On 20 November 2025, the Commissioner for the Right to Information and the Protection of Personal Data adopted two instructions that, taken together, build the first complete certification mechanism under Law No. 124/2024 "On Personal Data Protection": Instruction No. 08 on the additional criteria for accrediting certification bodies, and Instruction No. 09 on the general criteria for certification and the granting of data protection seals and marks.
Both instructions replace the old 2018 regime (Instructions No. 47 and No. 48, dated 14.09.2018). For most Albanian companies, this development passed unnoticed - yet it is exactly the kind of development that, within a year or two, will separate the companies that treat data protection as a formality from those that turn it into a competitive advantage.
This article explains what certification is, how the new mechanism works and - most importantly - what it means in practice for a data controller or processor in Albania.
What data protection seals and marks are
The certification provided for in Article 37 of Law 124/2024 is a conformity assessment of a specific processing operation - not of the company in the abstract. An independent, accredited body assesses whether a given processing operation (for example, processing customer data on a particular platform, or processing employee data) is carried out in line with legal requirements. If it is, the client receives a seal and mark attesting to that fact.
A few fundamentals to get right:
- It is voluntary. No company is required to be certified. But certification is a trust signal: it publicly demonstrates that a processing operation has been assessed by an independent third party and found compliant.
- It is operation-specific. What gets certified is one or more processing operations, not the "company" as a whole. The scope of certification is clearly defined in the certificate.
- It is time-limited. Certification is valid for a period of no more than 3 years and is renewed under the same criteria.
- It does not release you from your legal obligations. Even after certification, the controller remains fully responsible for compliance. Certification is evidence, not a shield.
How the mechanism works: two layers
The new mechanism is built on two layers, and it is important not to confuse them.
Layer one - accreditation of certification bodies (Instruction No. 08). Before anyone can certify other companies, they must themselves be accredited as a certification body by the General Directorate of Accreditation, under Law No. 116/2014 and the additional criteria of Instruction 08. These bodies must apply the international standard ISO 17065 and meet strict requirements for independence, impartiality, confidentiality, financial resources and staff competence. Accreditation is granted for a maximum term of 5 years.
One detail that will only grow in importance: Instruction 08 prohibits a certification body from simultaneously providing consultancy services or acting as a data protection officer (DPO) for the same client it certifies. This separation is the heart of impartiality - whoever advises you cannot assess you.
Layer two - certification of controllers and processors (Instruction No. 09). Once bodies are accredited, they certify controllers and processors (clients) against the legal criteria of Law 124/2024 and the standard ISO 27701 (Privacy Information Management System - PIMS), underpinned by a functional ISO 27001 (Information Security Management System - ISMS).
What is required of a company that wants to be certified
This is where Instruction 09 becomes practical. To be certified, a company must demonstrate that it has built - and keeps operational - a real data protection infrastructure. The key criteria include:
- A functional ISMS (ISO 27001) with specific controls over personal data, and a PIMS (ISO 27701) with key performance indicators (KPIs), an annual management review and an internal audit at least once a year.
- Application of the processing principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. The legal basis for each operation must be identified, documented and periodically reviewed.
- Clear separation of roles between controller, processor and sub-processors, with processing agreements that define responsibilities and due diligence over sub-processors.
- Processes that enable data subjects to exercise their rights - information, access, rectification and erasure, the right to be forgotten, restriction, portability, objection and not being subject to automated decisions - with identity verification, request logging and tracking, and respect for statutory deadlines.
- Data breach procedures, periodically tested through simulation, and notifications to the Commissioner and affected data subjects.
- Data protection by design and by default.
- A data protection impact assessment (DPIA) for high-risk operations, under Article 31 of Law 124/2024.
- Technical and organizational measures appropriate to the risk: pseudonymization and encryption, access control and identity management, resilience and recovery, penetration testing and vulnerability assessments.
- Safeguards for international transfers, where applicable, with documentation of the transfer mechanism (adequacy decision, standard contractual clauses, or binding corporate rules).
- A record of processing activities (ROPA) under Article 27 of the Law, covering data categories, purpose, legal basis, retention period and transfer mechanisms.
Read carefully, this list is not a set of new requirements: it is precisely the infrastructure that Law 124/2024 already requires of every controller. Certification simply makes verifiable and visible what should exist regardless.
Why it matters for your company
Three reasons make this more than a regulatory footnote:
1. Certification becomes a trust signal in a market where no one holds one yet. Albania is at the start of the curve. The first company in your sector to place a data protection seal next to a processing operation gains an advantage that competitors will only catch up to later.
2. The preparation is the same as the legal obligation. Even if you decide not to certify today, building your ROPA, your data subject rights processes, your breach procedures and your impact assessments is not "work for certification" - it is simply meeting the law. Certification only raises the bar and documents it.
3. The ecosystem is being built right now. During 2026, the first bodies are expected to be accredited and certification schemes to take shape. Companies that start preparing now will be ready when certification actually becomes available - and, perhaps more importantly, will be compliant well before the Commissioner comes knocking.
What to do now
Even before accredited bodies exist on the market, there are concrete steps that reduce risk and put you ahead:
- Build your record of processing activities (ROPA). Without it, nothing else stands. It is also where the Commissioner begins every inspection.
- Put clear data subject request processes in place, with deadlines and an audit trail.
- Identify your high-risk operations and carry out impact assessments (DPIAs) for them.
- Consolidate the foundations of your ISMS and PIMS - security policies, access control, tested breach procedures.
- Keep the separation of roles in mind when choosing partners: the body that certifies you cannot be the same one that advises you or provides your DPO.
This article is general information and does not constitute legal advice. Article references are to Law No. 124/2024 and Instructions No. 08 and No. 09, dated 20.11.2025; before making any decision, they should be verified against the official text published in the Official Gazette and, where appropriate, with a licensed lawyer.
Want to understand where your company stands against these requirements? Book a 30-minute conversation or subscribe to Privacy Brief Shqipƫri for practical updates on Law 124/2024.