Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Kosovo - Data Protection Overview
Back

Kosovo - Data Protection Overview

March 2022

1. Governing Texts

The protection of personal data in Kosovo is guaranteed by the Constitution of the Republic of Kosovo ('the Constitution'). Article 36, paragraph 4 of the Constitution stipulates that the collection, storage, access, correction, and use of personal data is regulated by law. In this regard, the first law regulating personal data protection was approved and entered into force in 2010, Law No.03/L - 172 on the Protection of Personal Data ('the Law'). The Law established the basic principles and measures concerning the protection of personal data and the institution responsible for monitoring the legitimacy of data processing.

Following the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the data protection law in Kosovo has been amended and aligned with the GDPR. Since this law came into force, its provisions remain to be tested in practice.

1.1. Key acts, regulations, directives, bills

Data protection in Kosovo is regulated by Law No. 06/L-082 on Personal Data Protection ('the Data Protection Law'). The Data Protection Law determines the rights, responsibilities, principles, and punitive measures with respect to the protection of personal data and privacy of individuals, as well as the responsibilities of the Information and Privacy Agency ('AIP'), which is responsible for monitoring the legitimacy of data processing and access to public documents.

1.2. Guidelines

The Data Protection Law, which entered into force in March 2019, provides for secondary legislation following the implementation of the Data Protection Law, which has not yet been enacted. However, the Data Protection Law provides that secondary legislation that is currently in force shall continue to be applied until the issuance of new legislation, provided that they are not in contradiction with the Data Protection Law.

In this regard, the Regulation No.05/2015 on the Manner of Registering in the Records of Personal Data Filing Systems and the Pertinent Records Form ('Regulation No. 05/2015') is still in force and provides for the procedures of registering the data processors and controllers.

There are no other guidelines or sub-legal acts with regard to the protection of personal data.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Data Protection Law applies to the processing of personal data by public and private bodies, and to diplomatic and consular offices and other official representative offices of the Republic of Kosovo abroad. 

2.2. Territorial scope

The Data Protection Law does not explicitly determine its jurisdiction, nor does it require that the data subject be a resident or citizen of Kosovo. The Data Protection Law also applies to data controllers who are not established in the Republic of Kosovo, which for the purposes of personal data processing make use of automatic or other equipment in the Republic of Kosovo, unless such equipment is used only for purposes of transit through the territory of Kosovo. In such circumstances, controllers must designate a representative registered in Kosovo.

2.3. Material scope

The Data Protection Law applies to the processing of personal data, see section on personal scope and territorial scope above, but does not apply to personal data processed by political parties, trade unions, associations or religious communities in relation to their members (Article 4(5) of the Personal Data Law). 

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The AIP was established in 2010 by the Government of Republic of Kosovo ('the Government'). The AIP, having an independent status, has legal responsibilities to oversee the implementation of personal data protection regulations, as well as to advise public and private organs, take decisions on submitted claims, and conduct inspections and controls.

The AIP is be led by the Commissioner. The Commissioner represents the AIP and organises and coordinates its work. The AIP also has a Director General who carries out all duties of the Chief Administrative Officer in accordance with the relevant legislation.

3.2. Main powers, duties and responsibilities

The role, mandate, and responsibilities of the AIP is to ensure that data controllers are respecting their obligations regarding the personal data protection and that subjects of personal data are informed about their rights and obligations in accordance with the Data Protection Law. In this regard, the AIP independently assures internal application of legal provisions and maintains a filing system register.

Notwithstanding other duties defined in the Data Protection Law, the AIP performs the following duties:

  • supervises the implementation of the Data Protection Law;
  • provides advice to public and private bodies on issues related to data protection;
  • informs the public on issues and developments in the area of data protection;
  • promotes and supports fundamental rights on personal data protection;
  • decides about complaints submitted by data subjects;
  • provides advice to the Assembly, the Government, other internal institutions, and bodies on legislative and administrative measures in relation to protection of fundamental rights and freedoms of natural persons in terms of data processing;
  • carries out inspections regarding the implementation of the Data Protection Law;
  • as appropriate, carries out periodical review of issued certifications and may withdraw certification in case certification criteria are no longer met; and
  • on its own initiative or upon request it provides opinions for public institutions and other bodies, as well as publishes on any issue related to personal data protection.

