The meeting of the Working Group on Chapter 23 – Judiciary and Fundamental Rights was held on 15 July 2025, organized by the European Movement in Albania (EMA) in cooperation with the Commissioner for the Right to Information and Personal Data Protection, within the framework of the National Convention on European Integration, supported by the European Union. The meeting brought together around 40 participants: representatives of civil society, the business sector, lecturers, and legal professionals, who actively engaged in discussions and provided suggestions for the effective and concrete implementation of the new Law on Personal Data Protection, recently adopted in December 2024 and aligned with the European Union’s GDPR.

In her welcoming remarks, Blerta Nerguti, Secretary General of the Commissioner for the Right to Information and Personal Data Protection, emphasized that the Office of the Commissioner plays a specific role in Albania’s EU negotiation process, being involved in several chapters, particularly Chapter 23. She also mentioned the new Law on Personal Data Protection, adopted last December, stating that although the law is aligned with EU standards, implementation remains a challenge, and that for its effective implementation, inclusive meetings with relevant stakeholders are necessary.

Gledis Gjipali, Executive Director of European Movement Albania (EMA), in his remarks emphasized that such meetings are important for building bridges of cooperation and dialogue between public institutions and non-state actors who are interested in and affected by the ongoing reform processes undertaken within the European integration framework, which have intensified with the opening of accession negotiations. Gjipali stressed that these policy initiatives and legislative efforts, while important for aligning with EU legislation and being considered as fulfilled conditions to advance the process, must also be as inclusive as possible. They should provide various stakeholder groups not only the opportunity to be informed but also to actively participate in the discussion and public dialogue. Especially for laws that affect many sectors and are technically challenging, these joint meetings play an important role in sharing experiences and practices from different groups and experts.

Pjerina Mema, Director General for Personal Data Protection at the Commissioner for the Right to Information and Personal Data Protection, focused on the objective of the Office of the Commissioner to guarantee personal data protection by removing existing obstacles and ensuring protection from responsible institutions. According to Mema, the new law guarantees personal data protection more effectively and at the same time increases the accountability of private subjects or controllers of this data. In general, this law provides for more effective supervision, with a more comprehensive legal framework introducing several new elements, such as two rights: (1) the right to be forgotten and (2) the right to personal data portability. Mema emphasized that the law provides for raising awareness among various actors, given that data is processed and used by many sectors, and also includes sanctions and penalties in the event of violations of personal data protection. For Mema, it is still evident that there is a direct connection between the imposition of sanctions and increased awareness, while she stated that the work of the Commissioner and others is increasingly focused on information and awareness, without the need for punishments or penalties.

Continuing, Nerguti took the floor again, focusing on the drafting process and adoption of the Law on Personal Data Protection and its sub-legal acts, the consultation process carried out, and how this law is part of the measures undertaken within the framework of the European integration process and negotiations. She emphasized that so far, five sub-legal acts have been approved, while work continues on the approval of three other acts. According to Nerguti, these processes were carried out in cooperation and coordination with other responsible institutions, according to the topic and chapter, while recommendations and guidelines from the European Commission also played an important role through meetings and published reports. She focused on the intermediate benchmarks set for Chapter 23, noting that some of these criteria are related to the field of personal data protection. Regarding the new law, Nerguti stated that there are three areas where the Commissioner’s work is focused: (a) alignment of the national scope with the GDPR and the Police Directive; (b) building capacities for the implementation of the new legal framework on personal data protection; and (c) raising awareness among controllers and processors to ensure they act in accordance with the new law. She said that work is continuing on the approval of three sub-legal acts, which will bring the total number of acts to eight.

Zuzana Motuzova, Lawyer and Co-Founder of Motuzova & Lacko Law Company, shared with participants the experience of Slovakia as an EU member state and how public institutions, as well as non-state actors, adapted after the adoption and entry into force of the EU General Data Protection Regulation (GDPR), highlighting the challenges encountered in its practical implementation. She pointed out that the difficulty of the GDPR lies in the fact that it is directly applicable, but in the case of Slovakia, public institutions have very often interpreted it in different ways, creating challenges and uncertainty. On the other hand, duplications or clashes between domestic Slovak legislation and the GDPR have continued, leading to ambiguities and violations of its articles and standards. Another challenge, according to her, is related to the fact that the field of personal data protection, especially with rapid technological developments, requires not only legal expertise but also in-depth knowledge of technology and cybersecurity. In the case of Slovak public institutions, as well as other actors, it has been challenging to find the right experts to understand and implement the law. At the end of her presentation, she offered some concrete cases as good practices, lessons learned, and recommendations for responsible public institutions, as well as the business sector, civil society, and legal professionals. Based on her experience with GDPR implementation in Slovakia, Motuzova recommends the following points for Albania: (1) provide simple and practical guidance on compliance; and (2) focus on the real substance and not just the formality of data protection. For her, it is important that the sooner a process of awareness and information is launched on the impact this law has on all sectors, the easier the implementation process will be, promoting what she called a culture of personal data protection and digital security.

At the end of the presentations, participants engaged in an active discussion with questions and comments on the topics and issues addressed. Particular interest was shown in the process of drafting and approving the sub-legal acts of the Law on Personal Data Protection and the need for awareness and clear instructions for its correct implementation, given that not all non-state actors have the capacities or are aware of the obligations arising from this law. Although the work done so far by the Commissioner for Public Information was positively assessed, participants emphasized that it needs to be further intensified, targeting different interest groups and increasing cooperation with the media and AMA. There were also discussions on the need for cooperation between civil society, business, and the Commissioner for capacity building and training, as well as for better coordination of work between public institutions.