The right to privacy that is guaranteed by the Constitution of the Republic of Kosovo is embodied in the new Law on Protection of Personal Data, which was approved in January 2019 as an amendment and supplement to the old law, which had been in force since 2010. With the introduction of the new LPPD, Kosovo has implemented an advanced and comprehensive regulatory and institutional framework for data protection, incorporating the main principles and provisions of the EU General Data Protection Regulation.
The Information and Privacy Agency in Kosovo is the main authority responsible for policymaking and regulating personal data protection in Kosovo. The AIP is an institution independent of the public administration, with a Commissioner elected by Kosovo’s Assembly, and its mandate includes supervising the implementation of the LPPD, receiving individual complaints regarding suspected violations of personal data protection rights, and imposing fines for non-compliance with LPPD provisions.
As the pandemic has forced companies to conduct their operations online and provide their services remotely, data privacy requirements have taken on critical importance all over the world. This situation has prompted stakeholders to embed data protection features in each service and product. In Kosovo, one of the main controversies related to this issue is companies seated outside Kosovo using the data of the country’s citizens.
The issue is, unsurprisingly, covered by Kosovar law. With a few exceptions, where the processing of data is ordered by data controllers seated outside of Kosovo, the controller or processor is required to designate a representative in Kosovo to carry out activities in cooperation with the AIP and relevant data subjects on all issues pertaining to the processing of personal data.
The provisions of the LPPD also apply to controllers or processors that are not established in Kosovo but make use of automatic tools or other equipment to process data in Kosovo. In cases like these, the controllers or processors shall designate a representative in accordance with Article 26 of the LPPD, which is almost identical to Article 27 of the GDPR. Article 26 of the LPPD provides that the representative shall be the contact point for the Information and Privacy Agency, which acts as a data protection authority, and for data subjects, on all issues related to the processing of personal data. Controllers or processors shall inform the data subjects about the identity of that representative whenever they are required to notify data subjects about the processing of personal data. Controllers or processors employing more than 250 people, or their representatives, are required to retain records of all data processing activities, and, when requested, must submit them to the IPA for review of compliance with the LPPD.
Based on the LPPD, controllers or processors must also designate a data protection officer, who can be either an employee or service provider and who should be responsible for informing and advising the controller or processor of all obligations arising out of the LPPD concerning the processing of personal data. The data protection officer serves as a contact point with the IPA and may consult with the IPA on any matter.
Additionally, two by-laws concerning data security are expected to be voted on by the Kosovo Assembly during the ongoing legislative session. These laws will help ensure that personal data is protected to the highest standard.
In light of the current trends, the regulatory authorities in Kosovo are embracing an expanded notion of data privacy and data protection, including imposing increased obligations on data controllers and processors not seated in Kosovo. Therefore, companies that process personal data, especially those seated outside of Kosovo, are encouraged to strictly follow the guidelines imposed by the law, and make sure they designate a representative and appoint a data protection officer in Kosovo.
By Kushtrim Palushi, Partner, and Festa Stavileci, Associate, RPHS Law