|

Press release of the Commissioner’s Office

The Office of the Information and Data Protection Commissioner is carefully monitoring compliance by public and private controllers with the provisions of the Law No. 9887, dated 10.03.2008 “On personal data protection” as amended (hereinafter “the Law”), as well as with secondary legislation issued by the Commissioner, in the context of measures on managing and preventing COVID-19 pandemic.

In this regard, as you may be already aware of, in order to effectively guarantee and respect for the right to personal data protection as a human fundamental right, the Commissioner’s office has developed three guidelines in connection with the processing of personal data following the situation caused by COVID-19 pandemic: (https://tiranaticked.online/udhezime-ne-kuader-te-covid-19/).

However, it has recently been noticed an increased concern of data subjects (citizens) regarding legitimacy of processing their personal data, as well as on safeguarding their security and maintaining confidentiality. This issue has been spotted following the complaints received by data subjects claiming that personal data have illegally been disclosed, in particular on health-related data of patients infected with COVID-19.

The Commissioner’s Office brings to the attention of the controllers that health data consist of sensitive data in terms of article 7 of the Law and accordingly, citizens enjoy special protection both by national legislation and by international law binding on the Republic of Albania.

For this reason, we invite and request from public and private controllers to pay special attention to comply with their obligations within the legislation in force for the protection of personal data and the guarantee of the right to protection of personal data and privacy of the individuals whose data they process.

Maximum care, responsibility and commitment regarding the processing of sensitive personal data, in accordance with applicable law, is required, in particular, by the state authorities responsible for preventing the spread of COVID-19 and managing the situation created by the latter.

In view of the above, we recall that every institution of the health system, whether in the capacity of a controller or a data processor, is obliged to guarantee a lawful processing of personal data of data subjects in accordance with the principles and legal criteria sanctioned in Articles 5 and 6 of the Law, as well as to take technical and organizational measures to prevent the illegal dissemination of personal and sensitive data of patients, in accordance with Articles 27 and 28 of this law.

The Office of the Commissioner expresses its appreciation and gratitude for the professional and human efforts, as well as the commitment of all health personnel to prevent the escalation and serious consequences of COVID-19. On the other hand, it reminds the authorities responsible in the fight against COVID-19 that, in addition to paying efforts for preventing the tragic consequences for the life and health of COVID-19 infected patients, they also have an obligation to prevent the illegal disclosure of personal data of the patients concerned, an action which would have serious consequences for the privacy and dignity of the latter.

In full respect of freedom of expression – as another freedom and personal right sanctioned in the same chapter of the Constitution, along with the right to protection of personal data, the Office of the Commissioner expresses its consideration for the professional attention and coverage that media outlets, print, audiovisual, or online, have been dedicating to informing the public about developments and news of the pandemic situation. However, we take this opportunity to invite the entire media spectrum of Albania to show restraint, proportionality and professional ethics in leaking information that leads and/or may lead to the concrete identification of COVID-19 patients.

The Office of the Commissioner, in exercising the powers provided in Articles 29, 30 and 31 of the Law, will continuously monitor and react in accordance with the regulatory framework in force against any situation of illegality. For any illegal dissemination and/or publication of personal and/or sensitive data, contrary to the principles, criteria and obligations sanctioned in Articles 5, 6, 7, 27 and 28 of the Law, the Office of the Commissioner, in addition to blocking orders of further processing activities and public denunciation of violators, will proceed with administrative sanctions against the latter, according to the provisions of Article 39 of the Law.