Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

As Albania moves to join the European Union, it is taking significant steps to bring its laws as close as possible to those of EU member states. These efforts aim to address numerous legal gaps in several areas, which, until recently, lacked regulation consistent with the European context.

Albania is currently recognized as a candidate country for EU membership and is in negotiations to join the EU, which includes aligning Albanian laws with EU standards. Law No. 124/2024 on personal data protection, which passed in December 2024 and entered into force in February 2025, is important in the harmonization process as it significantly changes the national legal framework.

The law repeals the Law on the Protection of Personal Data, Law No. 9887/2008, and continues the process of harmonization with EU law. The official text states the new legislation is "fully aligned" with the EU General Data Protection Regulation and Law Enforcement Directive.

While there are certainly similarities between Albania's law and the GDPR, Law No. 124/2024 does slightly differentiate itself from the EU regulation.

From scope to sanctions: Albania's approach to EU data protection standards

Albania's law mirrors the GDPR in terms of objective, purpose and definitions.

When it comes to material and territorial scope, Albania has fully embraced the same criteria used by the EU. In practice, this means the law applies to data controllers and processors established in the country, regardless of whether their processing takes place in Albania.

In other words, Albanian companies working for or with foreign companies are subject to the law even in cases where they do not process data of people located in Albania. For example, an Albanian telemarketing provider offering services to Italian companies remains subject to the law, even if all of their data subjects are in Italy.

Moreover, the law incorporates key EU data protection principles, notably in Articles 6 and 23. It grants data subjects essentially the same rights established under the GDPR, including the right to be informed and the corresponding duty of the controller to provide transparent information.

It is worth noting a difference between Albania's law and the GDPR regarding the timeframe for handling data subject requests. Taking into account the complexity and number of requests received, the one-month response period under the GDPR may be extended by two months for a total of three months, whereas under Albania's law — for consistency with national administrative laws — the 30-day response period may be extended up to 60 days. Controllers and processors, especially companies within international corporate groups, must consider this difference when drafting appropriate policies and procedures.

Controllers and processors operating under Albania's jurisdiction are also bound by obligations similar to those under the GDPR. These include obligations concerning the management of personal data breaches, responses to data subjects' rights requests, the conduct of risk and data protection impact assessments, and the appropriate implementation of safeguards for international personal data transfers.

Obligations under Albania's law for maintaining and updating records of processing activities follow Article 30 of the GDPR. Article 27(1) of Albania's law recognizes ROPAs as a tool that should provide information in compliance with the law.

There is a noteworthy divergence from the GDPR's wording, however. Albania's law appears to require that the record only include security measures implemented at the controller's premises — Article 27(1)(f) — and the processor's premises — Article 27(2)(d)(h). To be precise, the reference in paragraph 1(f) mentions the processor rather than controller, a mere drafting error. Aside from this, the term premises must be interpreted broadly within the provision.

Articles 33 and 34 of Albania's law regulate the role and responsibilities of the data protection officer, who is given the same tasks as those attributed to a DPO under the GDPR. Furthermore, Article 34 introduces the possibility of organizing a network of DPOs to operate in coordination with the Right to Information and Personal Data Protection Commissioner. It is also specified that DPOs shall be designated based on certified professional qualities, which are not specified.

The commissioner's tasks and powers, under Articles 81–83, substantially replicate the tasks and powers given to member states' data protection authorities by the GDPR. Similar remedial tools are also offered to data subjects under Articles 86–91, though with some peculiarities.

Albania's new law significantly strengthens the country's sanctions regime, almost exactly replicating the content of Article 83 of the GDPR. Data controllers and processors who violate the law may face financial penalties. In cases deemed less serious, fines may reach up to ALL1 billion or up to 2% of the total annual global turnover for the previous financial year.

Violations deemed more serious and those violating certain obligations to cooperate with the commissioner may see fines of up to ALL2 billion or up to 4% of the total annual global turnover for the preceding financial year.

It remains to be seen what the commissioner's approach will be in imposing financial penalties and determining amounts. It goes without saying that genuine alignment with the EU's data protection framework also requires consistency in the approach to sanctions. Article 94(4) of Albania's law requires that the commissioner establish guidelines — based on those adopted by the European Data Protection Board — for conditions on imposing penalties.

Entry into force and final considerations

Albania's law entered into force in February 2025. Several key provisions will take effect in January 2027, including those related to communicating data breaches to data subjects, codes of conduct, and the processing of personal data by authorities for public or national security and the prevention and prosecution of criminal offenses.

Albanian companies have two years to achieve full compliance with the law and consequently adjust internal processes, policies and procedures.

Giovanni Ferorelli, CIPP/E, CIPM, is a lawyer at Studio Legale Lisi and RBT Legal in Italy. 

Vincenzo Lagonigro is a lawyer at Smart Law Studio Legale, also based in Italy.