
Kosovo: Using Binding Corporate Rules and Standard Contractual Clauses as Data Transfer Mechanisms

Issue 11.11

The Law for Protection of Personal Data (LPPD) in Kosovo establishes guidelines for protecting personal data and regulates its transfer to other countries.

Companies in Kosovo can transfer personal data to a company outside of Kosovo without seeking prior approval from the Information and Privacy Agency (IPA) only if the receiving company is from a country on the IPA’s list of countries with a satisfactory level of data protection (IPA’s list). If that is not the case, the IPA’s approval must be obtained for the transfer of personal data (IPA’s approval). The IPA will prepare its list or issue its approval, relying on the assessment of the level of protection offered by the legal framework governing personal data in the country to which the data is being transferred. This means that a Kosovar company’s efforts to ensure compliance with the LPPD may be futile if the IPA deems the receiving country’s data protection level insufficient. Fortunately, all EU Member States are on the IPA’s list, and no procedure needs to be followed for the transfer of personal data to a company in the EU.

Even though the LPPD does not foresee safeguarding measures for receiving companies processing personal data outside of Kosovo as the General Data Protection Regulation (GDPR) does, it requires that the processing of personal data is done in accordance with the requirements and principles set out in the LPPD. Therefore, when there’s a breach of personal data processed by a company outside of Kosovo, the company in Kosovo that transferred such data will be held liable for not ensuring proper safety measures for the processing of the personal data.

So, the question here would be whether there are any safeguarding measures for the processing of personal data outside of Kosovo allowed by the LPPD. Can companies adopt GDPR models as practical tools?

To highlight what the GDPR offers, under its rules, EU companies need to be compliant with certain safeguards and conditions when transferring personal data to a jurisdiction outside the EU (third country). Two recognized and often used mechanisms are: the Binding Corporate Rules (BCR) and the Standard Contractual Clauses (SCC), as foreseen under Articles 28(3), 46(2)(b), and 47 of the GDPR. BCRs are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises, while SCCs are standardized and pre-approved model data protection clauses that allow controllers and processors (not necessarily under the umbrella of the same group of undertakings) to comply with their obligations under the GDPR. Both BCRs and SCCs are approved by a supervisory authority before entering into force.

Following GDPR models, companies in Kosovo might be inclined to use BCRs or SCCs to safeguard personal data and also to determine the responsibilities and liability when there is joint control over the data or the processor is from another country. In these cases, the LPPD does not prohibit the use of these two mechanisms, nor does it foresee a requirement for any approval from the IPA. The LPPD mandates that companies implement internal policies for data control and processing and allows these processes to be governed by contractual agreements. Therefore, BCRs and SCCs can be seen as mechanisms implicitly allowed by the LPPD.

In cases of joint control over the data, companies in Kosovo might lean toward BCRs, specifically when they are part of EU corporate groups and they need to comply with the GDPR and the LPPD to also process data coming from EU countries. On the other hand, SCCs might be seen as more practical and easier to implement without seeking any approval from the corporate group.

In conclusion, the LPPD’s neutrality toward safeguarding measures allows companies in Kosovo to adopt GDPR models for protection. By implementing BCRs or SCCs, companies can strengthen data protection, reassure data subjects, and build trust with international partners.

By Art Sylaj, Head of TMT, and Lirika Berisha, Legal Assistant, RPHS Law

This article was originally published in Issue 11.11 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.