Fines of up to 20 million euros in the personal data law raise questions for businesses

Penalties of up to 20 million euros foreseen in the legal framework for personal data that came into force at the beginning of this year seem to have worried the business community.

The Office of the Commissioner for the Right to Information and Personal Data Protection admitted this Thursday, at a meeting organized by the American Chamber of Commerce, that the penalties are perhaps the point that has created the most panic, judging by the questions received from businesses at this stage, while the methodology is being discussed.

In his speech, Chief Commissioner Besnik Dervishi said that both the law and the by-laws are part of a broad consultation process that has also included business, and that at its core is the prevention of violations related to personal data. Mr. Dervishi said that this is the first law in the country that is 100 percent aligned with the European Union, and that this also constitutes the main challenge for implementation.

"We need to change the approach to personal data protection, a practice to create trust between business and citizens," said Mr. Dervishi, adding that the office he heads will create special training modules related to better implementation of the law.

In his speech to AmCham members, Commissioner Dervishi emphasized that the new law 124/2024 brings a series of essential innovations in the protection of personal data, which have a direct impact on businesses as controllers and processors, as they must ensure full transparency on how they process and administer this data.

“The new law provides better protection for data subjects and also defines more clearly the rights and obligations of each controller and processor. The law expands the rights of individuals over their data, including: the right to access and rectify data; the right not to be subject to automated decisions; as well as the right to be forgotten, which obliges businesses and online platforms to delete data that is no longer necessary for the purpose for which it was collected,” Commissioner Dervishi emphasized.

He stressed that businesses must take stronger measures to protect personal data against loss, unauthorized access or misuse. The law also requires businesses to appoint a Data Protection Officer (DPO), who will be responsible for overseeing compliance with the law and ensuring that appropriate measures are implemented.

“In addition to legal obligations, it is essential that we all change our approach to the protection of personal data. This is not only a legal requirement, but a necessary practice to build trust between businesses and citizens. Personal data is a valuable asset and its protection should be a priority for every organization,” Mr. Dervishi further underlined in his speech.

The Director of the Cabinet in the Commissioner's office, Besa Velaj, answered some of the questions related to the Methodology for Calculating Administrative Sanctions Measures by the Commissioner for Personal Data Protection.

She explained that, despite businesses' request for a catalog of potential violations, this is impossible to do, as the nature and dynamics of violations vary greatly and they will be assessed on a case-by-case basis.

The way the penalty is calculated also takes into account, according to her, a series of elements related to the classification of the business, seriousness and turnover. Other elements that influence it are the nature of the violation, its duration and its importance.

Dhimitër Shuli, Member of the Digital Committee at the American Chamber of Commerce, explained the obligations and challenges brought by the new law for businesses, which attempts a more careful approach to the processing of personal data.

He outlined several steps that businesses can take regarding a more effective approach to compliance by linking it to the list of data, why this information is needed, its security, transparency and guaranteeing individuals' rights to data protection, as well as knowing how to manage the case of a data breach by notifying the Commissioner within 72 hours.

https://monitor.al/si-do-te-logariten-sanctions-for-violation-of-personal-personal-data/
