Albanian DPL

Law No. 124/2024 on the Protection of Personal Data

Key Facts

Effective Date: January 31, 2025
Enacted: December 19, 2024
Enforcing Authority: IDP (Information and Data Protection Commissioner)
Consent Model: Opt-in
Applies To: Any organization processing personal data of individuals in Albania

Overview

Albania enacted a comprehensive GDPR-aligned data protection law on December 19, 2024, incorporating both the GDPR and the EU Law Enforcement Directive. This is one of the most GDPR-aligned laws outside the EU/EEA, with penalties matching GDPR levels at up to 4% of global turnover.

What This Means for Your Website

  • Consent must be freely given, informed, and explicit for processing personal data of Albanian visitors
  • Direct electronic marketing requires prior, explicit, informed consent with an easy opt-out mechanism
  • Controllers must maintain documented proof of consent
  • Penalties match GDPR scale: up to 4% of global turnover or ALL 2 billion
  • Some provisions are phased in over two years from the January 2025 effective date

Key Requirements

The IDP (Information and Data Protection Commissioner) enforces the law with GDPR-scale penalties in two tiers: up to ALL 1 billion or 2% of turnover (Tier 1) and up to ALL 2 billion or 4% of turnover (Tier 2). The law requires documented proof of consent and clear withdrawal mechanisms. As an EU candidate country, Albania's strong alignment with EU standards is part of the accession process.

How ConsentStack Handles This

ConsentStack applies GDPR-compliant consent standards for Albanian visitors, meeting the law's requirements for explicit consent and documented proof of consent.

Penalties

Tier 1: Up to ALL 1 billion or 2% of global annual turnover. Tier 2: Up to ALL 2 billion or 4% of global annual turnover.

Maximum Fine: ALL 2,000,000,000 aggregate
Revenue-based: 4% of annual revenue

Key Requirements

  • Consent must be freely given, informed, and explicit
  • Direct electronic marketing requires prior explicit informed consent
  • Controllers must maintain documented proof of consent
  • Clear, easy-to-use withdrawal mechanism required
  • Right to withdraw consent at any time without detriment

Notable Provisions

  • GDPR-level penalty structure (up to 4% global turnover)
  • Incorporates both GDPR and Law Enforcement Directive
  • EU candidate country
  • Among the strongest non-EU penalty frameworks

Other Europe Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
FDPA (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" button or "Continue without accepting" must appear on the first layer.
UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

How strong is Albania's data protection law?

Very strong. Albania's Law 124/2024 is one of the most GDPR-aligned laws outside the EU, with penalties matching GDPR levels at up to 4% of global turnover.

What are the penalties under Albanian data protection law?

Up to ALL 2 billion or 4% of global annual turnover (Tier 2). Among the strongest non-EU penalty frameworks.

Is Albania aligning with GDPR?

Yes. As an EU candidate country, Albania's 2024 law incorporates both the GDPR and the EU Law Enforcement Directive, demonstrating strong EU alignment.

Stay compliant with Albanian DPL

ConsentStack helps you implement opt-in consent for Albania automatically.