Data Protection in Albania

Online privacy in Albania

The Data Protection Law does not provide for regulatory measures targeting cookies. Accordingly, the general data protection rules, as provided for by the Data Protection Law apply to online privacy as well. 

Although there are no specific regulatory measures under the data protection regulatory framework, the Commissioner has tried to provide some clarifications on the notion of cookies and on their use, albeit in a minimalist way. 

The Commissioner has defined the cookies in an online dictionary as some data stored on the computer, which contain specific information. This rudimentary definition is further complemented by a short explanation which states that cookies allow any server to know what pages have been visited recently, just by reading them. 

In addition, the Commissioner has issued an opinion (which is slightly dated and as mentioned above does not have a binding effect on the data controllers) on the protection of personal data on the websites of public and private controllers. In this opinion the Commissioner reminds the data controllers on their obligations per the Data Protection Law and on the rights of data subjects, which apply to online personal data collection: 

  • The right to be fully informed and to give their approval if a website (or an application) processes their data;
  • The right to keep their online communications secret (including email, the computer's IP or modem No.);
  • The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
  • The right to request that their personal data to be excluded from data processing for direct marketing if they have not given their consent. 

Furthermore, in this opinion the Commissioner emphasizes the importance for data controllers to adopt privacy policies, which should include, inter alia:

  • The identity of the controller;
  • The information collected from the users, specifying the category of personal data;
  • Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use. 

In addition to the above, it should be noted that the Electronic Communication Law (articles 124 -126), introduces rules on the processing of location data. 

Under these rules, electronic communication providers may process traffic data only as long as such data is necessary for the purpose of the transmission of the communication’s transmission and thereafter must delete such data or render them anonymous. 

Electronic communications service providers must provide in the contract entered into with the user details on the storage, the duration and the manner of processing of the traffic data. The Electronic Communication Law provides that these traffic data can be processed only by the relevant persons which are authorized by the electronic communications service providers, namely those who are responsible for billing or traffic management, customer service, marketing, fraud detection, or the provision of added value services, provided that the processing of traffic data should be limited only to the scope of their respective activity. 

In addition, the Electronic Communication Law provides that the processing of location data can be carried out for the duration value added services and only if the data is rendered anonymous or if the user has granted their prior consent, which consent may be revoked at any time. 

Prior to obtaining the consent of the users, the electronic communications service providers must provide information on: 

  • the type of location data to be processed;
  • the purposes and duration of processing;
  • the possibility that the location data be shared with third parties, for value-added service purposes. 

The location data can be processed only by the relevant persons which are authorized by the electronic communications service providers, namely those who are responsible for the provision of the service or by third parties which are responsible for the provision of added value services, provided that the processing of traffic data should be limited only to the scope of their respective activity.

Continue reading

  • no results

Previous topic
Back to top