Data Protection in Kosovo

Collection and processing in Kosovo

LPPD adopts a wide definition of processing. Namely, processing includes any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 3(1)(2)).

For the purposes of LPPD, a data controller is defined as any natural or legal person, public authority or other body which, alone or jointly with others, determines the purpose and means of personal data processing (Article 3(1)(11)), whereas the processor is defined as a natural or legal person, from the public or private sector, which processes personal data for and on behalf of the data controller (Article 3(1)(14)).

When collecting and processing personal data, controllers must abide by the basic principles of data processing set forth in the LPPD. Namely, personal data must be collected and processed based on the following principles (Article 4):

  • Principle of lawfulness, justice and transparency: personal data must be collected and processed in an impartial, lawful and transparent manner, without infringing the dignity of the data subjects.
  • Principle of purpose limitation: personal data must be collected and processed only for the specified, explicit and legitimate purposes and cannot be further processed in a manner which is incompatible with the stated purposes. However, further processing for archival purposes in the public interest, scientific or historical research, as well as statistical purposes, will not be considered to be incompatible with the initial purpose.
  • Principle of data minimisation: the personal data should be adequate, relevant and limited to the purpose for which they are further collected or processed.
  • Principle of accuracy: personal data should be kept accurate at all times, and kept up to date. In this line, every reasonable measure should be taken to ensure that inaccurate personal data are rectified or erased without delay.
  • Principle of storage limitation: personal data may be stored insofar as necessary to achieve the purpose for which they are processed or collected; after which, the personal data should be erased, deleted, destroyed, blocked or anonymised, unless otherwise foreseen by another relevant law.
  • Principle of integrity and confidentiality: personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using appropriate technical and organisational measures.
  • Principle of accountability: the controller is responsible for, and must be able to demonstrate, compliance with all the principles mentioned above.

Legal basis for processing of personal data (Article 5) 

With reference to the list above, processing of personal data shall be considered lawful if one of the following criteria is met:

  • The data subject has given consent for the processing of his/her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is a contracting party or in order to take steps at the request of the data subject, prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child. This provision does not apply in cases where the processing is carried out by public authorities in the performance of their tasks. 

Where the legal basis for processing is not based on the consent of the data subject or on the relevant legislation in force, in order to comply with the LPPD and lawfulness principle when processing personal data for purposes different from the initial purpose of the data collection, the following should be considered (Article 5(2)): 

  • Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
  • The context in which the personal data have been collected, in particular regarding the relationship between the data subjects and the controller;
  • The nature of personal data being processed, especially in cases of processing of sensitive personal data or data related to criminal convictions;
  • Possible consequences for the data subjects of the intended further processing;
  • The existence of appropriate safeguards, which may include encryption or anonymisation. 

Conditions for consent (Article 6) 

Where the collection and processing of personal data is based on the consent of the data subject, the controller must be able to demonstrate that the data subject has consented to the processing of his/her personal data. Accordingly, when consent is given as a written declaration, the latter must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language (Article 6(2)).

Processing of special categories of personal data (Article 8) 

As a principle, LPPD prohibits the processing of special categories of personal data. Special categories of personal data within the meaning of the LPPD are used synonymously with sensitive categories of personal data.

Notwithstanding the above, exemptions to the prohibition of processing of sensitive personal data include the following circumstances (Article 6(3)):

  • The data subject has given his/her explicit consent to the processing of those personal data for one or more specific purposes, except where the relevant legislation in force provides that the general prohibition on processing of sensitive personal data cannot be lifted by the data subject;
  • Processing is necessary for the purpose of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by the relevant legislation in force or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • Processing is necessary to protect the vital interests of the data subjects or other natural persons, where the data subject is physically or legally incapable of giving consent;
  • If the data subject has made the sensitive personal data public, without limiting their use, in an evidenced or clear manner;
  • Processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;
  • Processing is necessary for reasons of substantial public interest, on the basis of the relevant legislation;
  • Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of relevant legislation or pursuant to contracts with a health professional when such data are processed by a professional or under his/her responsibility subject to the obligation of professional secrecy pursuant to respective legislation, established rules by national competent bodies or by another person subjected to professional secrecy;
  • Processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health, or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of the relevant legislation;
  • Processing is necessary for archiving purposes in the public interest, as well as scientific or historical research purposes, or statistical purposes. 

Except in cases where the data subject has made his/her sensitive personal data public, special categories of personal data should be protected in a special manner and be classified for the purpose of preventing unauthorised access or use (Article 8(4)). Classification of sensitive personal data refers to the marking of personal data to indicate their sensitive nature (Article 3(1)(4)).
