Accession to the EU, New Data Privacy Standard in Kosovo
Law No.03/L-172 on the Protection of Personal Data is a data protection law that was passed in Kosovo in 2010. As Kosovo is part of the European Union’s expansion plan that seeks to achieve the accession of various countries within the Western Balkan region, Law No.03/L-172 on the Protection of Personal Data was recently amended to align the law with the provisions of the General Data Protection Regulation or GDPR. To this point, Law No.03/L-172 on the Protection of Personal Data establishes the legal basis under which personal data may be processed within the country of Kosovo, as well as the sanctions that can be imposed against individuals or organizations who fail to comply with the law.
How are data controllers and processors defined under Law No.03/L-172 on the Protection of Personal Data?
Under Kosovo’s Law No.03/L-172 on the Protection of Personal Data, a data controller is defined as “any natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines purposes and means of personal data processing”. Conversely, the law defines a data processor as “any natural or legal person, from the public or private sector, which processes personal data for and on behalf of the data controller”. What’s more, personal data is defined as “any information related to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person”.
What are the responsibilities of data controllers and processors under Law No.03/L-172 on the Protection of Personal Data?
In keeping with the harmonization between Kosovo’s data protection law and the EU’s GDPR law, Law No.03/L-172 on the Protection of Personal Data was amended to include various principles that data controllers and processors are charged with adhering to when engaging in data processing activities. These principles include:
- The Principle of lawfulness, justice, and transparency- Personal data must be processed in a manner that is lawful, impartial, and transparent, without infringing on the rights of data subjects.
- The Principle of purpose limitation- Personal data may only be processed for specific, explicit, and legitimate purposes, and personal data cannot be further processed for any reason that is not in accordance with these purposes.
- The Principle of data minimization- All personal data that is processed must be relevant, adequate, and limited to the purposes for which it was processed.
- The Principle of accuracy- All personal data that is processed must be accurate and kept up to date when necessary. Additionally, data controllers and processors must ensure that any personal data that has been found to be inaccurate is rectified or erased, without delay.
- The Principle of storage limitation- “Personal data may be stored insofar as necessary to achieve the purpose for which it is further collected or processed. After the fulfillment of processing purpose, personal data shall be erased, deleted, destroyed, blocked, or anonymized, unless otherwise foreseen in the Law No. 04/L-088 on State Archives, or in another relevant law”.
- The Principle of integrity and confidentiality- All personal data must be processed in a manner that “ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures”.
- The Principle of accountability- Data controllers and processors who operate within Kosovo are responsible for complying with the principles stated above at all times.
What are the rights of data subjects under Law No.03/L-172 on the Protection of Personal Data?
Under Law No.03/L-172 on the Protection of Personal Data, data subjects within Kosovo are entitled to the following data protection rights:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to object or opt-out.
- The right to withdraw consent.
- The right to data portability.
- The right not to be subject to automated decision-making.
- The right to restrict data processing.
In terms of penalties that can be imposed as a result of non-compliance with Law No.03/L-172 on the Protection of Personal Data, data controllers and processors who fail to comply with the law are subject to the following penalties:
- A monetary penalty ranging from €8,000 ($9,029) to €40,000 ($45,152).
- If the AIP finds that there is a serious and great violation of personal data, it may impose a fine from €20,000 to €40,000 or, in the case of a company or an enterprise, it may impose a fine amounting to 2% to 4% of the general turnover of the previous fiscal year in compliance with the GDPR.
- Civil and criminal liabilities.
As Kosovo has begun taking steps to join the European Union, the country has also taken steps to align its legislation with that of the other nations that make up the EU. To this end, Law No.03/L-172 on the Protection of Personal Data achieves this goal in relation to data protection and personal privacy, as the amendments that have been made to the law provide data subjects within Kosovo with a similar level of protection as is offered to citizens of EU member states under the General Data Protection Regulation. In this way, citizens of Kosovo can rest assured that their personal data is being protected at all times, whether or not their country has formally joined the European Union.