The AIP must consult with the Assembly, the Government, local governing community bodies, other state bodies, and holders of public powers in all matters regarding data protection including interpretation and application of relevant laws. The AIP must also consult private institutions on all data protection related matters where requested to do so including the interpretation and application of relevant laws.

Also, within its responsibilities, the AIP initiates legal proceedings with the Constitutional Court of Kosovo for the constitutional review of relevant acts deemed to be incompatible with the right to the protection of personal data. According to the requests and complaints, the AIP also initiates procedures regarding the implementation of the Data Protection Law.

4. Key Definitions

Data controller: Any natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines purposes and means of personal data processing.

Data processor: A natural or legal person, from public or private sector, which processes personal data for and on behalf of data controller.

Personal data: Any information related to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Sensitive data: Personal data revealing ethnic or racial origin, political or philosophical views, religious affiliation, union membership, or any data related to health condition or sexual life, or any involvement in or removal from criminal or offence records retained in accordance with the law. Biometric characteristics are also considered sensitive personal data if the latter enable the identification of a data subject in relation with any of the abovementioned circumstances in this sub-paragraph.

Health data: All health condition-related data is considered sensitive personal data.

Biometric data: All personal data resulting from specific processing related to physical, physiological, or behavioural characteristics of an individual that allows or confirms the unique identification of that natural person, as well as visual images or dactyloscopy, psychological, and behavioural data of all individuals but which are specific and permanent for each individual, if it can be used for identifying an individual, such as: fingerprints, finger papillary lines, iris, retina, facial features, and DNA.

Pseudonymisation: Processing of personal data in such a manner that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Data recipient: A natural or legal person from public of private sector, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry, in compliance with the legislation into force, shall not be regarded as recipients, the processing of those data by those public authorities shall follow the applicable data protection rules according to the purposes of the processing.

Written consent of the data subject: Consent given, with the addition that the data subject must put his or her signature or sign under his or her written consent to process his or her data.

Personal data breach: A breach of security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Data subject: An identified or identifiable natural person.

Filing system: Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis.

5. Legal Bases

According to Article 5 of the Data Protection Law, personal data processing shall be lawful only if one of the following criteria applies:

5.1. Consent

One of the legal grounds for processing of personal data is the data subject consent to the processing of his or her personal data for one or more specific purposes.

5.2. Contract with the data subject

This is applicable if processing is necessary for the performance of a contract to which the data subject is a contracting party or in order to take steps at the request of the data subject prior to entering a contract.

5.3. Legal obligations

This is applicable if processing is necessary for compliance with a legal obligation to which the controller is subjected.

5.4. Interests of the data subject

This is applicable if processing is necessary in order to protect the vital interests of the data subject or of another natural person.

5.5. Public interest

This is applicable if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

5.6. Legitimate interests of the data controller

This is applicable if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to the processing carried out by public authorities in the performance of their tasks.

5.7. Legal bases in other instances

According to Article 73 of the Data Protection Law, data controllers may use personal data they obtained from publicly accessible sources or within the framework of the lawful performance of activities for the purposes of providing goods, services, employment, or temporary performance of work through the use of postal services, telephone calls, emails, or other telecommunications means ('direct marketing'). For direct marketing purposes, data controllers may use the following personal data: personal name(s), permanent or temporary address, telephone number, email address, and fax number. Based on the data subject's prior consent, data controllers may process other personal data, but sensitive personal data may only be processed if they have written consent.

When data controllers conduct direct marketing, they must inform data subjects of their rights under the provisions of the Data Protection Law. If data controllers intend to disclose personal data as personal name(s), permanent or temporary address, telephone number, email address, and fax number to other data recipients for the purposes of direct marketing or to data processors, they shall inform the data subject and get his or her written consent before disclosing such data. The notification of the data subject regarding the intended disclosure must contain all information that is intended to be disclosed as well as to whom and for what purposes. The costs of notification shall be borne by the data controller.

6. Principles

According to the Article 4 of the Data Protection Law, the personal data are processed based on following principles:

Principle of lawfulness, justice, and transparency: Personal data is processed in an impartial, lawful, and transparent manner, without infringing the dignity of data subjects.

Principle of purpose limitation: Data is collected only for specified, explicit, and legitimate purposes and cannot be further processed contrary to these purposes.

Principle of data minimisation: Personal data shall be adequate, relevant, and limited to the purposes for which it is further collected or processed.

