How the flow of private citizens' data happened in Kosovo

Private data of over 30,000 Kosovo citizens has been found to have been collected and processed against law by Kosovo businesses and institutions over the past few years.

The Information and Private Agency has found that during 2022 in 172 cases, data collection, ID photocopying, bank data receiving, phone numbers, and also publication of private data has been carried out in some cases.

The most recent case encountered during 2022 was the Regional Development Agency website, which on published lists of subsidies beneficiaries has published private data of over 20 thousand citizens.

This institution, according to the Information and Private Agency's decision, has been fined 30 thousand euros for violations in question, while materials have been ordered to remove them from the official page.

According to Information and Private Agency Commissioner Crenare Sogojeva Drmaku during 2022 The agency has ruled 172 decisions in which controllers have worked out personal data contrary to Law provisions No. 06/L-082 for personal data protection.

Among those decisions are other institutions in the country, including the Kosovo Tax Administration. The latter was fined because during the construction of a platform for controlling workers' data, no measures had been taken to ensure filters and password for publishing this data.

All privacy violations are listed on the Private Agency website.

There are also violations by institutions such as the Ministry of Health, which has been found to have banned cameras, while health data without criteria has also processed the Kosovo Philharmonic. The latter, according to a published decision, has worked out overindulgence during the concert ticket booking.

Under the decision, the Philharmonic had demanded that the public e-mail certificates of COVIDD-19 in order to book tickets.

That, according to the Agency's decision, was violation of the law and banned processing of data.

Another violation, according to Commissioner Crenare Sogojeva Dramaku, has been identified in employment data, when private data of citizens has been requested or published on official pages.

Monitoring the violation of the privacy Law has also ascertained defects in other public institutions.

Mejidie Demolli Nimani from organisation “FOL” indicates that during the monitoring of court's judgments, they encountered personal data that should not be public.

“We have found that out of the 35 thousand acts of prejudice in 1,200 of them are not covered with personal data, whether in whole or in part” says Demolli Nimani.

Apart from institutions in the country, there have been cases in which businesses have violated the Law for privacy.

The largest number of violations that have occurred by private controllers (businesss) concerns direct marketing application and camera surveillance system. In a smaller number of violations by private controllers are linked to the processing of personal data without legal grounds, such as copying identification document, publishing personal data on web pages” ♫ says Commissioner Sogojeva Drmaku.

Several businesses have been listed on the Agency's list of decisions that have been encountered in these violations.

Example: an airline has been found to have violated personal data when sending bids to the parties.

Similar actions have been recorded at a dental clinic, a derivative company, and a retail store.

Under the Law, message marketing should be carried out in agreement with the parties. According to this rule, if citizens have not given written consent to agree to accept these messages, it is a violation of the Law.

Private Agency inspector Arbian Arifi warns of the danger that digital marketing forms will be tough in the future. According to him, decisions to stop SMS will pave the way for e-mail marketing or access to Wireless.

According to him, citizens should take good care when giving signatures and preferences so that they can accept marketing messages in the future.

The Balkan region was shocked by the recent theft of personal data of Albania's citizens.

The lack of cyber security made the Albanian state systems fragile against Iranian hackers, who managed to extract millions of private data.

The security agencies' records in Kosovo have shown that during the year there have been several attempts at breaking government platforms, but the same have resulted in safety, with certain exceptions.

Despite this, it has been estimated that lack of publishing standards and data processing could put the country at constant risk.

Other investigations have found that the country has also faced problems of efficient cyberattack investigations.

Data from the Progress Report indicates that 37 reported cases during 2021 as cyberattacks have not been detected by police and prosecutors.

What's personal data?

Personal information is any information that identifies a person as it is: name and last name, citizen's personal number, physical address, e-mail address, health data, school record, behavior, bank accounts, tax statements, network identification (address IP), database location, biometric data (e.g. Fingerprints, passport number, ID number, etc.

What personal information is considered sensitive?

Sensitive data is considered all data that reveal racial or ethnic origin, political thought, religious or philosophical beliefs, or union membership, as well as the processing of genetic data, biometric data with the aim of unique identification of persons, health data, or data on sexual life or the sexual orientation of a physical or personal person in connection with penal penalties and criminal acts, and backlog.

Where do we complain about offenses?

Citizens who have arguments that their data has been misused may be directed to the Agency, but also by visiting the Agency website, and through this website they are able to file complaints.

The Information and Private Agency, which is also responsible for overseeing the implementation of the Law for access to public documents, which so far has accepted 26 complaints, has approved 12, meanwhile, there are 14 others in the review.

(This research article has been prepared as part of the “Turnout of Citizens in the Digital Aegean I CEDA” with the financial support of the European Union. The contents of this research article are the sole responsibility of the author and in no way reflect the European Union's attitudes. )