How can I ask a company for the data it holds about me?
Yes — you have the right to ask any company or institution for a copy of the personal data it holds about you, and the reply must come within the legal deadline. The biggest myth is about which law applies: most people still cite law no. 9887/2008, but it has been replaced by law no. 124/2024 “On the protection of personal data,” aligned with the EU’s GDPR and in force since 2025. Under it, the data controller must reply within 30 days of receiving the request, a period that can be extended up to 60 days when requests are numerous or complex. The first request is free of charge. If they fail to reply or refuse without reason, you can complain to the Commissioner for the Right to Information and Protection of Personal Data. So the right has existed for years — only the legal basis has changed, and citing the old law is the mistake to avoid.
📋 The rules
- The current legal basis is law no. 124/2024 “On the protection of personal data,” which replaced law no. 9887/2008 and is aligned with the GDPR.
- Anyone has the right to ask for confirmation and a copy of the personal data a controller holds about them, plus information on the purpose of processing.
- The controller must reply within 30 days of the request; the deadline extends to 60 days for numerous or complex requests.
- The first request is handled free of charge; a reasonable fee may be charged only for extra copies or clearly excessive requests.
- A complaint about non-reply or refusal goes to the Commissioner (IDP), who oversees enforcement and reviews complaints.
🔓 Exceptions
- The right of access can be restricted where it harms the rights of others or where special laws (for example, a criminal investigation) provide exemptions.
- The controller may require your identification before releasing the data, so as not to hand it to the wrong person.
- For clearly unfounded or excessive requests, the controller may charge a fee or, in certain cases, decline to respond.
⚠️ Penalties & fines
For the citizen, the real cost of not knowing the law is a lost right: many people give up because they believe “the company is not obliged,” or they cite the old law 9887/2008 that is no longer in force. For data controllers — businesses and institutions — the consequences are tangible. If they ignore a lawful access request, refuse without reason or miss the deadline, the Commissioner can open an administrative investigation, issue orders to satisfy the request, and impose administrative fines under the new law, which has significantly raised the penalties compared with the previous one. Beyond the fine, there is reputational damage and the duty to fix processing practices. For an individual who suffers harm from unlawful processing, the law also opens the route to compensation. So a written request, with a date and proof of delivery, is the best protection you have, because it fixes the clock and the evidence.
📎 Official sources
- QBZ · law 124/2024 on the protection of personal data →
- IDP · Commissioner for the Right to Information and Data Protection →
- e-Albania · services and complaints to the Commissioner →
❓ Frequently asked
Which law now applies to personal data?
The current legal basis is law 124/2024, which replaced law 9887/2008 and was aligned with the EU’s GDPR. That is why referring to the old law is a common mistake, since rights and deadlines are now set by the new law, in force since 2025.
Within how long must the company reply?
The data controller must reply within 30 days of receiving your access request. That deadline can be extended to 60 days only when requests are numerous or complex, and the company must notify you of the extension and its reason.
Do I have to pay to get my data?
No, the first request to access your data is handled free of charge under the law. A reasonable fee may be charged only for extra copies, or where the request is clearly excessive or repeats without genuine need.
What if the company does not reply or refuses?
You have the right to complain to the Commissioner for the Right to Information and Protection of Personal Data, who oversees enforcement. The Commissioner can open an investigation, order the request to be satisfied, and impose administrative fines on a controller that breaks the deadlines.
Can my access request be refused?
Yes, in limited cases, for example where access harms the rights of others or where special laws provide exemptions such as a criminal investigation. The controller may also first require your identification, so the data is not handed to the wrong person.
🔎 Common searches
What people search to land here:
- “data access request albania”
- “law 124 2024 data protection”
- “data subject rights albania”
- “how many days to reply data request”
- “data protection commissioner albania”
- “copy of my personal data”