Principle of accuracy: Personal data should be accurate and kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

Principle of storage limitation: Personal data may be stored insofar as necessary to achieve the purpose for which it is further collected or processed. After the fulfilment of processing purpose, personal data shall be erased, deleted, destroyed, blocked, or anonymised, unless otherwise foreseen in the Law No. 04/L - 088 on State Archives (only available in Albanian here) or in another relevant law.

Principle of integrity and confidentiality: Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

Principle of accountability: The controller should be responsible for and be able to demonstrate compliance with all principles set forth above.

7. Controller and Processor Obligations

Data processors will have to:

  • hold a record of the data processing performed on behalf of the controller;
  • implement the necessary security procedures and measures;
  • be able to notify the controller in case of security breach;
  • implement the necessary procedures to assist the data controller with any individual's request (subject access request, erasure, portability etc.);
  • be able to challenge the controller's instructions when considered against the Data Protection Law (the extent of this obligation is not clear but we can imagine that in case of massive or obvious breach of the GDPR, the data processor might be implicated and sanctioned by the authorities); and
  • ensure not to subcontract with a sub data processor without the necessary controller's consent or prior information and without entering into a contract with the data processor containing similar provisions as the ones in the contract entered into with the data controller.

A database holder and a database manager may be liable for holding or managing a database prior to its registration with the Registrar. A database holder must either allow a data subject access to any data about him/her kept in a database it holds according to the instructions of the database owner, or refuse to allow such access to the extent permitted by law.

A database manager must inform the Registrar as to the identity of an ISO appointed in the database it manages. Further a database holder and a database manager are required to comply with the security requirements set in the Data Security Regulations.

Privacy by Design

Taking into account the technology, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
  • in assessing the appropriate level of security account must be taken into account, in particular, the risks that are presented by processing, particularly from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Adherence to an approved code of conduct or an approved certification as referred to may be used as an element by which to demonstrate compliance with the requirements.

The controller and processor must take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by any specific law.

The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by any specific law.

7.1. Data processing notification

Registration

Pursuant to Article 20 of the Data Protection Law, the AIP maintains a register of controlling entities which process personal data of employees or clients in the registry. Controlling entities may report to the AIP in one of the following forms: by completing the registration form published on the AIP's website or by completing the physical copy of the registration form at the AIP's offices.

The procedures of registration at the AIP are regulated with Regulation No. 05/2015. Firstly, a data controller must deposit the notification for the registration. The data controller must provide a detailed filing system catalogue which contains the title of the filing system, the identity of the data controller and his or her representative, the legal basis for data processing, category of data subjects, categories of personal data in the filing system, purpose of processing, intended duration of storage of the personal data, information on whether personal data have been or will be transferred to another country, and general description of procedures.

Subject to certain exceptions, a data controller is required to register its database to the extent that one of the following conditions are met:

  • the database contains data in respect of more than 250 data subjects;
  • the database contains sensitive data;
  • the database includes data about persons, and such was not provided by them, on their behalf, or with their consent;
  • the database belongs to a public entity; or
  • the database is used for direct mailing services.

A database must be registered prior to managing or holding the database unless the Registrar permits performing such acts prior to registration. Although the Data Protection Law imposes the obligation to register on the data controller, the Data Protection Law also prohibits managing or holding a database that is required to be registered but has not been registered. Therefore, data controllers and data processors could also face liability in connection with a database that is not registered.

Upon receipt of notification for registration by the data controller, the AIP performs the verification of processing of the data that could lead to the violation of the rights of data subjects.

Filing system

A data controller or data controllers who intend to link two or more filing systems kept for different purposes shall, prior to doing so, notify in writing the AIP (Article 86(2) of the Law).

The linking shall not be permitted without the prior authorisation of the AIP if (Article 86(3) of the Law):

  • at least one of the filing systems to be linked contains sensitive data;
  • the linking would result in the disclosure of sensitive data; and
  • the implementation of the linking requires the use of a connecting code.

The AIP may authorise, with a decision, the linking described in Article 86(3) of the Law if it determines that the data controller ensures an adequate level of data protection (Article 86(4) of the Law).

7.2. Data transfers

The transfer of personal data can be done outside the country in accordance with procedures set by the Data Protection Law. There are two kinds of transfers:

  • data transfer to a country or international organisation that provide an adequate level of data protection; and
  • data transfer to a country or international organisation that does not provide an adequate level of data protection.

