Privacy Notice

PRIVACY NOTICE

NOA Control SHPK | www.noacontrol.al

Updated on: 20.05.2026 | Version 1.0
Governing law: Law No. 124/2024 "For the Protection of Personal Data" (Official Gazette No. 6, 17 January 2025)

1. WHO WE ARE AND HOW TO CONTACT US

NOA Control SHPK ("NOA Control", "we", "us") is an accredited conformity assessment, inspection, testing, and certification company (NUIS: L51622005C). Under Article 5(8) of Law No. 124/2024 "For the Protection of Personal Data" ("the Law"), NOA Control SHPK acts as controller of personal data collected through this website and in connection with our services.

Details	Information
Data Controller	NOA Control SHPK
NUIS	L51622005C
Address	Bulevardi Dëshmorët e Kombit, Kullat Binjake, Kati 2, Tiranë, Shqipëri
Email	info@noacontrol.al
Telephone	+355 44500378
Website	www.noacontrol.al

2. WHAT PERSONAL DATA WE COLLECT

Under Article 5(3) of the Law, "personal data" means any information relating to an identified or identifiable natural person (data subject). We collect:

2.1 Data You Provide Directly

Identity data: full name, job title, professional role
Contact data: email address, telephone number, postal address
Professional data: company name, NUIS/VAT, sector of activity
Communication data: content of messages submitted via contact forms or email
Service-related data: technical details, equipment information, project documentation

2.2 Data Collected Automatically

Technical data: IP address, browser type and version, operating system, device type
Usage data: pages visited, time spent, referring URL, links clicked
Cookie and tracker data: as described in our Cookie Policy
Data transmitted to third parties (e.g. Google Fonts, social media buttons) by mere website visit

2.3 Data from Service Request Forms

Where the website is used to request services, we may collect additional professional and technical data needed to deliver those services, also governed by the applicable service agreement.

3. LEGAL BASES AND PURPOSES OF PROCESSING

Under Article 6 of the Law (lawfulness, fairness and transparency) and Article 7(1) (legal criteria for processing), we process personal data only where at least one of the following lawful bases applies. All references below are to Article 7(1) of Law No. 124/2024:

Purpose	Legal Basis — Art. 7(1)	Notes
Responding to enquiries and contact forms	Letter "dh" (legitimate interests) / Letter "b" (pre-contractual)
Providing inspection, certification, testing services	Letter "b" — performance of contract
Accreditation and regulatory compliance	Letter "c" — legal obligation	Mandatory
Service-related communications	Letter "b" / Letter "dh"
Marketing communications and newsletter	Letter "a" — consent	Freely withdrawable
Website analytics and improvement	Letter "dh" — legitimate interests (subject to cookie consent)
Fraud prevention and system security	Letter "dh" — legitimate interests
Recordkeeping for accreditation requirements	Letter "c" — legal obligation	Mandatory

Note on Albanian alphabet: the Law uses the Albanian alphabetical system for sub-articles (a, b, c, ç, d, dh). Letter "dh" corresponds to GDPR Article 6(1)(f) (legitimate interests); letter "a" corresponds to GDPR Article 6(1)(a) (consent).

4. COOKIES AND TRACKING TECHNOLOGIES

Our website uses cookies and similar tracking technologies. Additionally, certain website elements (Google Fonts, social media buttons) automatically transmit your IP address to third parties upon mere page visit. Our Cookie Policy, available on our website, provides full details and preference management options.

5. WHO WE SHARE YOUR DATA WITH

Under Article 13(1)(e) of the Law, we inform you that data may be made available to the following categories of recipients (Article 5(10)):

Group companies: NOA Holding SHPK and other NOA Holding group entities, for administrative and governance purposes — basis: Art. 7(1)/dh (legitimate interests).
Contracted processors: IT infrastructure, hosting, email, analytics providers — all bound by Data Processing Agreements under Article 27 of the Law.
Public authorities: General Directorate of Accreditation, the Commissioner, sector regulators — basis: Art. 7(1)/c (legal obligation).
Professional advisors: lawyers, auditors, accountants as necessary.
International accreditation networks (EA, ILAC): with appropriate safeguards under Chapter IV of the Law.

We do not sell your personal data to any third party.

