“Albania” “Personal Data Security”

Alketa Koja
PR Specialist of the Commissioner for Personal Data Protection
ALBANIA

Personal Data Security: The Law

The Data Controller shall take measures in order to protect personal data (art. 27 of the Law on Data Protection). Also, the Data Controller should:
• Instruct all operators concerning their obligations, in conformity with this law and the internal regulations on data protection, including the regulations on data security;
• Personal data and their software shall be accessed only by authorized persons;
• Prohibit access to the filing system and its use by unauthorized persons;
• Record and document the alteration, rectification, erasure, transfer, etc.

The Cases

Ex officio inspection: Regional Hospital of Vlora
Personal data security

The Violations
• Personal medical records stored in unsuitable environments.
• Central data register with no restriction on access.

How did the Commissioner deal with this case?

The Recommendations of the DPA:
• To provide safe environments with limited access to the files of the personal data subjects.
• To ensure that folders with sensitive personal data of data subjects are kept in appropriate locations.
• To take measures for employees to access the computers at the user level (not administrator) via an appropriate "username" and "password".

The Cases

Ex officio inspection: Kukes Municipality
Personal data security

The Violations
• The lack of internal regulation on the protection of personal data.
• The use of personal email for official communication.
• No regulated access to the file system.

How did the Commissioner deal with this case?

The Recommendations of the DPA:
• To take measures in order to write and approve an internal regulation specific to data protection.
• To take measures regarding communication through official electronic mail (e-mail), by applying the "Rules for the use of email in Public Administration", approved by the National Information Society Agency (NISA).
• To take measures for employees to access the computers at the user level (not administrator) via an appropriate "username" and "password".

The Cases

Inspection based on a compliance. The second inspection at this personal data controller.
The Albanian electricity distribution service
Personal data security

The Violation:
• No specific consent for marketing purposes.

How did the Commissioner deal with this case?

The Decision of the DPA
• Huge amount of personal data collected, ignoring the Data Protection Law.
• Personal Data Controller very well informed about the Law, due to its continuing relationship with the Authority.
• The DPA decided to set a fine for this Data Controller.
• The Data Controller objected to the decision of the Commissioner in the Court.

Thank you for the attention! Hvala!

Komisioneri për Mbrojtjen e të Dhënave Personale
The Commissioner for Personal Data Protection
Address: Rr. “Abdi Toptani” Nr. 4, Tiranë
Email: info@kmdp.al
Tel: +355(4)2237200