DATA BREACHES AND THEIR NOTIFICATION

August 21, 2025
In an era where the processing of personal data is widespread and rapid, data security breaches represent a real and present risk for every data controller and processor. A data breach can severely impact the privacy and rights of individuals, causing serious legal consequences and reputational damage for the entities processing such data. For this reason, the Law on Personal Data Protection in Kosovo mandates clear measures for managing these incidents.
This article aims to explain what constitutes a data breach, how risk should be assessed, the deadlines and procedures for notification, as well as the key role played by the Agency for Information and Privacy (AIP) in this process.
What is considered a data breach?
A data breach is any security incident that results in the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data processed by a data controller or processor. This includes, for example:
- Unauthorized access or attacks on databases;
- Loss or theft of devices containing personal data;
- Sending data to incorrect recipients;
- Any use or sharing of data without the necessary consent or legal basis.
Risk Assessment
Upon identifying a breach, the data controller must immediately carry out a risk assessment to determine whether the breach poses a high risk to the rights and freedoms of individuals. This assessment considers the nature, severity, and potential consequences of the breach.
If the risk is deemed low or insignificant, notifying the data subjects may not be required.
Notification Deadlines
In accordance with the Law on Personal Data Protection in Kosovo, the controller must notify the Agency for Information and Privacy (AIP) of any personal data breach:
- Without undue delay;
- In any case, no later than 72 hours after becoming aware of the breach.
If the notification is delayed, the controller must provide a justification for the delay.
Contents of the Notification to the Agency
The notification must include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected;
- The name and contact details of the Data Protection Officer or another relevant contact person;
- A description of the potential consequences of the breach;
- The measures taken or proposed to address the breach and mitigate its possible adverse effects.
If it is not possible to provide all the information at once, the notification may be made in phases without undue further delay.
Notification to Data Subjects
Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the breach to the affected data subjects without undue delay.
This communication should be in clear and plain language and include:
- A description of the nature of the data breach;
- Contact details of the Data Protection Officer or other responsible person for further information;
- Possible consequences of the breach;
- Measures taken or proposed to mitigate the adverse effects.
However, communication is not required if:
- Appropriate technical and organizational protection measures have been applied that render the data unintelligible to unauthorized persons (e.g., encryption);
- The controller has taken subsequent measures that ensure the high risk to data subjects no longer exists;
- The notification would involve disproportionate effort; in such cases, a public communication or similar measure must effectively inform the data subjects.
If the controller fails to notify the data subjects, the Agency for Information and Privacy (AIP) may require that this be done or assess whether the conditions for exemption are met.
Role of the Agency for Information and Privacy (AIP)
The AIP plays a supervisory and supportive role in cases of data breaches by:
- Receiving and reviewing notifications submitted by controllers;
- Providing recommendations and requiring additional measures, if necessary;
- Cooperating with controllers and data subjects to ensure implementation of appropriate data protection measures;
- Initiating investigations and imposing sanctions in cases of serious or repeated breaches.
Conclusion
Proper management of personal data breaches is essential to protect the privacy and rights of individuals. Adhering to notification deadlines and conducting accurate risk assessments help minimize harm and maintain public trust in data-processing organizations. Close cooperation with the Agency for Information and Privacy (AIP) ensures a swift and effective response to incidents, securing legal compliance and preventing potential legal consequences.
Prompt and responsible action in the event of breaches is a key element in strengthening the culture of data protection and maintaining a high standard of security within every organization.
Author: Valmir Haziraj