Date: 14-Aug-2025

DATA PROTECTION OFFICER (DPO) IN KOSOVO

14 August, 2025

The Data Protection Officer (DPO) is a key figure in the implementation of the Law on Personal Data Protection in Kosovo. The appointment of a DPO does not depend solely on the size of the organization, but on the nature and intensity of the processing of personal data, especially when it involves sensitive or large-scale processing that may have a significant impact on the rights and freedoms of individuals.

When the appointment of a DPO is mandatory, what are their responsibilities and qualifications, as well as the registration procedures with the Information and Privacy Agency (IPA), are the questions we will address in this article.

When is the appointment of a DPO mandatory?

According to the Law on Personal Data Protection (LPDP) in Kosovo, the controller and processor must appoint a DPO in every case if:

  • The processing is carried out by a public authority (courts acting in their judicial capacity are exempt);
  • The core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects;
  • The core activities of the controller or processor consist of large-scale processing of special categories of data and personal data relating to criminal convictions and offenses.

In practice, this means that many large organizations, healthcare, financial, technology sectors, and those performing complex analyses or monitoring, are required to have a DPO.

Independence and responsibilities of the DPO

The Data Protection Officer must operate independently within the organization. Their primary responsibilities include:

  • Informing and advising the controller or processor and their employees involved in data processing about their obligations concerning data protection;
  • Providing advice, as needed, regarding data protection impact assessments and monitoring performance;
  • Direct cooperation with the Information and Privacy Agency (IPA), serving as the main point of contact.

The independence of the DPO is essential to avoid conflicts of interest and to ensure that they can perform their role impartially and effectively.

Qualifications and skills required for the DPO

A DPO must have deep knowledge in the field of data protection, law, and privacy practices, as well as a good technical understanding of how data is processed within the organization. Key qualifications include:

  • Legal expertise in data protection and human rights;
  • Technical knowledge of information security and risk management;
  • Good communication skills and staff training abilities;
  • Practical experience in implementing international privacy standards, e.g., GDPR.

Organizations may choose either an internal employee or an external professional for this role, depending on their size and needs.

Communication of the DPO’s contact information to the Information and Privacy Agency (IPA)

The law requires that the appointment of the DPO be notified to the Information and Privacy Agency in Kosovo. This notification:

  • Ensures transparency regarding the persons responsible for data protection within organizations;
  • Facilitates communication between the IPA and the DPO;
  • Contains contact details and other relevant information for the effective functioning of the DPO.

Conclusion

The appointment of a Data Protection Officer is a crucial step for every controller or processor who wants to ensure compliance with the Law on Personal Data Protection in Kosovo and maintain the trust of clients and partners.

Author: Valmir Haziraj