Date: 03-Jul-2025

DATA PROTECTION IN KOSOVO

July 03, 2025

This article is the first in a series dedicated to personal protection in Kosovo. In this introductory part, we provide a historical and institutional overview to better understand the foundation upon which this system has been build.

Personal Data Protection in Kosovo Over the Years

Until 2010, Kosovo did not have a specific law regulating the protection of personal data. Therefore, up until that time, no supervisory authority existed to ensure the protection of personal data.

However, during that period, international human rights standards were mainly applied, which, although not detailed in practice regarding data protection, were considered applicable.

The third legislature of the Assembly of the Republic of Kosovo took the first and most important step toward data protection in 2010 by adopting Law No. 03/L-172 on the Protection of Personal Data. This law marked the first dedicated legal act that established rights, responsibilities, principles, and measures related to personal data protection and created the institution responsible for overseeing the legitimacy of data processing (the State Agency for Personal Data Protection).

Meanwhile, in 2016, the European Union adopted the General Data Protection Regulation (GDPR), which entered into force in May 2018. The entry into force of the GDPR introduced numerous innovations in the field of personal data compared to the previous EU legislation (Directive 95/46/EC).

The GDPR significantly strengthened data protection rights and introduced new obligations for organizations that process personal data. Its innovations mainly relate to stricter consent requirements, expanded rights for data subjects (such as the right of access, rectification, erasure, and restriction of processing), the obligation to report data breaches to the competent authority, as well as higher fines for non-compliance.

In response to the need to align its legislation with the European Union, the sixth legislature of the Republic of Kosovo adopted Law No. 06/L-082 on the Protection of Personal Data in 2019. This law is harmonized with the GDPR and, like the GDPR, strengthens data protection rights and introduces increased obligations for data controllers and processors in the Republic of Kosovo.

Did you know that Kosovo has a dedicated Agency that safeguards your data protection rights?

With the entry into force of Law No. 06/L-082 on the Protection of Personal Data, the Information and Privacy Agency was established as an independent authority responsible for monitoring the implementation of the data protection law.

The Information and Privacy Agency is mandated and competent to:

  • Monitor the implementation of the personal data protection law;
  • Provide guidance to public and private bodies on data protection matters;
  • Inform the public about developments in the field of data protection;
  • Promote and support fundamental rights regarding personal data protection;
  • Conduct inspections;
  • Issue opinions on matters affecting personal data protection.

The Agency also performs its key function deciding on complaints submitted by data subjects. So, for any complaint you may have regarding public or private entities, you can contact the Information and Privacy Agency.

The Agency has played, and continues to play, a vital role in personal data protection not only through sanctions and fines but also through ongoing awareness-raising and information efforts aimed at educating citizens about their rights and controllers and processors about their obligations.

The aim of this article was to provide a brief historical overview of personal data protection in the Republic of Kosovo and to inform those who may not have been aware that their data protection rights are overseen by the Information and Privacy Agency.

This article does not address substantive matters related to personal data protection, as we will continue publishing a series of informative articles each dedicated to specific aspects of the Law on the Protection of Personal Data, the GDPR, and the practices developed so far both domestically and within the EU.

Valuable practices from other countries and international organizations around the world will also be covered in future articles.

Author: Valmir Haziraj