Considered as two vital components for a sustainable democracy, Privacy and Data Protection, though interconnected, are commonly recognised as two separate rights. In this article, we will make a general overview on how these two terms are defined in Kosovo, as well as an outline on data protection legislation throughout the years, key legal points, and the supervistory authority along its court cases.

In countries such as Kosovo, human dignity is recognised as an absolute fundamental individual right, where in the same context, the right to a private life and to be in control of your own information plays a crucial role. Privacy in itself has a lot of definitions, but in its core is considered as a person’s right to control access to his or her personal information. However, as a simple of a premise as it might look, privacy has a wide surface that is so important yet so complicated to systematize worldwide. The major thrust of any privacy discussion is on how to manage the tension between privacy, disclosure, and surveillance in a way that preserves civility and democracy, and takes into consideration changing technologies, economic conditions, social values, and political climates. On the other hand, data protection aims to ensure fair processing of personal data which includes, but not limited to: names, email addresses, dates of birth, numbers, IP addresses – to name a few.


Protection of personal data in Kosovo is a fundamental right which is guaranteed by the Constitution of the Republic of Kosovo. Article 36 of the Constitution stipulates that privacy and family life, inviolability of domicile, secrecy of correspondence, communication by phone and other means, and protection of personal data are guaranteed for each individual. Thus, the Constitution and the law guarantee implementation of some of the main International and European Conventions for the protection of human rights, fundamental freedoms and protocols. 

Legal History

Over the past two decades, there have been a couple of modifications in the legislation in this matter. Initially, processing of personal data and protection of privacy was part seven of the Law on the Information Society Services (Law No. 02/L-23) which was initially published on the 15 of December 2006. Gradually, considering the importance of personal data, Law on the Protection of Personal Data (Law No. 03/L-172) was introduced, approved, and then enforced on 15 June 2010, which repeals and substitutes the above mentioned segment seven.

This law remained for quite some years, until the European Union (EU) enforced the General Data Protection Regulation (GDPR) on 25 May, 2018 – which is the most important change in data privacy regulation in the last 20 years. Although Kosovo is not part of the EU yet, the rule of law has a crucial importance on the progress of pre‑accession process, wherefore it is necessary the commitment in direct law enforcement as well as in full harmonization with the EU legislation (GDPR in particular). Knowing the importance of this regulation all over the EU, Government of the Republic of Kosovo submits a draft of Data Protection Law – known as “the Draft Law” – to the Kosovo Assembly for its consideration on 11 June 2018. In particular, the Draft Law would apply to data controllers who were not established in the Republic of Kosovo. 

The Draft Law was set to progress through the legislative process, which includes several reviews by various committees within the Assembly of the Republic of Kosovo, prior to its adoption. The Law on Protecting Personal Data (Law No. 06/L-082) was eventually approved by the Assembly of the Republic of Kosovo on 27 November 2018, published on 25 February 2019, and enforced after 15 days on 11 March 2019. From the total of 120 Kosovo assembly members, 61 deputies were present, from which 60 deputies voted pro (98.36%), 0 against (0%), and 1 abstained (1.64%). The full list of present deputies who voted as well as the ones missing, can be found in the Vota Ime platform.

Source: Vota Ime
  • 15 December, 2006: Law No. 02/L-23 Published

    Law on the Information Society Services

  • 31 May, 2010: Law No. 03/L-172 Published

    Law on the Protection of Personal Data

  • 15 June, 2010: Law No. 03/L-172 Enforced

    Law on the Protection of Personal Data

  • 11 April, 2012: Law No. 04/L-094 Published

    Law on the Information Society Services

  • 14 April, 2016: GDPR (2016/679) Adopted

    General Data Protection Regulation

  • 25 May, 2018: GDPR (2016/679) Enforced

    General Data Protection Regulation

  • 25 February, 2019: Law No. 06/L-082 Published

    Law on the Protection of Personal Data

  • 11 March, 2019: Law No. 06/L-08 Enforced

    Law on the Protection of Personal Data

Draft Law Key Points

Foremost, it is worth noting that there are other general legislation which impact data protection in Kosovo as well: Law on General Administrative Procedure, Protection of Whistle-blowers, Police, Civil Status, and Access to Public Documents. When it comes to the Draft Law and its connections to other rules, there is a terminology or a set of key terms which are relevant. We will outline the most important ones, since this article is aimed towards the general audience:

  • Personal Data: Information which identifies directly or indirectly a natural person
  • Processing: Operations performed on personal data
  • Controller: An entity which defines data processing purposes
  • Data Subject: An entity who possesses personal data
  • Third Parties: Physical or legal persons which are authorized to process personal data by controllers

One of the most important sections in the law is related to data subject rights with reference to the processing of their own personal data. Realistically, few people actually are aware of entitlements they are eligible to, such as:

  • Right to access existing data: Means that the individual can obtain information on what personal data is being stored by entities, the purpose of processing such data, and the period in which personal information will be stored.
  • Right to be forgotten: Individuals can request data removal by the data controller, where the least is obliged to erase personal data immediately, however, in specific conditions such as when personal data is no longer necessary for the purposes which they were processed or in case they have been unlawfully collected.
  • Right to restrict processing: Data subjects can question the accuracy of personal data collected, and the controller must allocate a time period to verify information.
  • Right to withdraw consent: Individuals are entitled to withdraw their consent on processing data by third parties. Consequently, data controllers are eligible for financial penalties if they do not respect this decision.
  • Right to object to marketing: This is typically common in marketing campaigns through emails, in which the individual receiving such messages should be able to opt-out in case they subscribed to such third parties.

