No. 8517, dated 22.07.1999
ON THE PROTECTION OF PERSONAL DATA
Based on articles 35 and 81 of the Constitution, upon the proposal of the Council of Ministers,
THE ASSEMBLY OF THE REPUBLIC OF ALBANIA
Scope of the law
The scope of this law is to guarantee protection and legitimate use of personal data, and their treatment by public authorities.
The following terms shall be understood as follows:
a) Personal data - shall mean any data ofan identified or identifiable person from this data directly or indirectly;
b) Personal sensitive data - shall mean such data as:
- racial and ethnic origin, political opinion or affiliation, religious and other convictions;
- health conditions, sexual life and criminal records.
c) Data processing - shall mean any act carried out with or without support of electronic equipment for the accumulation, registration, organisation, protection, elaboration, modification, selection, extraction, confrontation, use, suspension, communication, distribution, deletion, destruction, as well as any other act with regard to the data;
ç) Personal data subject - shall mean every individual person to whom the personal data relates;
d) Person in charge of data processing - shall mean every individual person legally entrusted with the processing of personal data of others;
dh)Data user - shall mean any individual person, other than the data subject, authorised for the processing of data by the person in charge of data processing.
e) Anonyrnous data - shall mean any data whereby no legal or natural person can be identified directly or indirectly;
ë) Public - shall mean at least one natural or legal person, domestic or foreigner.
The public may have access to personal data of an individual, only according to the manner and extent provided by this law.
Provisions of this law shall not apply on the following cases:
a) Processing of personal data from the data subject itself;
b) Processing of anonymous data;
c) Personal data obtained in the course of criminal investigations and court proceedings;
ç) Processing of data classified state secret;
d) Processing of data for the purposes of national security, crime prevention and protection of public health
dh) Processing of data for the purpose of population's registration.
PERSONAL DATA PROCESSING
Condition for the processing of personal data
Modalities of personal data processing
Personal data processing shall be conducted:
a) as provided by this law;
b) with a definite, clear and legitimate purpose;
c) in an accurate way and making use of updated data;
ç) without exceeding the scope they are processed and not for a longer period than it is necessary to achieve the purpose of processing;
d) through creating conditions that protect them from damages;
dh) making use of only such data that are relevant and necessary for the accomplishment of the original purpose;
Notification of data subject
Prior to personal data processing, the person in charge of the data processing shall notify the data subject on:
a) the name and address of the person in charge of data processing as well as all other persons who will process the data;
b) the purpose or purposes of the processing;
c) a description of the category or categories of personal data to be processed;
ç) the recipients or categories of recipient to whom the data might be disclosed;
d) possibility of transfer of data to third countries;
dh) a general description on the security of processing.
The Person in Charge of Data Processing
In order to effectively guarantee the fair processing of personal data, the person in charge of data processing and any other person involved with the processing shall me et certain requirements relating to experience, reliability and technical capacity.
Other Persons in Charge of Data Processing
Every other person who deals with data processing shall be authorised in written by the person in charge for personal data, except in cases when their processing is required by law.
Other persons who deal with data processing, shall comply with all rules determined by the person in charge of data.
The person authorised for personal data processing cannot transfer this data to a third person.
Security of data processing
The person in charge of data processing must implement appropriate technical and organisational measures to protect personal data against accident al or unlawful destruction or accidentalloss, alteration, unauthorised disclosure or access, in particular where the processing involves information technology and the transmission of data over a network, and against all other unlawful forms of processing.
In the case of sensitive data, such measures shall ensure a level of security proportional to the risk posed by the processing and the nature of these data.
Rights of the data subject
Preliminary consent requirement
Personal data processing by other subjects shall only be permitted if the data subject has unambiguously given the consent.
The preliminary consent may be given to the entire processing procedure or to one or more parts of the said procedure.
The preliminary consent shall be valid only if it was given freely upon the condition that the data subject is notified in accordance with the requirements of article 6 of the present law.
In the case of sensitive personal data, the preliminary consent shall be deemed valid only if it was given in writing.
Cases when preliminary consent is not necessary
The preliminary consent of the data subject is not necessary when one of the following conditions is fulfilled:
a) when the processing of data is necessary for the fulfilment of a contract in which the data subject is a party or conducts acts for his entrance into a contractual relationship;
b) when the processing of data is necessary for the fulfilment of a legal obligation pending on the data subject;
c) when the processed data are extracted by public registries, lists, acts or other publicly known documents;
ç) when the processing of data is necessary for safeguarding life and physical integrity of the data subject or of a third person, provided that the data subject is unable to provide his/her consent due to physical or legal impediment;
Right of access to one 's own personal data
Every person has the right of access, at any time, in the processing of his/her personal data. The person in charge with the data processing and other persons involved in the processing of personal data shall provide any requested information to the data subject with 10 days from the day when the request was lodged.
The data subject right to object
The data subject has the right to object any processing of his/her personal data, safe in the cases foreseen in articles 4 and 10 of the present law.
Any person is entitled to request the correction or deletion of false or inaccurate data or any other data that are collected in violation of the law.
The person in charge of data processing shall respond to the request of the data subject in a written form within 15 days from the day when the request was lodged.
In case the person in charge for the processing of personal data declines to accept the request of the data subject for their correction, then the data presented by the subject of this data is attached to data possessed by the person in charge and accompany them in every case of its processing.
Transfer of personal data abroad
Personal data may only be forwarded from the Republic of Albania to a foreign user, in following case:
a) when the data subject has given a written consent;
b) when is permitted by law;
c) when the conditions of data processing, as defined with by the present law, are satisfied by the foreign jurisdiction where the user operates.
Presentation of an appeal to People’s Advocate
Presentation of a complaint to the People's Advocate and his competencies in the field of personal data are regulated by Law No.8454, dated 04.02.1999, "On the People's Advocate. "
The People's Advocate creates a registry of personal data processing
Violation of the provisions of this law, to the extent it does constitute a criminal offence, violation of administrative rules, and is regulated according to Law No.7697, dated 07.04.1993, "On Violation of Administrative Rules", with the necessary changes and additions.
Everybody who believes that his/her rights, as recognised by this law, are infringed, is entitled to lodge an administrative appeal.
The procedure for the administrative appeal is provided for by law.
Everybody who believes that his/her rights, as recognised by this law, are infringed, is entitled to lodge a judicial appeal.
The procedure for the judicial appeal is provided for by the provisions of the Code of Civil Procedure on judicial review of administrative disagreements.
Compensation of the Damage
Everybody is entitled to seek compensation of the damage from subjects that violate the rights recognised by this law, when the mentioned violation constitutes a damage.
The procedure for the claiming and the awarding of the reparation is provided by law.
TRANSITORY AND FINAL PROVISIONS
Taking of technical-administrative measures for the implementation of this law
All subjects, whose activity is totally or partially related to the processing of personal data, within six months from the date this law enters into force, take all technical administrative measures to adjust and regulate their activity in accordance with this law.
Entry into Force
The present law shall come into effect four months after its publication in the Official Gazette.
Proclaimed with the Decree No.2432, dated 28.07.1999 of the President of the Republic, Rexhep Meidani.