DATA SUBJECT RIGHTS IN KOSOVO

July 31, 2025

Every individual has the right to know, control, and restrict how their personal data is used. In Kosovo, these rights are guaranteed by the Constitution and the Law on Personal Data Protection (LPDP).

The LPDP grants individuals, known as data subjects, a set of clear and enforceable rights that every public or private entity processing personal data is legally obliged to respect.

Accordingly, the processing of an individual’s personal data must be carried out with due importance, and the following rights are guaranteed:

1. Right to Information

Data subjects must be informed whenever their personal data is being processed. This applies both when data is collected directly from the individual and when it is obtained from other sources.

They must be informed of the identity and contact details of the controller, the data protection officer (if applicable), the purpose and legal basis of the processing, the recipients of the data, and whether the data will be transferred outside the country.

In addition, they must be informed of the data retention period, the right to access, rectify, or delete their data, the right to withdraw consent, the existence of automated decision-making including profiling, and the right to file a complaint with the Information and Privacy Agency.

2. Right of Access

Data subjects have the right to obtain confirmation as to whether or not their personal data is being processed. If it is, they are entitled to information regarding the purpose of processing, categories of data involved, recipients, storage period, the right to rectification or erasure, the existence of automated decision-making including profiling, the right to lodge a complaint, and any potential data transfers outside the country.

3. Right to Rectification and Erasure

Every individual has the right to request the rectification of inaccurate or incomplete personal data, including by providing a supplementary statement. They also have the right to request the deletion of data when it is no longer necessary, when consent is withdrawn, when data has been processed unlawfully, or when the individual objects to the processing.

If the data has been made public, the controller must inform all recipients of the request for erasure, taking into account available technology and the cost of implementation.

4. Right to Restrict Processing

The data subject may request the restriction of processing if they contest the accuracy of the data, when processing is unlawful but deletion is not requested, or when the controller no longer needs the data but the data subject requires it for legal claims.

In all cases of rectification, erasure, or restriction, the controller must notify all recipients of the data unless this is impossible or involves disproportionate effort.

5. Right to Data Portability

Data subjects have the right to receive the personal data they have provided to a controller and to transmit it to another controller without hindrance, where the processing is based on consent or contract and carried out by automated means.

6. Right to Object

Individuals may object at any time to the processing of their personal data, especially when it is based on legitimate interests or conducted for direct marketing purposes. If no compelling legitimate grounds exist that override the interests of the data subject, the controller must cease the processing.

7. Automated Decision-Making and Profiling

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them in a similar way.

Data controllers are required not only to respect these rights but also to facilitate their effective exercise by data subjects.

These rights must be exercised free of charge, except in cases where requests are clearly unfounded, excessive, or repetitive in nature, in which case a reasonable fee may be charged.

However, these rights are not absolute and may be subject to restrictions in specific circumstances, such as to safeguard national security, public safety, criminal investigations, the exercise of official authority, the protection of the data subject or the rights and freedoms of others, or the enforcement of civil claims.

The rights granted to data subjects are a cornerstone of a functional and fair personal data protection system. They should not be regarded as mere administrative formalities but as essential tools that empower individuals with real control over their personal information. Only through the full implementation of these rights can a proper balance be achieved between data processing needs and the protection of privacy in a democratic society.

Author: Valmir Haziraj

You can read the next article here.