ON PROTECTION, PROCESSING, STORAGE AND SECURITY OF PERSONAL DATA
This regulation was drafted on the recommendation of the Commissioner for Protection of Personal Data.
This Regulation aims to establish general principles and organizational and technical measures for the protection, preservation, security and administration of personal data. It applies to all data processed by Travel.al, in accordance with the “Privacy Protection Law”. The processing of data should be done in accordance with the Constitution, the Law on Personal Data Protection as amended, as well as with the Mission of Travel, as defined in Law No. 9741, dated 21.05.2007 “On Higher Education in the Republic of Albania”, as amended and in the statute of this university, respecting human rights and freedoms.
PROCESSING OF PERSONAL DATA
Protection of personal data
- Every employee of ATHS KPS structures dealing with processing of personal data of subjects is obliged to comply with the requirements of articles 2 and 5 of the law “On personal data protection”, as amended, as follows:
- Respecting the principle of lawful processing of personal data, respecting and guaranteeing the fundamental human rights and freedoms and, in particular, the right to privacy;
- Conducting processing fairly and lawfully;
- Collecting personal data for specific, clearly defined, legitimate purposes and performing their processing in accordance with these purposes;
- The data to be processed must be sufficient, related to the purpose of the processing and not to exceed this purpose;
- The data must be factually accurate and, where necessary, updated, and every action must be taken to ensure that inaccurate and improper data are deleted or altered;
- Data must be kept in a form that allows identification of data subjects for no longer than is necessary for the purpose for which they are collected or further processed.
Purpose of processing
Every worker at Udhetim may use personal data only for performing the duties provided by law and in accordance with the legal and sub-legal acts regulating the processing of personal data.
Personal Data Processing Criteria
- Employees of any travel organization dealing with the processing of personal data of subjects (natural persons) shall act on the basis of the criteria set out in Article 6 of the Law “On Personal Data Protection”, as amended.
- Personal data shall be processed only:
  - if the personal data subject has given his consent;
  - for drafting and execution of contracts in which the personal data subject is a party;
  - for the fulfillment of a controller’s legal obligation.
Processing sensitive data
- Sensitive data relate to any information about a natural person that has to do with his or her racial or ethnic origin, political opinions, union membership, religious or philosophical beliefs, criminal convictions, as well as data on health and sexual life.
- The processing of sensitive data by any employee dealing with their processing shall be carried out in accordance with the criteria set out in Article 7 of the Law “On Personal Data Protection”, as amended.
- Udhetim does not take sensitive data.
International data transfer
1. Any employee who processes personal data shall be required to comply with the requirements set out in Articles 8 and 9 of the Law “On Personal Data Protection”, as amended, and DCM no. 934, dated 2.09.2009 “On the Determination of States With a Sufficient Level for the Protection of Personal Data” and Instruction No. 1, dated 19.02.2010 “On allowing certain categories of international personal data transfers in a country that does not have a sufficient level of personal data protection”.
2. These data and information may be communicated to the partners of other States on the basis of cooperation agreements concluded by the Travel Service, provided that in the requesting State such data and information are handled and stored in accordance with legislation on data protection.
3. The data and information referred to in the preceding paragraph may be handled only by the relevant authorities of the requesting State.
4. During the transfer of data, appropriate measures should be taken to prevent unauthorized persons from appropriating or destroying personal data or gaining unauthorized access to their content.
5. The international transfer of the data from Traveling is done according to the provisions of the law “On the protection of personal data”, as well as the acts of the Commissioner issued for this purpose.
Personal data processing with video surveillance system
Travel collects personal data “images” through CCTV surveillance cameras, based on Article 6, point 1, of the Law No. 9887, dated 10.03.2008 “On Personal Data Protection”, as amended. The video surveillance system was established for the purpose of overseeing the Udhetim.al facilities in order to protect the security of people and property. These are the only environments that are monitored with surveillance-recording cameras.
