On June 1, 2023, the Albanian data protection authority (IDP) published its decision in case No. 594/5 in which it imposed a fine of ALL 1,110,000 (approx. $11,809) on Posta Shqiptare SH.A, a postal service, for violations of the Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) (the Law) following an investigation. 

Background to the decision 

An administrative investigation was carried out regarding the collection, processing, storage, and security of personal data during the performance of activities by Posta Shqiptare. 

The IDP noted after the investigation that Posta Shqiptare operates in the postal services market and performs and offers financial and banking services and processes personal data for customers, employees, visitors, former employees, and job candidates, among others. Specifically for the personal data of former employees and job candidates, data is stored in physical and electronic archives and includes original, notarized, and photocopied documents including resumés, copies of identity cards, and proof of judicial status. Job candidate's personal data including name, surname, phone numbers, address, and education were stored in electronic archives. The IDP mentioned that all data was stored without specifying a specific term for storage or deletion. The IDP also highlighted that an investigation was conducted into the third-party electronic systems used by Posta Shqiptare to carry out its processing activities. 

Findings of the IDP 

The IDP stated that for the categories of data held by Posta Shqiptare, there must be a retention period that allows identification for a certain time, but no longer than is necessary to fulfill the purpose for which the data was collected as required by Article 5 of the Law. Once processing is completed, the data must be destroyed without further processing. As a result, the IDP determined that Posta Shqiptare failed to provide clear and detailed rules for the personal data it processed in violation of Article 5 of the Law.

The IDP also determined that Posta Shqiptare did not inform data subjects of all required details about data processing in violation of Articles 18, 21, and 22 of the Law. Regarding Posta Shqiptare contracts with data processors, the IDP determined that the contracts with data processors did not contain all necessary information regarding the obligations of both parties as required by Article 20 of the Law. Finally, the IDP mentioned that Posta Shqiptare did not take appropriate technical and organizational measures to protect personal data from illegal access from unauthorized persons, accidental destruction, or accidental loss in violation of Article 27 of the Law. 

Outcomes 

In light of the above violations, the IDP imposed a fine of ALL 1,110,000 (approx. $11,809) and also determined that Posta Shqiptare must:  

• conduct continuous audits on data collection and the operations of its systems;

• inform data subjects about the processing of personal data and update required notices;

• provide technical and organizational measures for the protection of personal data, methods of data processing, and rights of data subjects; and

• create and maintain an Information Security Management System (ISMS) for the protection of personal data.

Posta Shqiptare must complete the actions within the required deadlines and notify the IDP of measures taken.  

You can read the decision, only available in Albanian, here.