The AIP must maintain a list of countries and international organisations, or one or more sectors specified within them, for which it finds that they ensure an adequate level of data protection in the meaning of the Data Protection Law. In its decision-making on the adequate level of protection of personal data of another country or an international organisation, the AIP must determine all circumstances relating to the transfer of personal data (Article 46 of the Data Protection Law).

The data controller may transfer personal data to a country or international organisation that does not provide an adequate level of data protection, only upon receipt of the authorisation. In his or her request for authorisation the data controller must provide the AIP with all information necessary regarding the required transfer of personal data. This includes the categories of data, the purpose of the transfer, and the safeguards in place for the protection of personal data in the other country or international organisation. The AIP must decide on the application without delay and must define in a sub-legal act the details and internal procedures for filing such requests (Article 49 of the Data Protection Law).

7.3. Data processing records

According to Article 29 of the Data Protection Law, the obligation (of controller, processor, and where applicable, their representatives) to keep records of processing exists for enterprises or organisations that employ more than 250 persons, or in cases where processing is likely to result in a risk to the rights and freedoms of data subjects, in cases when processing is not occasional, or the processing includes sensitive personal data or personal data relating to criminal convictions and offences. In these cases, such records shall be made in writing (including in electronic form) and should contain the below-listed information:

  • name and contact information of the controller and, where applicable, of the joint controller, the representative of the controller, and the data protection officer ('DPO');
  • purpose of processing;
  • a description of data subjects' categories and personal data categories;
  • categories of recipients to whom personal data was or shall be disclosed, including recipients in third countries or international organisations;
  • where applicable, transfer of personal data to third countries or to an international organisation, including the identification of that third country or international organisation, the authorisation in cases of the above transfers, and documentation of adequate protective measures;
  • where possible, the envisaged time limits for erasure of the different categories of data; and
  • where possible, a general description of technical and organisational security measures.

The controller or the processor and, where applicable, the controller's or the processor's representative, should make the record available to the Data Protection Impact Assessment ('DPIA') on request.

7.4. Data protection impact assessment

According to Article 35 of the Data Protection Law, if a type of processing, in particular the use of new technology and taking into account the nature, scope, context, and purposes of the processing, may result in a high risk to the rights and freedoms of natural persons, the controller, before processing, shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Article 35 further provides that the AIP should compile and publish a list of the type of processing operations which are subject to the DPIA.

A DPIA shall, in particular, be required in the case of:

  • a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which are based decisions that produce legal effects concerning the natural person or similarly affect the natural person;
  • processing on a large scale of sensitive personal data; or
  • a systematic monitoring of a publicly accessible area on a large scale.

Prior consultation

The controller shall consult the AIP prior to processing if a DPIA under Article 35 of the Law indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk (Article 36(1) of the Data Protection Law). In this regard, the controller shall provide the AIP with (Article 36(3) of the Data Protection Law):

  • where applicable, the respective responsibilities of the controller, joint controllers, and processors involved in the processing, in particular for processing within a group of undertakings;
  • the purposes and means of the intended processing;
  • the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the Data Protection Law;
  • where applicable, the contact details of the DPO;
  • the DPIA provided for in Article 35 of the Data Protection Law; and
  • any other information requested by the AIP.

Where the AIP is of the opinion that the intended processing referred to in Article 36(1) of the Data Protection Law would infringe the Law, particularly if the controller has insufficiently identified or mitigated the risk, the AIP shall, within a period of up to eight weeks of receipt of the consultation request, provide written advice to the controller and, where applicable to the processor, in accordance with its powers in Article 64 of the Data Protection Law.

This period may be extended for six weeks, taking into account the complexity of the intended processing. The AIP shall inform the controller and, where applicable, the processor, of any such extension within one month from receipt of the request for consultation, together with the reasons for the delay. Those periods may be suspended until the AIP has obtained the information it has requested for the purposes of the consultation (Article 36(2) of the Data Protection Law).

Notwithstanding Article 36(1) of the Data Protection Law, the AIP may require controllers to consult with, and obtain prior authorisation, in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health (Article 36(4) of the Data Protection Law).

7.5. Data protection officer appointment

Appointment of a DPO is not always compulsory, pursuant to Data Protection Law, but there are cases described in the Data Protection Law when a compulsory appointment of DPO is needed.