Data kept by the video surveillance system is stored for a period of up to 2 months; after the expiration of this period, the data is deleted.
THE DATA OF THE SUBJECT OF DATA
Enforcement of the rights of personal data subjects
- The dissemination or communication of personal data shall be in accordance with the purpose for which this data is processed.
- Everyone has the right to be acquainted, through a written request, with the personal data processed.
- The request shall contain sufficient information to prove the identity of the applicant. The controller, within 30 days from the date of receipt of the request, informs the data subject or explains to him the reasons for not providing the information.
Request for information
The request for information can be made by:
- The person himself;
- A legal representative equipped with the appropriate authorization;
- Other persons who, although they have no direct interest, prove to have a legitimate interest in obtaining information about these data, and that it is consistent with the purpose of collecting such data;
- A parent or guardian, when:
  - The child does not have the full capacity to act;
  - The parent is acting in the interest of the child.
The answer in each case is sent to the address requested by the applicant himself.
Responsibility to notify
Notice to the Office of the Commissioner is compulsory and is performed in compliance with Chapter VI of the Law on Personal Data Protection and DCM no. 1232, dated 11.12.2009 “On the determination of cases for exemptions from the obligation to notify the personal data being processed”.
SECURITY OF PERSONAL DATA
Data security measures
- Udhetim.al takes appropriate organizational and technical measures to protect personal data from unauthorized or accidental loss and from access or dissemination by unauthorized persons, especially when data processing is done on a network, as well as from any other illegal form of processing.
Travel also takes these special security measures:
- Determines the functions between organizational units and operators for data usage;
- Use of data is done by order of the organizational units or authorized operators;
- Instructs operators, without exception, for their obligations, in accordance with the law on personal data protection and internal data protection regulations, including data security regulations;
- Prohibits unauthorized persons from entering the premises of the controller or data processor;
- Access to data and programs is permitted only to authorized persons; access to archiving tools and their use by unauthorized persons is prohibited;
- Data processing equipment is put into operation only by an authorized person, and every device is secured with preventive measures against unauthorized operation;
- Records and documents modifications, corrections, deletions, transmissions, updates, etc.;
- Whenever Travel Workers leave their workplace, they must close their computers, lockers, safes and the office where personal data is stored;
- They should not leave the work premises when there are protected data on the desk and persons who are not employed by Travel are present;
- Do not keep personal data displayed on the monitor when an unauthorized person is present and especially in non-public places;
- Do not discard computers, laptops, or other devices containing personal data, and do not leave them in unsafe locations, without being assured of the deletion or destruction of the data;
- Data is protected by verifying user identity and allowing access to authorized individuals only.
- Instructions for using the computer should be kept in such a way that they are not accessible by unauthorized persons;
- Perform the entry and exit procedure using personal passwords at the beginning and end of their access to the protected data stored in the databases of Travel;
- Recognition and registration of terminal operators and users is carried out using the passwords for entry into the data bank. Passwords are classified as secret and are personal;
- For documents that contain protected data, they must ensure the destruction of ancillary materials (e.g. evidence or records, matrices, calculations, diagrams and sketches) used or produced for the creation of the document;
- Documented data is not used for other purposes that are not consistent with the purpose of the collection.
- It is forbidden to become acquainted with or process data recorded in a file for a purpose other than the right to input data. An exception to this rule is made when the data is used for the prevention or prosecution of a criminal offense.
- Maintain the documentation of the data as long as is necessary for the purpose for which it is collected.
- The level of security should be appropriate to the nature of personal data processing.
- Respect other legal and sub-legal acts that determine how personal data should be used.
- Protection of personal data shall be carried out, inter alia, by taking the following security measures:
- a) Installing and automatically updating the antivirus system and the dual firewall system, which is managed through the server system and network devices;
- b) Updating the operating system and updating the software;
- c) Enabling staff access only to the materials they need to perform the task;
- ç) Use of passwords;
- d) Specifying system backup procedures in case of damage.