In many Albanian companies, "DPO" has become a title added to someone who already has another job - usually the head of IT or in-house counsel. But under Law No. 124/2024 "On Personal Data Protection", the Data Protection Officer is not a title; it is a legal function with defined tasks, independence and responsibilities. Failing to grasp that distinction is one of the most common - and most costly - mistakes companies make at the start of their compliance journey.
This guide explains when a DPO must be designated, what the role actually does day to day, how independence is guaranteed, and when an external DPO makes sense.
When a DPO is mandatory
Designating a DPO (Article 33 of Law 124/2024) is mandatory in three main cases:
- Public authorities and bodies - except for courts acting in their judicial capacity.
- Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale - for example, companies engaged in profiling, behavioural tracking or continuous surveillance.
- Controllers or processors whose core activities involve large-scale processing of special categories of data (sensitive data such as health or biometric data) or data relating to criminal convictions.
There is also a fourth criterion that is often overlooked. Under Article 22 of the Law, designating a DPO must be considered regardless of the Article 33 criteria, especially where the processing operations carry other significant risk elements. In plain terms: even where the letter of the law does not compel it, a DPO may be the right call whenever you process data in ways that could materially affect individuals.
A practical note: do not focus only on the question "am I required to?". Even where designation is not mandatory, someone in the organization must be clearly responsible for data protection. The accountability gap is precisely what the Commissioner finds most often during investigations.
What a DPO actually does
Under Law 124/2024 (Articles 33-34), the DPO has a set of core tasks. Translated from legal language into practice, they are:
- Inform and advise the controller, processor and employees of their obligations under the law.
- Monitor compliance with the Law and internal policies - including the assignment of responsibilities, staff awareness, training and related audits.
- Advise on data protection impact assessments (DPIAs) and monitor their performance, under Article 31 of the Law.
- Cooperate with the Commissioner and act as the contact point for it, including in cases of prior consultation.
- Act as the contact point for data subjects on any matter relating to the processing of their data and the exercise of their rights.
Notice that none of these tasks says "decide everything yourself". The DPO advises and oversees; legal responsibility for compliance stays with the controller. This distinction has practical consequences: a good DPO is not the person who "does everything about privacy", but the person who ensures the organization does it properly.
Independence and conflict of interest
The Law protects the DPO's position in ways that are often missed but are essential:
- The DPO must be involved properly and in a timely manner in all matters relating to data protection - not called in after the decision has already been made.
- They must be given the necessary resources and access to processing operations.
- The DPO receives no instructions on how to perform their tasks and cannot be penalized or dismissed for performing them.
- They report to the highest level of management.
- They may hold other duties, but only if those do not create a conflict of interest.
That last point is more delicate than it looks. The head of IT who decides how data is processed cannot simultaneously be the person who independently assesses whether that processing is lawful. The same logic applies to the head of HR or marketing. The DPO must be sufficiently independent from the decisions they are meant to oversee.
What the role looks like week to week
In practice, a DPO's work is organized around several continuous streams. This is the "operational backbone" of the role:
- Keeps the record of processing activities (ROPA) up to date under Article 27 - the point from which every Commissioner inspection begins.
- Handles data subject requests (access, rectification, erasure, objection, etc.) within statutory deadlines, with identity verification and an audit trail.
- Oversees impact assessments (DPIAs) for high-risk operations, before they begin.
- Leads the response to data breaches - detection, assessment, notification of the Commissioner and, where applicable, affected data subjects, within deadlines.
- Assesses processors and sub-processors before contracting and throughout the relationship (due diligence, processing clauses, international transfers).
- Delivers training and awareness for staff, with measurable indicators.
- Maintains the relationship with the Commissioner and tracks its decisions and regulatory developments.
Most of a DPO's time goes not to "privacy strategy" but to these day-to-day processes. Without a system that keeps them organized - the register, the requests, the deadlines, the audit trails - the role quickly turns into an unmanageable spreadsheet and a trail of lost emails. This is exactly where most small teams fail: not from a lack of knowledge, but from a lack of operational infrastructure.
In-house or external DPO?
Law 124/2024 expressly allows the DPO role to be performed by an external person under a service contract. For many Albanian companies - particularly mid-sized ones that lack in-house data protection expertise - this is the most realistic option.
An in-house DPO makes sense when the organization is large, when processing is central to the business (banks, telecoms, healthcare) and when there is already qualified staff who can perform the role without a conflict of interest.
An external DPO (DPO-as-a-service) makes sense when the company lacks in-house expertise, when a full-time appointment would be unnecessary, or when you want greater independence from internal structures. The advantage is immediate expertise and independence; the condition is that the external provider has real access, timely involvement and genuine knowledge of your operations - not just a name on a contract.
Whatever the choice, the decisive question stays the same: does the role have a system through which the program is run - the register, the requests, the assessments, the deadlines and the audit trails - or does it depend on the memory and goodwill of one person?
A short readiness checklist
Before deciding who your DPO will be - or whether you need one at all - check:
- Have we assessed whether designating a DPO is mandatory under Article 33 (or advisable under Article 22)?
- Have we clearly defined who holds responsibility for data protection, in an internal act?
- Is this person sufficiently independent from the decisions they must oversee (no conflict of interest)?
- Do they have the resources, access and timely involvement to actually perform the role?
- Do we have an up-to-date ROPA, data subject request processes and breach procedures for the DPO to oversee?
- Have we communicated the DPO's contact details to data subjects and, where applicable, to the Commissioner?
If the answer to any of these is "no" or "I'm not sure", that is where the work begins.
This guide is general information and does not constitute legal advice. Article references are to Law No. 124/2024; before making any decision, they should be verified against the official consolidated text (Official Gazette / QBZ) and, where appropriate, with a licensed lawyer.
Assessing whether you need a DPO and what that means in practice? Download the LDP compliance checklist or book a 30-minute conversation.