Albania's Law on Protection of Personal Data (LPDP) extends its applicability to data controllers not established in Albania but using equipment located within the country for data processing.

Text of Relevant Provisions

LPDP Art.4(2)(c):

"2. This law shall apply to the processing of personal data by:c) Controllers who are not established in the Republic of Albania, making use of any equipment situated in the Republic of Albania;"

Analysis of Provisions

The LPDP explicitly extends its scope to data controllers who are not established in Albania but make use of equipment situated within the country. This provision is significant as it broadens the law's territorial reach beyond entities physically present in Albania.

The key elements of this provision are:

1. "Controllers who are not established in the Republic of Albania": This targets foreign entities that do not have a physical presence or establishment in Albania.
2. "making use of any equipment": The term "equipment" is broad and could potentially encompass various types of hardware or infrastructure used for data processing.
3. "situated in the Republic of Albania": The equipment must be physically located within Albanian territory.

This provision aims to ensure that the LPDP can be applied to foreign entities that process personal data of Albanian residents or citizens using equipment located in Albania, even if these entities do not have a formal establishment in the country.

It's worth noting that Article 4(3) of the LPDP adds an additional requirement for controllers falling under this provision:

"In circumstances stipulated in point 2 (c) of this article, the controller designates a representative established in the territory of Albania. Stipulations of this law applying to controllers are also applicable to their representatives."

This means that foreign controllers using equipment in Albania must appoint a local representative, who will be subject to the same obligations as the controller under the LPDP.

Implications

The inclusion of this factor in Albania's data protection law has several implications for businesses:

1. Foreign companies using servers, data centers, or other processing equipment in Albania will likely fall under the scope of the LPDP, even if they don't have an office or employees in the country.
2. Such companies will need to comply with Albanian data protection regulations, including appointing a local representative.
3. This provision may affect cloud service providers or other technology companies that use infrastructure in Albania to process data, even if their primary operations are based elsewhere.
4. Companies considering using equipment in Albania for data processing should carefully assess their compliance obligations under the LPDP.
5. The broad wording of "any equipment" suggests that even temporary or mobile equipment used for data processing within Albania could potentially trigger the law's applicability.

This factor effectively extends the territorial scope of Albania's data protection law, ensuring that the use of Albanian infrastructure for data processing is subject to local regulations, regardless of the controller's place of establishment.