Foreign Investors Association of Albania in its mission to support the thriving of businesses and the improvement of business climate in Albania, in collaboration with Vodafone Albania, PwC Albania, the Commissioner for Data Protection as well as ProCredit Bank Albania and Teleperformance organized a workshop to share best practices of FIAA members, active in data intensive sectors such as telecommunications, banking, BPO and technology, and consulting, in the field of GDPR rules implementation.
This workshop offered an amazing opportunity to the participants, composed of data protection specialists from many companies operating in the Albanian market, to learn from the best. As Mr. Sokol Elmazaj, a Board Member and Deputy President of FIAA highlighted, this workshop came as a logical and a necessary follow up to an initial event which took place on March 10, 2025, in collaboration with the Albania Investment Council and the Commissioner for the Right to Information and the Protection of Personal Data aimed at presenting the recently passed law on data protection, and at the proper time as the Commissioner has placed the drafted sub-laws in public consultation.
Mrs. Arjola Rushiti, a lawyer and Legal Director at PwC Albania shared results from the survey they conducted with businesses to understand the level of knowledge and of implementation of GDPR rules in Albania, which make clear that for most of them there is a long way ahead to be able to cope with the new legislation. Mrs. Rushiti furthermore informed the audience on the most important concepts and novelties of the law by focusing especially on the extension of the rights of the subjects included in the law, as well as the necessity of creating the position of Data Protection Officer, the introduction of the concepts of privacy by design and privacy by default, and the international transfer of data. The PwC Albania example shows that there is need for an initial assessment to understand what kind of data is being handled, followed by the creation of an internal system to deal with how this data is going to be protected, and the continuous testing of the system.
Vodafone Albania represented by Mrs. Jonida Lakuriqi, Director of Legal & Public Policies & External Affairs and Mr. Marsel Llupa, Head of Legal & Compliance offered a short master class on how GDPR was implemented in Vodafone Albania in the past 7 years. As highlighted by Mrs. Lakuriqi, who gave a very eye-opening introduction on how we are surrounded by cases of data breaches and how our data protection is trespassed daily, Vodafone’s case shows in the most concrete way how all paragraphs of the GDPR law are combined in the case of a corporate. Mrs. Lakuriqi emphasized that the real power lies not in keeping but in sharing knowledge on this sensitive topic, not only as professionals but also as citizens.
Mr. Llupa made a detailed and frank presentation of the concrete steps that Vodafone undertook in establishing a system at group and local level on how data can be best protected. This system included the identification of the different GDPR fields that need to be addresses, the continuous assessment of these fields and of the control measures that have been put in place, the assignment of the data protection roles not only to the officers but the distribution of this task to all departments, also including executives of the company, and the usage of several digital platforms to manage the whole system. This extension of responsibilities within the company comes with a considerable financial cost, which includes numerous staff which is completely or partly working to address the tasks, the necessity for continuous training and for access in specialized digital platforms. Mrs. Lakuriqi added that this whole process changes the culture of the company, and the case of Vodafone Group again highlights how this can be enabled. Once a year, the Vodafone CEO releases a statement in which he provides a guarantee towards the group and a snapshot of the GDPR implementation status in the different markets where the company is active, including the risks and gaps that have been identified by the audit and compliance, and which need to be addressed. Mrs. Lakuriqi further expressed the readiness to prepare a follow up workshop dedicated to CEOs of companies active in Albania, to further support the sharing of knowledge in the GDPR field.
Mr. Emiljan Dyrmishi, Coordinator of the Compliance Unit at ProCredit Bank Albania accentuated the very important role that GDPR has in the banking sector since almost all population have at least one banking account, conduct payments, and are steadily exposed and prone to risk related to data breach and cybersecurity threats. The challenges for implementing GDPR rules in the banking sector are related among others to the fact that GDPR is a matter of introducing a new ethics and culture in how to conduct business, to the relations with subcontractors who process data, to technological developments, including the usage of cloud solutions and partly artificial intelligence, to the need for training for all employees, and to the interpretation in practice of the law and the approval of the sub-legal acts. In the concrete case of the banking sector in Albania, there needs to be an alignment between requirements of the Bank of Albania and the Commissioner for the Right to Information and the Protection of Personal Data. Mr. Dyrmishi emphasized the fact that for most of the banks the transition phase to a GDPR compliant way of conducting business has been easier due to the support provided by their groups which are based in EU countries, while for the rest of the companies this is not provided. His recommendations were for a stronger alignment among the interested actors included in this process, a more harmonize approach on the side of the state institutions, and for a continuous education of the public.
Mrs. Elona Hilviu, Manager of Privacy, Risk and Compliance at Teleperformance, emphasized again the fact that being part of a global group has been crucial in the successful and smooth implementation of the GDPR rules over a period of around seven years. Mrs. Hilviu listed many of the measures that Teleperformance has implemented as part of its data protection system, including encryption, management of the access to critical systems, automatic deletion of old emails, the policy of data minimization, the usage of penetration test and risk analysis, the increase of the number of controls that are undertaken, the information retention period according to the type of data, the structured process of analyzing requests by the subject of interest in the law.
Considering the input provided by the companies, Mrs. Lindita Komani, a consultant at FIAA, as a moderator of the event, made a remark and request on behalf of FIAA and the businesses present in the workshop directed to the Commissioner to extend the deadlines of implementation of the GDPR measures as foreseen in the law, in order that the companies have the necessary time to comply with what is requested in a sustainable way that does not disrupt their business activities.
Mrs. Besa Velaj, as a representative of the Commissioner for the Right to Information and the Protection of Personal Data, presented details of the drafted sub-laws and part of the methodology of sanctions that are planned to be implemented on the businesses that will not comply with the law. Following her presentation, Mrs. Velaj addressed several questions from the participants in the workshop, by emphasizing the fact that there will be information campaigns all over Albania, with businesses, chambers and associations representing business, as well as citizens and expressed the readiness of the Commissioner to extend the deadline of public consultation for the drafted sub-legal acts of the law. The Commissioner’s Office is furthermore considering discussing a collaboration with universities to support the training of the future Data Protection Officers.
In conclusion of the event, FIAA expressed its commitment to further focus its attention on the raising awareness among the businesses and wider audience on this important topic. FIAA business community expresses its complete readiness to engage in adapting its business activities in full compliance with the new data protection law and lead by example.
