5 July 2018
The Government submitted, on 11 June 2018, Draft Law no. 06/L-082 on Personal Data Protection (‘the Draft Law’) to the Assembly of the Republic of Kosovo for its consideration. In particular, the Draft Law aims to align Kosovo’s legislation with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and comply with the Charter of Fundamental Rights of the European Union. The Draft Law contains provisions regarding the designation of a data protection officer (‘DPO’), mandatory breach notification, data transfers, data subject rights, Data Protection Impact Assessments and record-keeping requirements in relation to processing activities.
In particular, the Draft Law would apply to data controllers who are not established in the Republic of Kosovo, which for the purposes of personal data processing ‘make use of automatic or other equipment in the Republic of Kosovo, unless such equipment is used only for purposes of transit through the territory of Kosovo.’ In such circumstances, controllers would be required to designate a representative established in Kosovo.
Regarding the designation of a DPO, the Draft Law provides for the circumstances of such designation, as well as the position and tasks of a DPO. Similar to Article 37 of the GDPR, Article 37 of the Draft Law states that a controller and processor must designate a DPO in cases where their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or in cases where their core activities consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
Furthermore, the Draft Law contains a 72-hour mandatory breach notification requirement to the proposed Information and Privacy Agency, except where the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In addition, processors would be required to notify the controller without undue delay after becoming aware of a breach and controllers would be required to document any breaches, comprising the facts relating to it, its effects and the remedial action taken.
The Draft Law is set to progress through the legislative process, which includes several reviews by various committees within the Assembly of the Republic of Kosovo, prior to its adoption.
Alexis Kateifides Privacy Analyst