Legislation Update: Albania

Albania Introduces New Guidance on Law Enforcement Data Processing

In July 2025, the Albanian Data Protection Commissioner adopted Guidance No. 05/2025 on the Processing of Personal Data by Competent Authorities (“Guidance”), marking an important step toward operationalising Law No. 124/2024, Albania’s GDPR-aligned data protection law. This guidance introduces essential obligations for authorities tasked with maintaining public order and national security, such as the police, prosecution, courts, and other public bodies involved in crime prevention or investigation.

While the concept of data protection in law enforcement isn’t new, this Guidance clarifies responsibilities and strengthens safeguards at a time when surveillance, profiling, and inter-agency data exchange are more prevalent than ever.

What’s New and Why It Matters

The Guidance addresses how personal data must be processed when used for criminal justice and public security purposes, an area where individuals’ rights are particularly vulnerable to being overlooked. It ensures that the use of data for law enforcement is not a legal “black box,” but subject to clear rules, oversight, and consequences.

Notably, the Guidance applies not only to traditional law enforcement actors but also to any institution granted public powers for crime-related functions, including local authorities engaged in administrative enforcement that borders on penal measures.

Key Obligations for Authorities

Authorities processing personal data under these functions must now:

  • Appoint a Data Protection Officer (DPO) responsible for advising on compliance and acting as a liaison with the public and the Commissioner.
  • Apply data protection principles rigorously, including lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability.
  • Maintain processing logs and risk assessments, especially when handling sensitive data or using technologies that could significantly affect individuals (e.g., facial recognition, behavioral profiling).
  • Limit access and sharing to what is strictly necessary, based on clear internal protocols and secure systems.

Extra Caution Required for Sensitive Data

The Guidance sets higher standards when it comes to sensitive categories, such as racial or ethnic origin, political opinions, biometric or genetic data, health information, and sexual orientation. These types of data demand “double-lock” controls, including physical separation, dual-authorisation, and use of protected systems. Profiling based on such data must be documented and justified.

Data Subjects’ Rights

While individuals’ rights to access and rectification may be limited for legitimate investigative reasons, this does not mean they disappear. Any restriction must be proportional, justified, and documented. Individuals retain the right to appeal to the Commissioner, who serves as an independent safeguard.

This strikes a crucial balance: protecting the integrity of investigations without stripping individuals of meaningful oversight over their data.

Cooperation, Traceability, and Security

Given the growing interdependence of public databases, the Guidance emphasises that data sharing between institutions must be traceable and confidential. All actions must leave a digital footprint, and unauthorised access or transmission must be preventable and punishable.

In case of breaches, authorities must notify both the Commissioner and the affected individuals, restoring transparency and enabling redress.

Internal Whistleblowing Channels

A particularly innovative feature is the requirement for secure internal reporting mechanisms. Staff who observe data misuse, such as the unauthorised sharing of detainees’ personal data via messaging apps, must be able to report it safely and confidentially. Options range from encrypted emails to physical drop-boxes and digital portals.

Deleting What’s No Longer Needed

Authorities must define time limits for retaining data and ensure deletion or anonymisation once it is no longer necessary. This includes data related to acquitted individuals, rehabilitated offenders, or completed investigations. Special rules apply to minors and elderly individuals, with periodic reviews mandated.

A Call to Action

This Guidance is more than a technical compliance document; it is a legal and ethical shift toward accountable governance in the age of data-driven enforcement. It requires public authorities to embed privacy in their workflows, train personnel, secure systems, and respect the fundamental rights of individuals, even when investigating them.

 

The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.