The controller and the processor must designate a DPO in any case where (Article 37(1) of the Data Protection Law):

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; and
  • the core activities of the controller or the processor consist of processing on a large scale of special categories and personal data relating to criminal convictions and offences.

Pursuant Article 39 of the Data Protection Law, the DPO must have at least the following tasks:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the Data Protection Law and to sub-legal acts on data protection;
  • to provide advice, where requested, as regards the DPIA and monitor its performance;
  • to cooperate with the AIP;
  • to act as the contact point for the AIP on issues relating to processing, including the prior consultation, and to consult, where appropriate, regarding any other matter; and
  • the DPO must, in the performance of his or her tasks, have due regard to the risk associated with processing operations, considering the nature, scope, context and purposes of processing.

Controllers and processors may still designate a DPO, if it is not required under Article 37(1) of the Law (Article 37(4) of the Law).

Additionally, a database holder must be required to appoint a DPO in certain circumstances, and adhere to the database owner's directions and requirements.

The DPO must be designated based on professional qualities and expert knowledge of data protection law and practices, as well as the ability to fulfil the tasks referred to in Article 39 of the Data Protection Law. The DPO may be a staff member of the controller or processor or fulfil the tasks based on a service contract. The controller or the processor must publish the contact details of the DPO and communicate them to the AIP (Article 37 of the Data Protection Law).

The DPO must have at least the following duties (Article 39 of the Law):

  • inform and advise the controller or processor and employees who carry out processing on their obligations in accordance with the Law;
  • provide advice on the Data Protection Impact Assessments ('DPIAs');
  • cooperate with the AIP, and act as point of contact for the AIP on processing matters, including the preliminary consultation referred to in Article 35 of the Law; and
  • consider the risks associated with processing, taking into account the nature, scope, context, and purposes of the processing.

The controller or processor must also ensure the following with regard to the role of a DPO:

  • the DPO is properly and timely involved in all matters relating to the protection of personal data and supported in the performance of their tasks by providing for the measures necessary to perform those tasks and to access personal data processing operations (Article 38(2) of the Law);
  • the DPO does not receive instructions regarding the performance of their duties;
  • the DPO is not dismissed or penalised by the controller or processor for the performance of their duties; and
  •  the DPO reports directly to the top management level of the controller or processor (Article 38(3) of the Law).

The DPO may be a staff member of the controller or processor, or perform duties based on a contract (Article 37(6) of the Law). Additionally, in the context of a group of undertakings, a single DPO may be appointed, provided that the DPO is easily accessible from any facility (Article 37(2) of the Law).

7.6. Data breach notification

In the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the AIP, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the AIP is not made within 72 hours, it must be accompanied by reasons for the delay.

The processor must notify the controller without undue delay after becoming aware of a personal data breach. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay. The communication to the data subject must describe in clear and plain language the nature of the personal data breach and contain at least the information and measures.

7.7. Data retention

Personal data may be stored insofar as necessary to achieve the purpose for which it is further collected or processed. After the fulfilment of processing purpose, personal data must be erased, deleted, destroyed, blocked, or anonymised. A data subject may request that data about him/her be erased from a database.

7.8. Children's data

Article 7 of the Data Protection Law provides the requirements for the lawful processing of children's personal data in relation to the provision of information society services directed to the child.

In this regard, processing of personal data of a child shall be lawful if the child has given consent to the processing of his or her personal data for one or more specific purposes (i.e for providing the information society services directly to the child) and if the child is at least 16 years old. When the child is under the age of 16 years, such processing shall be lawful only if and to the extent of which the consent is given or authorised by the holder of parental responsibility over the child.

7.9. Special categories of personal data

Pursuant to Article 8 of the Data Protection Law, the processing of sensitive personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation is not permitted, except in the following cases:

  • the data subject has given explicit consent to the processing of the personal data for one or more specified purposes, except where the relevant legislation in force provide that the prohibition to process data may not be lifted by the data subject;
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, insofar as it is authorised by the relevant legislation in force or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • processing is necessary to protect vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to their members or data subjects who have regular contact with it in connection with its purposes and that the personal data are not disclosed without the consent of the data subjects;
  • if the data subject has made them public without limiting their use in an evidenced or clear manner;
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • processing is necessary for reasons of substantial public interest, on the basis of relevant legislation;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of relevant legislation or pursuant to contracts with a health professional when such data is processed by a professional or under their responsibility subject to the obligation of professional secrecy pursuant to respective legislation, established rules by national competent bodies or by another person subjected to professional secrecy;
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of relevant legislation; and
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

The lawful processing of personal data relating to criminal convictions and offences should be carried out under the control of official authority based on relevant law, and any comprehensive register of criminal convictions should be kept only under the control of such official authority.

