Data & Privacy · Albania
Data protection & privacy laws in Albania (2026)
Albania shaded by its data & privacy status
Albania enacted Law No. 124/2024 on 19 December 2024, published in Official Gazette No. 9 on 17 January 2025 and in force from 31 January 2025, replacing the 2008 Law No. 9887. The new law is fully harmonised with the EU GDPR (Regulation 2016/679) and the Law Enforcement Directive (2016/680), introducing GDPR-equivalent rights, obligations, and sanctions. The independent supervisory authority is the Commissioner for the Right to Information and Protection of Personal Data (IDP), which has shifted to assertive enforcement with a marked increase in fines in early 2026.
Key points
Law No. 124/2024 repeals Law No. 9887/2008 and mirrors GDPR structure including definitions of pseudonymisation, profiling, data minimisation, and sub-categories of sensitive data (biometric, genetic, health, criminal). Certain provisions, including Data Protection Impact Assessment requirements and prior consultation with the Commissioner, are deferred to take effect within two years of publication (by January 2027).
The Commissioner for the Right to Information and Protection of Personal Data (IDP) is an independent public legal entity elected by the Albanian Assembly for a seven-year term. It issues binding guidance, conducts inspections, and imposes administrative fines.
Controllers must notify the IDP of data breaches within 72 hours and notify affected data subjects when risks are high. Controllers and processors outside Albania must appoint a local representative. The general registration obligation with the Commissioner has been abolished, but prior authorisation remains mandatory for high-risk processing activities.
Council of Ministers Decision No. 347 of 19 June 2025 created the Electronic Registry of Data Protection Officers, requiring designated DPOs to be registered with the state database, aligning Albania's governance infrastructure with EU standards.
Financial penalties mirror GDPR tiers: up to 1 billion Albanian Lek (or 2% of global annual turnover) for lower-tier violations, and up to 2 billion Albanian Lek (or 4% of global annual turnover) for the most serious infringements such as unlawful processing of special categories of data.
In the first two months of 2026 alone, the IDP issued six fines — three times the total issued in the entire preceding year — signalling a decisive shift to proactive enforcement. The IDP also issued binding guidance on CCTV/video surveillance (Guideline No. 03, April 2025) and law enforcement processing (Guidance No. 05/2025, July 2025).
Timeline - major decisions & events
In the first two months of 2026 the Albanian Data Protection Commissioner issued six administrative fines — triple the total imposed in all of 2025 — signalling a decisive shift from advisory to assertive enforcement under Law No. 124/2024. Sectors targeted include IT providers, call centres, travel agencies, and medical centres.
EY Albania ↗The Commissioner adopted Instruction No. 07/2025 governing personal data protection in written, electronic, and audiovisual media, repealing rules dating to 2010–2012 and introducing a modern framework that balances press freedom with privacy rights in line with GDPR principles.
Karanovic & Partners ↗The Commissioner adopted Guidance No. 05/2025 to operationalise Law No. 124/2024 in law enforcement contexts, aligning national practice with EU Directive 2016/680 (the Law Enforcement Directive) and clarifying conditions under which competent authorities may process data for public order and national security purposes.
Karanovic & Partners ↗The Commissioner published Decision No. 1 listing countries deemed to offer adequate data protection — including all EU/EEA states and EC-recognised third countries — allowing free transfers to those jurisdictions without additional safeguards such as standard contractual clauses.
Karanovic & Partners ↗Albania's new data protection law became operative, introducing data protection by design and by default, mandatory DPIAs, Data Protection Officers, GDPR-equivalent sanctions (up to ALL 20 million or 4 % of global turnover), and GDPR-aligned definitions for biometric, genetic, and health data; select articles have a two-year transition period.
Albanian Information and Data Protection Commissioner (IDP) ↗Albania forwarded its instrument of ratification for the Amending Protocol to Convention 108 (CETS 223), becoming the 19th state to ratify the modernised treaty whose principles mirror core GDPR concepts; the ratification helped the protocol reach half the signatures needed for its own global entry into force.
Council of Europe ↗Iranian cyber actors deployed ransomware and disk-wiping malware against Albanian government systems, shutting down e-government services and exfiltrating sensitive personal data including identities of intelligence officers; Albania severed diplomatic ties with Iran in September 2022 — the first country ever to expel a foreign mission solely over a cyberattack.
CISA (U.S. Cybersecurity and Infrastructure Security Agency) ↗Albania's Parliament amended the 2008 data protection statute, expanding the definitions section and refining processing rules; this was the final substantive modification before the complete replacement in 2024, and left the framework without the key GDPR concepts of pseudonymisation, profiling, or data protection by design.
Albanian Information and Data Protection Commissioner (IDP) ↗The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) — the first binding international data protection instrument — came into force for Albania, establishing foundational international obligations that shaped the 2008 domestic law.
Council of Europe ↗Albania passed its inaugural data protection law, combining it with the right to information and placing oversight with the Ombudsman (Advocate of the People) rather than a dedicated authority; while rudimentary by later standards it established prior notification, consent requirements, and a personal data registry.
Refworld (UNHCR) ↗Albania - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →