10.07.2024
If we stop to think just for a moment that our personal data is collected, stored and processed even by servers located an ocean away, then we have to ask ourselves: how safe is our personal data?
A common concern
Personal data is any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Today we face rapid technological and digital developments that shape the activity of the controllers who manage this data, which makes it difficult to verify whether they are really respecting privacy protection policies. One of the most serious risks is identity theft, where hackers or other unauthorized persons gain control over personal data and use it for illegal purposes such as stealing money, opening fake accounts or, even worse, assuming the victim's identity in criminal activities. The data subject's right to security corresponds to the controller's obligation to pay particular attention to this security during each stage of the processing activity.
From Directive to Regulation
The EU institutions initially chose to regulate the protection of this data with a Directive, leaving it to the member states to regulate the field through their internal mechanisms. Subsequently, the EU institutions realized that the protection of personal data required stricter rules, which led to the adoption of a Regulation. This Regulation has extended the scope of its legal effects to non-European processors and to those who carry out their activity outside the EU area. The Regulation has shifted the attention to what data is being processed, rather than where and by whom the processing is carried out. Unlike the Directive, it gives special attention to the principle of accountability: controllers must demonstrate in advance that the processing of personal data will be carried out while respecting and effectively guaranteeing its protection. Each controller is directly responsible and bears the burden of proving that its processing activities are lawful. Likewise, it is necessary to apply effective measures which prove that data processing activities stay within the limits set by the legislation. So, the prior provision of personal data is a condition for the lawful processing of these data.
The Regulation is considered violated when several cumulative elements are met: the nature of the violation viewed as a whole, the damage it caused and the time needed to recover from it, whether the violation was committed intentionally or negligently, whether the entity responsible for the violation has taken any measures to mitigate the damage caused, its cooperation with the supervisory authority in detecting and correcting the violation, the category of data affected by the violation, the correct notification of the violation to the competent supervisory authority, whether the entity holds a certification or adheres to approved codes of conduct, and the existence of aggravating or mitigating factors, including financial benefits gained or losses avoided as a result of the violation. For lighter violations, the Regulation provides for fines of up to 10 million euros, or 2% of the firm's annual worldwide income from the previous financial year. Serious violations are sanctioned with fines of up to 20 million euros, or 4% of the company's annual worldwide revenue from the previous financial year.
Challenges and risks
There are cases where personal data is collected and administered by two or more controllers. There can be no full or partial exemption from responsibility for those who do not properly protect personal data, even when the damage was caused by a force beyond their control. In such a case, the priority is data recovery, and only then the distribution of responsibility. Meanwhile, certification bodies must perform their evaluations without bias and through a transparent process, while monitoring bodies must prove their independence and follow the complaint-handling procedure with precision, impartiality and transparency. Personal data must be collected only for a specific purpose, with care for its accuracy and with a high level of security. Not all data can be collected and processed. Sensitive data, which includes information on racial or ethnic origin, political opinions, trade union membership, beliefs, religion or philosophy, cannot in principle be collected unless there are very specific circumstances. The individual must be specifically informed about the data to be processed, and about the correction of that data or the transfer of the rights to its processing to another entity.
The protection of personal data is a priority; therefore sustainable human resources must be strengthened through training and rigorous reporting protocols. Respecting the principles of data protection should be seen as a continuous process that extends to every stage of data collection, and collection itself should be limited to the minimum extent necessary.
Bibliography
● Law No. 9887, dated 10.3.2008, "On the Protection of Personal Data", as amended.
● Directive 95/46 of the European Parliament and of the Council, 24 October 1995.
● Regulation 2016/679 of the European Parliament and Council, April 27, 2016.
● Nini, D. (2020), "Regulation 2016/679 (Practical aspects of implementation in a comparative approach with previous data protection provisions in Europe)", published in the Juridical Journal "Jus & Justicia 14", on the topic "International Protection of Human Rights".
Web pages
https://qbz.gov.al/share/KPytvbNlQOuc5VhdPdjKsA
https://gdpr-info.eu/
https://edps.europa.eu/data-protection/our-work/publications/legislation/directive-9546ec_en
https://uet.edu.al/jus-justicia/wp-content/uploads/2022/03/jus-justicia-14.pdf
Sanela Lilaj holds a bachelor's degree in law and an MSc in Public Law. Her professional journey includes significant roles such as legal editor within the RISA project focusing on SDG implementation in Albania, and co-authorship of "Vademekun on the legal issues of LGBTI+ persons". She has also served as a Legal Specialist at the Central Election Commission, specializing in Electoral Entities and Decriminalization.
Through active participation in various legal trainings and workshops, Sanela has deepened her knowledge in liability law and public law. Noteworthy among these are the training "Development of the due process within a reasonable time", as well as sessions on the jurisprudence of the European Court of Human Rights and the European Right of Asylum organized by prestigious institutions.
Additionally, she has contributed articles to EuroSpeak Online Magazine and the Connecting Youth Online Platform, reflecting her commitment to legal discourse and advocacy.