Senior management and organisation
Please identify the authority’s senior management.
According to our current national law on personal data protection, the National Agency for Personal Data Protection of the Republic of Kosovo (the Agency) is managed by a council of five members (who are politically appointed) mandated for a period of five years. Currently, the Agency has not filled these five positions, due to the expiration of their initial terms. The new draft law on personal data protection (expected to be adopted very soon) foresees substituting the managing council with a commissioner. The Agency’s director general acts as the authority’s highest official, in the capacity of a civil servant.
When was the head of the authority appointed?
The council of the Agency was appointed on 30 June 2011.
How long is their term of office?
The first term lasted five years with the possibility of renewal; however, renewal did not take place due to legislative amendments to the current law on personal data protection.
What is the process for nominating the head of the authority?
The first council of five national supervisors was selected and proposed by the government and then elected by the National Assembly. According to the new draft law on personal data protection, the commissioner shall be elected by the Assembly of the Republic of Kosovo with the majority of votes from the total number of parliament members, for a five-year mandate with the right to be re-elected for another.
What was the authority’s budget for the most recently-available financial year?
The Agency’s budget for 2017 was over €353,000.
How many data protection/privacy-focused staff does the authority employ?
Of 18 civil servants, only six are directly focused on data protection/privacy issues. The rest deal with administrative, financial, public and international matters.
Contacting the authority
How and where should companies or their advisers contact the authority to notify a data breach? Please specify individuals, email addresses, URLs for online forms, etc.
The public in general (including data controllers and processors) can address the authority via:
- email: [email protected];
- the reception desk officer, Jehona Fetaj: +383 38 200 62 959; or
- the special complaint form at http://amdp-rks.org/?page=2,95.
Legal and enforcement framework
What are your investigative powers?
The Agency, among other things, carries out inspections and audits on its own initiative to monitor:
- compliance with data protection rules;
- the legitimacy of data processing;
- the suitability of procedures and measures taken for the protection of personal data pursuant to the personal data protection law;
- the implementation of the provisions of the personal data protection law regulating the filing system catalogue, the register of filing systems and the records of disclosures of personal data to recipients; and
- the implementation of provisions regarding the transfer of personal data to other countries and international organisations.
Can you search premises or force the disclosure of information without having to approach the courts?
Yes. The authority may, among other things, examine premises in which personal data is supposed to be processed. It may also examine and confiscate computers, any other equipment and technical documentation.
What fines can you impose on companies that breach data protection rules?
Provisions of our current data protection law stipulate that fines (from a minimum of €200 to a maximum of €10,000) may be imposed by the court upon initiation of a court procedure by the authority.
However, the new draft law shall enable the Agency to directly impose fines on data controllers violating the respective law, considering the basic principles established in the Law on Minor Offences, and the maximum amount will increase to €40,000.
What other measures can you take against companies that breach data protection rules?
Upon noticing a violation of the law, the Agency shall have the right to immediately:
- order the elimination of irregularities or deficiencies – this may include the erasure, blocking, destruction, deletion or anonymisation of data in compliance with the law;
- impose a temporary or definite ban on the processing of personal data by controllers and processors in the public or private sectors who have failed to implement the necessary measures and procedures to secure personal data;
- impose a temporary or definite ban on the processing of personal data, as well as its anonymisation, classification and blocking, whenever it concludes that the personal data is being processed in contravention of legal provisions; and
- impose a temporary or definite ban on the transfer of personal data to other countries or international organisations, or their disclosure to foreign recipients if they are transferred or disclosed in contravention of legal provisions or international agreements.
What measures other than fines can you impose on a company that is breaching data protection rules?
In some cases of violations, the Agency can warn or admonish the data controller or data processor in writing.
What emergency or interim measures can you take pending the full conclusion of your investigations?
The Agency may also:
- examine and confiscate any documentation relating to the processing of personal data, irrespective of their confidentiality or secrecy, and the transfer of personal data to other countries and international organisations as well as the disclosure to foreign recipients;
- examine the contents of filing systems, irrespective of their confidentiality or secrecy, and the filing system catalogues;
- examine and confiscate any documentation and instructions regulating the security of personal data;
- examine premises in which personal data is supposed to be processed, and examine and confiscate computers and any other equipment and technical documentation; and
- verify measures and procedures intended to secure personal data, and the implementation thereof.
Priorities and the future
What are your enforcement priorities over the next year? For example, are you targeting any particular topics, or industry sectors?
Practical enforcement by the Agency has been suspended during the past two years because the national supervisors authorised to conduct inspections and audits are no longer part of the Agency. Under the legislative changes currently being made, civil servants in the capacity of inspection officers shall soon take over enforcement.
What data protection/privacy-related guidelines have you issued to date?
The Agency has so far produced the following data protection/privacy guidelines and sub-legal acts:
- Administrative Instruction No. 01/2011 on the Appointment of Personal Data Protection Official;
- Administrative Instruction No. 03/2012 for Official ID Cards of National Supervisors (approved by the Government on the proposal of the Agency by virtue of Article 47 of Law No. 03/L-172);
- Regulation No. 02/2012 on the Manner of Keeping the Registry of Filing Systems of Personal Data and its Respective Form;
- Regulation No. 03/2012 on Internal Procedures of Considering Requests for Personal Data International Transfer;
- Administrative Instruction No 03/2014 on Internal Procedures of Considering Incoming Questions to the Agency;
- Guidelines for Personal Data Protection in Health Insurance Companies;
- Guidelines for Personal Data Protection in Health Sector;
- Guidelines with Practical Recommendations for Data Protection Officer in the Police Sector;
- Guidelines with Practical Recommendations for Data Protection Officer in the Financial Sector;
- Guidelines for DPOs in Education Sector;
- Guidelines for DPOs in Microfinance Sector;
- Inspection Methodology Guidebook;
- Civil Status Registry Inspection Methodology Guidebook;
- Inspection Methodology Guidebook in the Sector of Criminal Record Registry;
- Data Inspection Methodology Guidebook for the Land Registry;
- Manual on IT Training Curriculum for IT Teachers on Data Protection Issues for Teenagers; and
- Manual on the Criteria for Video Surveillance in Education Sector.
Are you working on any further data protection/privacy guidelines or guidance, or on amending any of your current guidance? If so, what?
The Agency shall amend all its internal sub-legal acts in order to harmonise them with the new, soon-to-be-adopted Law on Personal Data Protection fully in line with the GDPR. We are also working on drafting a special manual on data protection dedicated to the media community.