Date: 12-Nov-2024

Kosovars Privacy in the Digital World: How Personal Data is Protected during International Transfers

November 12, 2024

At a time when digital technology has revolutionized the way information flows across state borders, the sharing of personal data has become an inevitable and important process. With the data of Kosovo’s citizens traveling through global platforms, the main challenge is to guarantee the security and privacy of this data. But how is it ensured that the data of Kosovo citizens is protected when they cross the borders?

Law No. 06/L-082 on Protection of Personal Data, which purports to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council – known as the General Data Protection Regulation (GDPR) – provides a clear legal framework for protection of personal data in the context of international transfers. GDPR is the legal basis that ensures the protection of personal data and their free circulation within the countries of the European Union. Kosovo’s adaptation to this regulation shows the country’s commitment to reach the highest international standards, with the hope that it will soon be considered as a country that offers adequate protection to facilitate the procedures of transferring the data of EU citizens to Kosovo.

It is a fact that Kosovo faces significant challenges in the field of personal data protection within the country. The implementation of data protection rules and the building of the necessary supervisory capacities remain issues that require continuous improvement. But in this article, the focus will be on the mechanisms and rules governing the international transfer of personal data, a topic that takes on particular importance in a digitally interconnected world.

1. Transfer of Data to Countries and Organizations Providing Adequate Protection

Article 45 of the Law on Protection of Personal Data determines that the transfer of personal data outside Kosovo is allowed if the receiving country or organization offers an appropriate level of protection of this data. The Information and Privacy Agency is responsible for evaluating and approving the list of countries and organizations that meet these protection standards. Countries and international organizations that are included in this list are considered to provide sufficient security and privacy for the personal data of Kosovo’s citizens.

The Agency verifies several key elements before granting approval to a country or international organization, including:

  • Ensuring that personal data will be used only for the purposes for which they were transferred and that the purpose will not be changed without the permission of the data subject.
  • The guarantee that technical and organizational safeguards are sufficient to protect personal data during their processing and transfer.
  • The assurance that the data will not be transferred further without obtaining another approval and that the data subject has the right to decide on the use and transfer of his data.

The list of countries and organizations that provide adequate protection is reviewed at least every four years, as defined by law, to ensure continued compliance with international standards of personal data protection. In April 2024, the Agency approved Decision No. 31/2024, which updated the list of countries with adequate protection of personal data. This decision replaced the previous 2021 decision and, for the first time, included the United States of America as a country providing adequate protection. On the other hand, the Republic of Albania continues to remain outside this list.

The improvement and suspension of this list is done according to strict criteria, guaranteeing that the protection of personal data of Kosovar citizens remains a priority, despite changes in international standards. The upgrades do not have retroactive effect, meaning that transfers made before the changes are not affected by subsequent suspensions.

2. Transfer of Data to Countries Not Providing Adequate Protection

When a country or organization is not included in the list of countries that ensure adequate protection, the transfer of personal data is not automatically prohibited. According to Article 49 of the Law on the Protection of Personal Data, such a transfer may take place in some specific cases, provided that the data controller obtains a special authorization from the Information and Privacy Agency.

These cases include:

  • When the data subject gives his clear and informed consent to the transfer.
  • When the transfer is necessary for the fulfillment of a contract between the data subject and the controller.
  • When the transfer is necessary for legal reasons or to protect the vital interests of the data subject.

To obtain such authorization, the controller must submit sufficient evidence that the data will be protected during and after the transfer. The Agency examines the technical and organizational safeguards, the category of personal data and the purpose of the transfer to ensure that the fundamental rights and freedoms of the data subject are protected.

Data Protection in Compliance with International Standards

The Law on Personal Data Protection in Kosovo is built on international standards, especially on the General Data Protection Regulation (GDPR). While Kosovo has not yet adopted standard contract clauses (SCC) for international data transfers, the current legal framework ensures that citizens’ data is protected during international transfers through strong legal mechanisms and procedures overseen by the Information and Privacy Agency.

Conclusion                     

In today’s digital world, protection of personal data during international transfers should be a priority for the Republic of Kosovo. Through the Law on Protection of Personal Data and ongoing oversight by the Information and Privacy Agency, Kosovo is building a foundation to ensure that the personal data of its citizens is protected, regardless of where it is processed or transferred. However, Kosovo still has a lot of work to do to reach the required level in this very delicate field for the whole world.