
Law 124/2024: What Your Business Actually Risks If It Doesn't Act

Av. Orjon Nallbati, March 10, 2026, 3 min read

In January 2026, the Commissioner for Data Protection fined three companies in a single day. No one can say "nobody enforces it" anymore. Here's what you need to know — and what you need to do.

Law No. 124/2024 "On the protection of personal data" entered into force, replacing the old law. Most Albanian businesses treated it as a formality. The Commissioner showed in January 2026 that it is not.

On 30 January 2026, the Commissioner issued three fining decisions — against Engineering Albania, Instant AL, and Sisal Albania. Three technology companies, three fines, one message: the era of "we'll get around to it" is over.

I am not speaking about the law in the abstract. I am speaking about concrete fines imposed on real commercial entities in Tirana. If you run a business that holds client, employee, or supplier data — this article is for you.

Four things the Commissioner checks before anything else

From the January 2026 decisions, the inspection priorities are clearly identifiable:

1. Privacy policies on your website

The Commissioner has been explicit: a general policy from an international group is not sufficient. You need a dedicated policy, in Albanian, with the identity of the local controller, specific legal bases, and actual retention periods. Engineering Albania was fined precisely for this.

2. Internal regulations (a draft is not enough)

Instant AL submitted documents that were still in draft form. The Commissioner's response: drafts do not produce legal effect. The document must be approved, signed, and communicated to employees.

3. ISMS (Information Security Management System)

For large companies, the Commissioner requires an ISMS based on ISO 27001. It is not enough to say "we have a firewall." Written security policies, incident management procedures, and documented access controls are required.

4. Staff training — under Albanian law

Training based solely on GDPR is not sufficient. Specific training on Law 124/2024 is required. The Commissioner verifies attendance lists and minutes.

How large are the fines?

The law provides for two tiers of sanctions:

Article 94, paragraph 1: Up to 1 billion ALL or 2% of annual global turnover — for violations of organizational obligations (RoPA, ISMS, notifications).

Article 94, paragraph 2: Up to 2 billion ALL or 4% of annual global turnover — for violations of fundamental principles (legal basis, data subject rights, information duties).

In the January decisions, the Commissioner calculated the fine based on the minimum thresholds and took into account the cooperation of the subjects. In other words: if you cooperate, the fine decreases. If you don't, it increases.

What you need to do now

If you have done nothing so far, start with these — in order of priority:

  1. Publish a privacy policy on your website, in Albanian, with all the elements required by Article 13.
  2. Draft and approve your internal regulations — not a draft, but a document signed by the administrator.
  3. Complete the RoPA — the record of processing activities. Without it, you cannot prove you know what data you hold.
  4. Conduct staff training, with minutes and an attendance list. The Commissioner requires them.
  5. Assess whether you need a DPO — if you process data on a large scale or carry out systematic monitoring, the answer is likely yes.

This is not a one-day job. But the longer you delay, the higher the risk — because the Commissioner has begun inspections, and has no intention of stopping.
Want to know where you stand with Law 124/2024? OnLaw Office conducts compliance assessments and provides external DPO services for businesses. Contact us.

Av. Orjon Nallbati

Studio Ligjore — Av. Orjon Nallbati