Date: 24-Jul-2025

LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA

Lawfulness is a core principle of personal data protection: for a data controller to process personal data lawfully, the processing must rest on a legal basis.

The Law on Personal Data Protection (LPDP) defines six legal bases for the processing of non-sensitive personal data, while it provides a separate list of ten additional bases for processing sensitive data.

The LPDP outlines the following legal bases for processing personal data:

1 CONSENT – This applies when the data subject (individual) has given clear consent for their personal data to be processed for one or more specific purposes.

    To be valid, consent must be:

    Freely given: In principle, consent is considered freely given when the data subject can refuse or withdraw it without external pressure or negative consequences. Consent may also be withdrawn at any time, and the withdrawal process must be as easy as granting it.

    Specific: For one or more defined purposes.

    Informed: The data subject must be clearly and understandably informed, using plain and accessible language, about the purpose of processing, the identity of the controller, the categories of data, any processors, and the right to withdraw consent.

    Unambiguous: The data subject must take a clear affirmative action to indicate their consent.

2 CONTRACT – This applies when the processing of personal data is necessary for:

    Fulfilling a contract to which the data subject is a party.

    Example: When a customer places an order and the processing of their name, address, phone number, and payment details is required to complete delivery.

    Taking steps at the request of the data subject prior to entering into a contract.

    Example: When a bank processes personal data such as income, employment, and financial status to evaluate a potential credit agreement.

    It is important to note that when processing is based on a contract, the processing must be necessary for the performance of that contract. A controller may not make the performance of the contract (including the provision of a service) conditional on consent to the processing of personal data that is not essential for the contract. Consent obtained under such conditions is not considered freely given, and the processing therefore lacks a valid legal basis.

Besides consent and contract, which are the bases most commonly used in practice, the other legal bases are:

3 LEGAL OBLIGATION – This applies when processing is necessary to comply with a legal obligation to which the controller is subject.

    To rely on this basis:

    – The obligation must be clearly defined in law.

    – The purpose of the processing must be explicitly stated.

    Example: A company processing and reporting employee salaries and personal data (such as name, personal ID number, salary, pension contributions) to the Kosovo Tax Administration.

4 VITAL INTEREST – This applies when processing is necessary to protect the vital interests of the data subject or of another natural person.

    Example: In the event of a workplace injury, an employer may provide a doctor with personal data about the injured employee, even where the employer would not otherwise be authorized to disclose it, in order to protect the worker’s vital interests.

5 PUBLIC TASK OR OFFICIAL AUTHORITY – This applies when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

    This usually applies to public institutions (e.g., state administrations, police, hospitals, municipalities), but also to private entities with delegated public authority.

    Example: The Kosovo Tax Administration processes personal data to calculate tax obligations of individuals.

6 LEGITIMATE INTEREST – This applies when processing is necessary for the legitimate interests pursued by the controller or by a third party. This basis is limited: it cannot be relied upon where those interests are overridden by the fundamental rights and freedoms of the data subject.

    Controllers intending to rely on this basis must carefully balance their interest in processing against the rights and freedoms of the data subject.

    Example: An employer installs security cameras in the workplace to protect property and confidential information while respecting employee rights.

For any data controller, ensuring that personal data is processed on the appropriate legal basis is of critical importance. Processing without a valid legal basis is unlawful, exposes the controller to legal consequences, and may adversely affect the rights of the data subjects. Lawful processing is the foundation of responsible and accountable data management in any organization.

Author: Valmir Haziraj