Data Protection in Kosovo

Transfer in Kosovo

In the context of transfer of personal data, the LPPD addresses two situations: 

  • Transfer of personal data to countries and international organisations which ensure an adequate level of data protection, and
  • Transfer of personal data to countries and international organisations which do not provide adequate level of data protection.

With regards to the transfer of personal data to countries or international organisations that ensure proper and adequate level of data protection, as per a Decision adopted by the IPA, the list of countries and international organisations providing proper data protection, the latest being adopted on 17 April 2024 (“the Decision”) includes the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Lichtenstein, and Norway.

Moreover, the LPPD expressly allows the IPA to rely on the decisions adopted by relevant EU bodies with regards to the transfer of personal data when drafting the list of approved countries providing adequate level of personal data protection (Article 46.2). Accordingly, based on the Decision, IPA considers some countries (including those outside the EU) to ensure proper level of data protection, in accordance with the EU Commission Decisions (Argentine, Andorra, Canada, Guernsey, Isle of Man, Jersey, Faroe Islands, Israel, Switzerland, New Zealand, Uruguay, Japan, United Kingdom, Republic of Korea and the United States of America).

With reference to the countries listed above, when transferring personal data, no special authorisation or permission is required from the IPA, provided the data subject is aware and informed that the personal data are being transferred, as required by the LPPD (Article 12.1.6). 

In case of transfer to third parties located in other countries, such application will depend on whether such countries are included in the list of the IPA Decision  or decisions of the EU Commission. 

With regards to the transfer of personal data to international organisations, the Decision of the IPA does not specifically identify or address international organisations providing adequate level of personal data protection. 

However, as a general principle, when deciding on the adequate level of data protection of another country or international organisation, the IPA shall firstly take account of the following elements (Article 47.1):

  • The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectorial, including public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another country or international organisation which apply within that country or international organisation, case-law, as well as effective and enforceable data subject right and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
  • The existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities;
  • The international commitments the third countries or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data;
  • The type of personal data to be processed;
  • The purpose and duration of the proposed processing;
  • The legal arrangement in the country of origin and the recipient country, including the legal arrangement for protection of personal data of foreign citizens;
  • The measures to secure personal data used in such countries and international organisations. 

In addition, the above, in its decision-making process the IPA will particularly pay attention on (Article 47.2):

  • Whether the personal data to be transferred will be or are used solely for the purpose of which they are being transferred, or whether the purpose may change only on the basis of a permission of the data controller supplying the data or on the basis of personal consent of the data subject;
  • Whether the data subject has the possibility of determining the purpose for which his or her personal data will be used, to whom they are being transferred and the possibility of correcting or erasing inaccurate or out-dated personal data, unless this is prevented due to the secrecy of the procedure by binding international treaties;
  • Whether the foreign data controller or data processor performs adequate organisational and technical procedures and measures to protect personal data;
  • Whether there is an assigned contact person authorised to provide information to the data subject or to the IPA on the processing of personal data transferred;
  • Whether the foreign data recipient may further transfer personal data, which may be done only on the condition that another foreign data recipient to whom personal data will be disclosed ensures adequate protection of personal data also for foreign citizens;
  • Whether effective legal protection is ensured for data subjects whose personal data were or are being transferred. 

In accordance with the above, it is safe to assume that international organisations fulfilling the listed criteria will be considered as providing adequate level of personal data protection. Additionally, international organisations deemed as providing adequate level of personal data protection by the EU Commission, may also be accepted by the IPA (Article 46.2).

Continue reading

  • no results

Previous topic
Back to top