A Critical Examination of Albania’s New Data Protection Regime and Its Implications for Employee Privacy
Abstract
The adoption of Law No 124/2024 ‘On the Protection of Personal Data’ marks a major transformation in Albania’s data protection framework.1 By repealing Law No 9887/2008 and aligning domestic law more closely with the EU General Data Protection Regulation (GDPR), the new statute introduces an accountability-based regime structured around transparency, purpose limitation, data minimisation, data protection by design, and stronger enforcement.2 Yet the reform leaves unresolved one of the most sensitive areas of contemporary data governance: the protection of employee data.3 This article critically examines the extent to which Albania’s new legal framework adequately safeguards personal data in the employment context. It argues that, despite significant modernization, the law lacks sector-specific rules capable of addressing the structural imbalance between employer and employee, particularly in relation to consent, workplace surveillance, biometric processing, and algorithmic management.4 Through comparative analysis of GDPR art 88 implementation in Germany and the Netherlands, the article demonstrates that Albania’s current framework remains incomplete without a lex specialis on employment data protection.5 It concludes that Law No 124/2024 is a necessary and important step toward regulatory convergence with European standards, but one that must be supplemented by targeted legislation, regulatory guidance, judicial specialization, and stronger safeguards for digitalized workplaces if employee privacy is to receive effective protection.