On the other hand, the law does require companies or organizations to register with the agency or notify the latter regarding their processing activities. Nevertheless, these entities should be careful with other implementations, for instance, with CCTV cameras. Both public or private sector entities must set up a notice for video surveillance systems, which must be plainly visible and made public. Installing cameras within a workplace is considered legal only when property security and people’s safety is in question; employees have to be notified beforehand.

When it comes to the data breach topic, both the controller and the processor shall implement proper Cyber Security measures to ensure the security (authorization, data loss or damage) of data using appropriate technical or organisational measures. In case of a data leak, the controller must feasibly notify affected customers within 72 hours after finding out about the breach (not to be confused with the time of the breach itself). Failure to comply is considered a misdemeanor in Kosovo and may impose companies to pay a fine of maximum €40,000. The latter statement also serves as an exception to international regulations, such as GDPR or CCPA, which means that businesses in Kosovo will not have to pay 4% of annual turnover or €20,000,000 (whichever is greater, according to GDPR), but instead the previously mentioned financial penalty of up to €40,000.

Data Protection Authority

The National Agency for the Protection of Personal Data (AMDP) is an independent agency in charge of supervising the implementation of data protection rules in Kosovo in accordance with the Law on Personal Data Protection, and which reports to the Kosovo Assembly. Furthermore, it has the responsibility to advise both public and private sector, conduct routine inspections and controls, and promote the fundamental rights on personal data as a part of awareness campaigns. International cooperation is also an important fragment of the main scope within the agency’s mission, mostly due to government’s priority for European integrations. The agency also offers an online complaint form to interact with Kosovo citizens in case you notice any misuse of personal data from local organizations or institutions.

The current sitting General Director of this agency is Bujar Sadiku, while the governing body is presided by a council consisting of the Chief National Supervisor and 4 other National Supervisors, elected by the Kosovo Assembly. After commencing procedures to update the law in 2018 due to the GDPR enforcement, the agency faces yet another challenge in 2019 – which is lack of competent personnel for this matter according to their last annual report.

Bujar Sadiku - General Director

Court Cases

While the concept of data protection has been mentioned for a long period of time, the events of the last five years, such as enormous data breaches globally, have shifted the attention over privacy and security to a great extent. AMDP has amplified the number of job offers, however, lack of data privacy experts remains a challenge in the country. Thus, there are not that many cases which fall under the Draft Law, yet.

In May 2016, the agency performed an inspection at ‘Mehmet Akif’ College, where it was found that the college had installed cameras in the workspace, such as offices, classrooms and sanitary spaces (college toilets). This way of processing personal data through camera surveillance contradicts provisions 62 and 64 of the Law on Personal Data Protection and as such constitutes an infringement of the privacy of the individual. At the request of the AMDP, a legal proceeding was initiated against the college on 5 May 2016, and later on 9 February 2018, the Basic Court in Pristina imposed a fine of €12,000 for unlawful processing of personal data through a camera surveillance system in spaces where the installation of cameras is not permitted. It is worth noting that camera surveillance is only permitted if it is considered necessary for the safety of people and security of property, and only at the entrances of buildings, but not in the interior of workplaces, much less in the sanitary areas, respectively toilets.

On 22 June 2016, one other interesting case commenced in the Basic Court in Prishtina upon the initiation request by AMDP for minor offence proceeding against the Kosovo Electricity Distribution and Supply Company (KES/CO). According to the findings of the inspection conducted by the agency, the company failed to properly enclose electricity bills during the distribution process, therefore failing to prevent unauthorized access to personal data of its customers. After almost two years of litigation, the Minor Offense Division of the Basic Court in Prishtina imposed a fine of €9,000 to KES/CO on 9 March 2018, due to violations to the provisions of Article 14 of the Law on Personal Data Protection.

KES/CO distributed electricity bills without properly enclosing personal data so they cannot be seen from someone passing by. A simple solution would be to enclose bills in a envelope, thus, if a subject whose bill is not intented for, would get fined instead of the company in this case. Image courtesy of Insajderi

Another case is the ‘Marketing Online – KS’, which was fined €5,000 through a misdemeanor procedure in the Basic Court in Pristina in 2015. The marketing company exploited an agreement signed with VALA and IPKO operators by sending SMS messages to citizens (without their prior consent) calling to vote for particular candidates during the May – June 2014 election campaign. As a result, it committed violations under Article 59, paragraphs 1 and 2, and was penalized under Article 82, paragraph 1 of the Law on the Protection of Personal Data (Law No. 03/L-172) – which is now already repealed.

On the other hand, AMDP has also made numerous appeals to various entities during the recent years (mostly private companies) that served as warnings as well. In case organizations did not abide by the decision, AMDP took immediate legal action against them.

Arti Karahoda
Author | Cyber Security Analyst
Renata Bajrami
Co-Author | Cyber Law Analyst