On April 29 2010 Parliament passed the new Law on Personal Data Protection (03/L-172), which entered into force on June 15 2010.

The purpose of the law is to set out the rights, responsibilities, principles and measures concerning the protection of personal data. Impartiality and legitimacy of data processing, which should not harm the dignity of the data subject, are considered the binding principles of the law.

For the legitimate processing of personal data, the law requires the fulfilment of certain conditions, such as the consent of the data subject, the controller/processor's legal obligation or the fact that the processing is necessary for the vital interests of the data subject.

These requirements become more stringent where the data to be processed or stored is sensitive. According to the law, 'sensitive data' is data that reveals the data subject's racial or ethnic origin, political or philosophical opinions, religious beliefs, membership of labour unions, health status or sexuality.

In exercising their activities, data controllers and processors should provide for appropriate measures in order to guarantee and secure their respective activities. In addition, the law requires mandatory notification of the competent authority (ie, at least 20 days in advance) for any intended new filing system or any new categories of personal data to be processed. Failure to take appropriate measures or to inform the competent authority will lead to fines of up to €10,000.

The law confers several rights on the data subject, incuding (i) the right to access processed or stored data, and (ii) the right to add, correct, block, destroy, erase, object to or delete data that is incomplete, inaccurate or outdated, or that is stored or processed contrary to the law.

Restrictions to these rights apply for national and public reasons, important economic or financial national interests or the prevention, investigation and prosecution of criminal offences.

The State Agency on the Protection of Personal Data has been established to guarantee the legitimacy of personal data processing. The agency operates as an independent authority, directly accountable to Parliament. The agency's executives (the chief state supervisor and four members) are directly appointed and discharged by Parliament.

The agency's remit includes:

• conducting inspections;
• overseeing subjects that process and store personal data;
• advising public and private entities on matters concerning personal data; and
• informing the public on developments and promoting the rights related to personal data protection.

The law also obliges both the legislative and executive branches of government to consult the agency on initiatives in the legislative/administrative field of its competence, and empowers the agency to address the Constitutional Court on the constitutional validity of laws.

The law contains special provisions on the transfer of personal data to other countries and/or international organisations. According to the law, a foreign entity must offer adequate levels of protection of personal data. This is subject to an agency decision based on the criteria set out in the law. For such purpose, the agency will publish a list of countries and international organisations that fulfil these criteria.

The law provides for a wide range of fines applicable to infringers. These are based on the gravity of the violation and vary from €200 up to €10,000.

For further information please contact Ened Topi at Boga & Associates by telephone (+355 42251050), fax (+355 42251055) or email (etopi@bogalaw.com).

"This article was originally edited by, and first published on, www.internationallawoffice.com - the Official Online Media Partner to the IBA, an International Online Media Partner to the ACC and the European Online Media Partner to the ECLA. Register for a free subscription at www.internationallawoffice.com/subscribe.cfm."