The LPDP explicitly states that it applies to data processing activities conducted by "Controllers established in the Republic of Albania". This provision sets a clear territorial scope for the law's applicability based on the establishment of the data controller.

The concept of "establishment" is crucial here, as it determines whether a controller falls under the jurisdiction of Albanian data protection law. While the LPDP does not provide a specific definition of "establishment" in this context, it generally refers to having a physical presence or conducting business activities within the country.

This approach ensures that entities with a significant connection to Albania are subject to its data protection regulations, regardless of where the actual data processing takes place. It reflects the principle that data protection laws should govern entities that have a meaningful presence within the jurisdiction.

Implications

The implications of this provision for businesses and organizations are significant:

1. Local companies: Albanian companies processing personal data must comply with the LPDP, regardless of where their data subjects are located or where the data is processed.
2. Foreign companies with local presence: International organizations with offices, branches, or subsidiaries in Albania will likely be considered "established" in the country and thus subject to the LPDP for their data processing activities.
3. Data processing location: The law applies based on the controller's establishment, not the location of data processing. This means that even if an Albanian-established company processes data outside the country, it would still be subject to the LPDP.
4. Compliance requirements: Controllers established in Albania need to ensure their data processing activities align with all provisions of the LPDP, including data subject rights, data protection principles, and any notification or registration requirements.
5. Potential dual regulation: Multinational companies with establishments in Albania may find themselves subject to both Albanian data protection law and the laws of other jurisdictions where they operate, potentially requiring compliance with multiple regulatory regimes.

This factor extends the reach of Albanian data protection law to all entities with a significant presence in the country, ensuring comprehensive protection for data subjects and creating a level playing field for businesses operating within Albania's borders.