6. INTERNATIONAL TRANSFERS

Under Chapter IV of the Law, any transfer of personal data outside Albania is carried out only where the receiving country offers adequate protection or appropriate safeguards have been implemented (standard data protection clauses under Article 5(5) or mechanisms approved by the Commissioner). This includes processors such as Google (Google Analytics, Google Fonts) who may transfer data outside Albania.

7. RETENTION PERIODS

Under the storage limitation principle (Article 6(5) of the Law), we retain personal data only for as long as necessary for the purpose for which it was collected:

Category of Data	Retention Period
Contact data (no contract concluded)	2 years from last contact
Client data under service contracts	Duration of contract + 5 years
Accreditation and inspection records	Per accreditation standards (min. 10 years)
Financial and invoicing records	5 years — Albanian accounting law
Marketing consent records	Until withdrawn + 1 year
Website analytics data	13 months
Cookie consent logs	12 months or until preference changed

8. YOUR RIGHTS

Under Articles 13–20 of Law No. 124/2024, you have the following rights. The controller must respond within 30 days (Article 12(4)), extendable by a further 60 days in complex cases:

Right to information (Art. 13) — to receive clear and complete information about how your data is processed.
Right of access (Art. 14) — to receive confirmation of whether we process your data and to obtain a copy.
Right to rectification and erasure (Art. 15) — to correct inaccurate data or request deletion in certain circumstances.
Right to be forgotten (Art. 16) — to request removal of links and copies where your data has been published.
Right to restriction of processing (Art. 17) — to limit how your data is used in certain circumstances.
Right to data portability (Art. 18) — to receive your data in a structured, machine-readable format where processing is based on consent or contract.
Right to object (Art. 19) — to object to processing based on legitimate interests or for direct marketing.
Right to withdraw consent (Art. 8(3)) — to withdraw consent at any time without affecting prior lawful processing.
Right to lodge a complaint (Art. 12(4)) — to lodge a complaint with the Commissioner (KDIM).

KDIM Contact

Details	Information
Full name	Commissioner for the Right to Information and Protection of Personal Data (KDIM)
Address	Rr. “Abdi Toptani”, Nr. 4, Tiranë, Shqipëri
Website	www.idp.al \| info@idp.al

To exercise any of your rights, send a written request to info@noacontrol.al or complete the Data Subject Request Form available on our website.

9. SECURITY MEASURES

Under the integrity and confidentiality principle (Article 6(6) of the Law), NOA Control implements appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, destruction, or any other unlawful processing. Our measures include:

Encryption of data in transit using SSL/TLS protocols (HTTPS) — active across all website pages
Encryption of sensitive data at rest
Access controls and authentication mechanisms to limit access to personal data to authorised personnel on a need-to-know basis
Regular security assessments and vulnerability scanning
Employee training on data protection and information security
Incident response and data breach management procedures — detailed in our internal Response Plan
Data Processing Agreements with all external providers who access personal data (Article 27 of the Law)

While we take all reasonable steps to protect your personal data, no system is completely secure. If you have reason to believe that your interaction with us has been compromised, please contact us immediately at info@noacontrol.al.

10. DATA TRANSFERS IN CORPORATE RESTRUCTURING

In the event of a merger, acquisition, reorganisation, demerger, or other corporate transaction affecting NOA Control SHPK or its group, your personal data may be transferred to the successor entity or acquiring party as part of the company's assets. Any such transfer will be carried out:

Only where the receiving entity agrees to honour data protection obligations equivalent to those set out in this Notice
In compliance with the requirements of Chapter IV of Law No. 124/2024 on data transfers
With prior notice to you where legally required

NOA Holding SHPK, as the parent company of NOA Control, remains bound by the same data protection standards as part of the group structure.

11. AUTOMATED DECISION-MAKING AND PROFILING

Under Article 20 of the Law, we do not make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you.

12. THIRD-PARTY WEBSITE LINKS

Our website may contain links to third-party websites. This Privacy Notice does not apply to those websites. We encourage you to review their own privacy policies.

13. CHANGES TO THIS NOTICE

We may update this Privacy Notice periodically. The updated version is published on our website with a revised date. Where changes are material, we will notify you actively. The current version always supersedes previous versions.