REGULATION

On the Protection, Processing, Storage and Security of Personal Data

This Regulation has been drafted based on the recommendation of the Commissioner for the Protection of Personal Data.

CHAPTER I – GENERAL PROVISIONS

Article 1 – Object

The object of this Regulation is to define the organizational and technical procedures and measures for the protection, processing, storage, and administration of personal data by the company ATHS SHPK.

Article 2 – Legal Basis

  • National Acts: Constitution of Albania, Law No. 9887 (10.03.2008), Commissioner’s acts, and ATHS SHPK’s internal legal framework.
  • International Acts: Universal Declaration of Human Rights, European Convention on Human Rights, EU Directives 2002/58/EC & 95/46/EC, and the Council of Europe Convention on Data Protection.

Article 3 – Purpose

This Regulation defines general principles and measures for protecting, securing, and administering personal data. It applies to all data processed by ATHS SHPK in compliance with the Law “On the Protection of Personal Data.”

Article 4 – Definitions

  • Personal data: Any information relating to an identified or identifiable person.
  • Sensitive data: Data on racial or ethnic origin, political opinions, religious beliefs, criminal record, health, or sexual life.
  • Controller: ATHS SHPK through its employees managing personal data.
  • Data subject: The individual whose data is processed.
  • Recipient: Any person or entity receiving personal data.
  • Processing: Any operation performed on personal data (collection, recording, modification, deletion, etc.).

Article 5 – Scope of Application

This Regulation applies to all personal data processed automatically or stored in ATHS SHPK’s systems.

CHAPTER II – PROCESSING OF PERSONAL DATA

Article 6 – Data Protection

Employees must ensure lawful, fair, and transparent processing, collect data only for legitimate purposes, ensure accuracy, and store it only as long as necessary.

Article 7 – Purpose of Processing

Data may be used only for fulfilling legal duties and in line with laws governing personal data processing.

Article 8 – Criteria for Processing

  • The data subject has given consent.
  • Processing is necessary for a contract.
  • Processing is required by law.

Article 9 – Processing of Sensitive Data

Sensitive data must comply with strict legal conditions. ATHS SHPK does not collect sensitive data.

Article 10 – International Transfer

International data transfers occur only to countries ensuring adequate protection levels, per the law and Commissioner’s decisions.

Article 11 – Video Surveillance

ATHS SHPK uses CCTV for the safety of people and property. Recordings are retained for up to 2 months and then deleted.

CHAPTER III – RIGHTS OF DATA SUBJECTS

Article 12 – Exercising Rights

Data dissemination must align with its purpose. Individuals can request access in writing; responses must be provided within 30 days.

Article 13 – Requests for Information

  • The data subject
  • Authorized representative
  • Persons with legitimate interest
  • Parents or guardians acting in the child’s interest

CHAPTER IV – NOTIFICATION

Article 14 – Duty to Notify

Notification to the Commissioner’s Office is mandatory, in accordance with applicable law and government decisions.

CHAPTER V – DATA SECURITY

Article 15 – Security Measures

ATHS SHPK implements organizational and technical measures to protect data against unlawful or accidental destruction, unauthorized access, or disclosure. Measures include access control, encryption, antivirus systems, firewalls, and backup policies.

Article 16 – Fire Safety

  • No smoking or open flames
  • No gas cylinders or temporary electrical cables

Article 17 – Protection of Premises

Only authorized staff may enter data processing areas. All entry points are monitored 24/7.

Article 18 – Access Restriction

Only employees performing relevant duties or authorized maintenance personnel may enter.

Article 19 – Protection of Electronic Equipment

Only trained ATHS SHPK employees use data-processing devices. Any system malfunction must be reported immediately to the system administrator.

Article 20 – Software Protection

Software handling personal data must be licensed or open-source and approved by management.

Article 21 – Program Licensing

Purchased software must include valid licenses allowing installation across company units.

Article 22 – Monitoring and Logging

Access to data is continuously logged and monitored to ensure user identification and accountability.

Article 23 – Protection of Documents

Documents containing personal data must be marked with confidentiality levels.

Article 24 – Backups

Data backups are securely stored offsite for emergencies.

Article 25 – Loss of Documents

Any loss of confidential data must be reported immediately and investigated.

CHAPTER VI – ADMINISTRATIVE SANCTIONS

Article 26 – Disciplinary Measures

Employees violating data protection obligations are subject to disciplinary or administrative sanctions.

Article 27 – Supervision

Compliance is monitored by designated company data protection officers.

Article 28 – Confidentiality

Employees must maintain data confidentiality even after employment ends.

Article 29 – Cooperation Duty

ATHS SHPK must cooperate fully with the Data Protection Commissioner, providing access to systems and documents when required.

Article 30 – Implementation Duty

All legal acts of the Commissioner are binding. Violations of data protection laws constitute administrative offenses punishable by fine.

Article 31 – Sanctions

This Regulation is part of ATHS SHPK’s internal rules; non-compliance is a disciplinary violation subject to sanctions under applicable legislation and company policies.