a written form within 15 days from the day when the request was lodged.

In case the person in charge for the processing of personal data declines to accept the request of the data subject for their correction, then the data presented by the subject of this data is attached to data possessed by the person in charge and accompany them in every case of its processing.

Article 14

Transfer of personal data abroad

Personal data may only be forwarded from the Republic of Albania to a foreign user, in following case:

CHAPTER III

THE APPEAL

Article 15

Presentation of an appeal to People’s Advocate

Presentation of a complaint to the People's Advocate and his competencies in the field of personal data are regulated by Law No.8454, dated 04.02.1999, "On the People's Advocate. "

The People's Advocate creates a registry of personal data processing

Article 16

General rule

Violation of the provisions of this law, to the extent it does constitute a criminal offence, violation of administrative rules, and is regulated according to Law No.7697, dated 07.04.1993, "On Violation of Administrative Rules", with the necessary changes and additions.

Article 17

Administrative Appeal

Everybody who believes that his/her rights, as recognised by this law, are infringed, is entitled to lodge an administrative appeal.

The procedure for the administrative appeal is provided for by law.

Article 18

Judicial Appeal

Everybody who believes that his/her rights, as recognised by this law, are infringed, is entitled to lodge a judicial appeal.

The procedure for the judicial appeal is provided for by the provisions of the Code of Civil Procedure on judicial review of administrative disagreements.

Article 19

Compensation of the Damage

Everybody is entitled to seek compensation of the damage from subjects that violate the rights recognised by this law, when the mentioned violation constitutes a damage.

The procedure for the claiming and the awarding of the reparation is provided by law.

CHAPTER IV

TRANSITORY AND FINAL PROVISIONS

Article 20

Taking of technical-administrative measures for the implementation of this law

All subjects, whose activity is totally or partially related to the processing of personal data, within six months from the date this law enters into force, take all technical administrative measures to adjust and regulate their activity in accordance with this law.

Article 21

Entry into Force

The present law shall come into effect four months after its publication in the Official Gazette.

Proclaimed with the Decree No.2432, dated 28.07.1999 of the President of the Republic, Rexhep Meidani.