7.10. Controller and processor contracts

Personal data processors may be entrusted by a data controller, under a written contract, to conduct such operations pursuant to procedures and security measures. The data processor may act only within the constraints of the authorisations given by the data controller and is not entitled to process personal data for other purposes. Mutual rights and obligations should be specified by a written contract, which should also contain a detailed description of procedures and measures in accordance with the Data Protection Law. Data controllers should oversee the implementation of procedures and measures in accordance with the Data Protection Law. They should also conduct periodical visits to the premises where personal data is processed. In case of a dispute between the data controller and processor, the latter should immediately, upon controller's request, return all the data in possession. The data processor is not allowed to keep copies of the data and further process it. In case of discontinuation of data processor's activity, personal data must immediately be returned to the data controller (Article 32 of the Data Protection Law).

8. Data Subject Rights

The data controller:

  • must either allow a data subject access to any data about him/her kept in the database, or refuse to allow such access to the extent permitted by law;
  • must respond to a data subject's request to rectify or erase any data about him/her kept in the database;
  • must be required to appoint an information inspection officer in certain circumstances;
  • must document any security incident, and in certain circumstances inform the AIP of such incident;
  • must notify the Registrar and data subjects of a transfer of ownership in the database (in a merger or acquisition context or otherwise);
  • may transfer, or permit the transfer of, data outside Kosovo in certain circumstances;
  • must require any of its contractors that have access personal data to adhere to certain requirements and shall monitor their compliance with such requirements;
  • must be required to comply with the security requirements set in the Data Security Regulations (only available to download in Albanian here);
  • may be subject to administrative fines, and to civil and/or criminal liability.

8.1. Right to be informed

Pursuant to Article 14 of the Data Protection Law, the data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him/her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, and recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to submit a complaint with the AIP; and
  • where the personal data are not collected from the data subject, any available information as to their source.

8.2. Right to access

According to Article 17 of the Data Protection Law, the data subject must have the right to obtain from the controller restriction of processing where one of the following criteria applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of personal data;
  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims; and
  • the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

8.3. Right to rectification

The data subject must have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Article 15 of the Data Protection Law).

8.4. Right to erasure

Subject to Article 16 of the Data Protection Law, the data subject must have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller must have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • the personal data has been unlawfully processed;
  • the personal data has to be erased for compliance with a legal obligation to which the controller is subject; and
  • the personal data has been collected in relation to the offer of the services of information society.

8.5. Right to object/opt-out

The data subject must have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling. The controller must no longer process the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which overrides the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.

Withdraw consent

The data subject is entitled to withdraw his or her consent at any time. The withdrawal of consent must not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed thereof. The withdrawal must be done in the same way as the giving of the consent.

8.6. Right to data portability

The data subject must have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where:

  • the processing is based on a consent, or on a contract; and
  • the processing is carried out by automated means.

8.7. Right not to be subject to automated decision-making

According to Article 14(1.8) of the Data Protection Law, in case of processing of his or her personal data, the data subject has the right to receive confirmation from the controller regarding the existence of automated decision making, including profiling, and appropriate information regarding the relevant logic, as well as the significance and expected consequences of such processing for the data subject.

8.8. Other rights

If processing has been restricted under the right of restriction of processing, such personal data must, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest.

9. Penalties

The sanctions for violation of the provisions on supervision from the responsible person for the protection of personal data are:

  • a fine of €8,000 to €40,000 must be imposed for a minor offence on a legal person:
    • if he or she carries out controls in contravention of Article 39 of the Data Protection Law; or
    • if he or she makes an official annotation in contravention of Article 39 of the Data Protection Law
  • if the AIP finds that there is a serious and great violation of personal data, it may impose a fine from €20,000 to €40,000 or in the case of a company or an enterprise it may impose a fine amounting 2% to 4% of the general turnover of the previous fiscal year in compliance with the GDPR.

9.1 Enforcement decisions

There are no such publicly accessible decisions.