Overview
Albania is steadily building a mature, GDPR-aligned data protection ecosystem, and the law enforcement sector is no exception. A newly adopted Joint Instruction No. 36, dated 27 February 2026, issued by the Ministry of Interior and the Albanian Data Protection Commissioner, establishes a comprehensive framework governing how the State Police collect, use, store, and share personal data.
A Structured and Risk-Based Approach to Police Data
The Instruction applies to all personal data processing carried out by the State Police, whether manual or electronic, strictly for policing purposes. It introduces a clear categorisation of data processed, ranging from basic identification and contact details to highly sensitive categories such as biometric, health, criminal, and even social and behavioural data (e.g., visited locations or associations).
Notably, the breadth of data categories reflects a risk-based approach, acknowledging the operational realities of modern policing, while simultaneously raising the bar for compliance and safeguards.
Reinforcing Core Data Protection Principles
The Instruction explicitly anchors police data processing in the principles of lawfulness, necessity, and proportionality, as set out in the national data protection law. This is an important alignment, ensuring that law enforcement activities remain subject to fundamental rights protections, even in sensitive or high-risk contexts.
In practice, this means that the Police must be able to always demonstrate that personal data processing is justified, limited to what is necessary, and carried out for legitimate purposes.
Enhanced Accountability and Traceability
One of the most impactful aspects of the new framework is the strict documentation and logging obligation. Every data processing operation must be recorded in a way that allows verification of:
- the purpose and timing of the processing;
- the identity of the person accessing or disclosing the data;
- the recipients of the data.
This introduces a level of traceability comparable to GDPR standards and significantly strengthens auditability and oversight.
Security Measures and Internal Controls
The Instruction requires the implementation of robust technical and organisational measures, including:
- secure electronic systems with audit trails;
- restricted access based on authorisation;
- staff training on confidentiality and data protection;
- physical and IT security safeguards.
Additionally, the introduction of confidential reporting mechanisms (whistleblowing channels) for data protection violations marks an important cultural shift toward internal accountability and compliance.
Data Subject Rights – With Law Enforcement Nuances
Individuals whose data are processed by the Police retain key rights, including access, correction, and erasure. However, these rights may be restricted where necessary for law enforcement purposes, in line with the limitations permitted under the national data protection law.
This reflects a balanced approach between individual rights and public security needs.
Why This Matters
This Instruction signals a clear intention by Albanian authorities to operationalise data protection within law enforcement, moving beyond high-level legal provisions to concrete, enforceable procedures. Organisations should take this as a signal to reassess their own compliance frameworks, particularly around documentation, accountability, and sensitive data handling.
FAQ
What is Albania’s Joint Instruction No. 36?
It is a framework issued on 27 February 2026 that sets rules for how the Albanian State Police can collect, use, store, and share personal data.
Who must follow these rules?
All personal data processing carried out by the State Police, whether manual or electronic, strictly for policing purposes.
What types of personal data are affected?
Data ranges from basic identification and contact details to sensitive categories like biometric, health, criminal, social, and behavioural data.
How does it improve accountability?
All processing must be documented, recording purpose, timing, user access, and data recipients, enhancing traceability and auditability in line with GDPR principles.
What rights do individuals have?
Individuals can access, correct, or request deletion of their data, though these rights may be limited for legitimate law enforcement purposes.
Conclusion
Albania’s Joint Instruction No. 36 strengthens GDPR-aligned data protection in policing. It sets clear rules, accountability measures, and safeguards for sensitive personal data, signalling a commitment to transparency and compliance.
The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.
