
The Commissioner Has Started Fining: 5 Lessons from the January 2026 Decisions Every Business Must Know

Av. Orjon Nallbati · March 15, 2026 · 5 min read

On 30 January 2026, the Commissioner for Data Protection issued three sanctioning decisions against technology companies in Albania. For the first time under Law 124/2024, we have real fines. Here's what they tell us about the entire market.

For years, Albanian businesses have treated personal data protection as a formal obligation — something they would "get to when their turn came." On 30 January 2026, their turn came.

The Commissioner issued Decisions No. 02, 03, and 04 — respectively against Engineering Albania shpk, Instant AL shpk, and Sisal Albania shpk. All three are active commercial companies in the technology and IT services sector. All three were investigated with the same focus: technical-organizational measures and the ISMS.

I will not provide a technical summary of every decision. Instead, I will analyse the five practical lessons every Albanian business should draw from them.

Lesson 1: International group policies will not save you

Engineering Albania — part of Engineering Group Italia — argued that the group's privacy policies, published on eng.it, also covered the Albanian subsidiary.

The Commissioner rejected this argument entirely. Finding: the general policies of an international group do not fulfil the legal obligation if they do not reflect the identity of the local controller, specific activities, domestic legal bases, actual retention periods, and local processors.

What does this mean for you? If you are a subsidiary of a foreign group and rely on the parent company's policies — you have the same problem. You need a dedicated policy, in Albanian, referencing Law 124/2024.

Lesson 2: A draft is not a document

Some of the investigated companies submitted documents that were still in draft form — unsigned internal regulations, policies in "draft" version, procedures yet to be finalised.

The Commissioner's response was unequivocal: the submitted documentation does not meet the requirements of the law and does not produce legal effect.

This should come as no surprise. Before a court or an inspection, "I was planning to do it" has no evidentiary value. Only what you have done, signed, and implemented counts.

The common mistake: Many companies have their documents "80% ready." But 80% does not count. Either it is 100% — approved, signed, communicated to staff — or it does not exist.

Lesson 3: ISMS is not optional for large companies

All three decisions focused primarily on technical-organizational measures, with particular attention to the ISMS (Information Security Management System). This obligation stems from Instruction No. 47/2018 (now replaced by Instruction No. 08/2025) and requires a systematic approach to security, based on ISO 27001.

Having antivirus software and a firewall is not enough. The Commissioner requires: written security policies, incident management procedures, access control matrices (RBAC), and evidence of implementation.

Who is considered a "large entity"? Companies with more than 50 employees, or those processing sensitive data on a large scale, or those providing IT/BPO services to multiple clients. If you fall into this category, ISMS is not "nice to have" — it is a legal obligation.

Lesson 4: Training must cover Albanian law, not just GDPR

One of the most interesting findings: the Commissioner pointed out that staff training based solely on GDPR does not fulfil the obligation. Law 124/2024 has domestic specificities that are not covered by general European materials.

And this applies not only to the content. The Commissioner checks: is there an attendance list? Are there minutes? Is there evidence that the training actually took place?

In practice, many companies say "we've trained our employees" but have no proof. Before the Commissioner, promises have no value — documents do.

Lesson 5: Cooperation reduces the fine. Significantly.

In all three decisions, the Commissioner emphasised the "degree of cooperation" from the controllers and calculated the fine based on the minimum thresholds.

This means: when the Commissioner knocks on your door, your response matters. If you cooperate, submit your documentation, and demonstrate willingness to rectify the situation — the fine stays at the minimum. If you obstruct, delay, or refuse — the sanction increases according to the methodology of Instruction No. 06/2025.

The smart strategy: It is better to invest now in compliance than to pay a fine after an inspection. And if the inspection comes — cooperate fully. This is not weakness, it is strategy.

What to expect next

These three decisions are only the beginning. The Commissioner has demonstrated executive capacity — investigation orders were issued in September 2025, decisions arrived in January 2026, and the compliance deadline is 45 days. This timeline shows that the administrative machinery is functioning.

If you have a business in Albania and are not yet compliant with Law 124/2024, the time to act is not tomorrow. It is today.


Studio Ligjore — Av. Orjon Nallbati