Aligning EU standard in Albanian data protection legislation

To achieve its ambition towards integration into the European Union, which has been often a complex process, Albania has undertaken significant initiatives towards the fulfillment of the objectives set in 2006 through the signing of the Stabilization and Association agreement and the annual recommendations of the European Commission. In July 2022, Albania officially opened negotiations to become part of the EU, thus materializing the efforts started 16 years ago. Among the key objectives of this process is the alignment of local legislation with EU acquis, a process guided by the recommendations of the European Commission. This paper will focus on the process of approximation of legislation in the field of personal data, which is a well-known and consolidated concept in the European Union, through the General Data Protection Regulation (GDPR). The GDPR guarantees the highest processing security and the use of personal data for European citizens, as well as Directive 2016/680 of the Parliament and of the European Council. The process of approximation of the legislation in this sector is also dictated by the recommendations made by the European Commission, which has emphasized that Albania should improve the process of personal data protection by taking the necessary legal measures to revise the legislation in force in full compliance with the EU acquis. Secondly, through this study we aim to address the concept of “the right to be forgotten”, a concept enshrined in EU law but not yet incorporated into Albanian legislation. This right allows individuals to request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected, or when they withdraw consent. The absence of this provision in Albanian law poses challenges for individuals seeking to exercise this right and creates inconsistencies with the EU's data protection standards. Another topic that this paper presents is the treatment of penal data under Albanian law that is also connected with the right to be forgotten, a subject of significant concern given its implications for privacy and data protection. Penal data, which includes information related to criminal convictions and offenses, is subject to stringent rules under EU law to prevent misuse and ensure adequate safeguards. The study highlights how Albanian legislator need to adapt those standards, not only in the new data protection law, but also by amending certain articles of the Criminal Code and Criminal Procedural Code, to guarantee its individuals’ privacy and rights. Finally, the paper analyzes relevant EU case law that addresses the aforementioned topics. Key cases are reviewed to elucidate the interpretation and application of the right to be forgotten and the handling of penal data within the EU legal framework, that will serve as a benchmark for assessing Albania's legislative gaps and to prepare it for the implementation of the new law that is going to be adopted by the Parliament.