Kosovo citizens personal data leaks

Author: Kreshnik Gashi (kallxo.com)

Open Data Kosovo
Jan 31, 2023

Personal data of over 30,000 citizens of Kosovo has been found to have been collected and processed illegally by businesses and institutions in Kosovo over the past years.

During 2022, the Information and Privacy Agency found 172 cases in which the collection of data, photocopying of identity cards, obtaining of bank data and telephone numbers, and publication of personal data were carried out without respecting the requirements set by the Law on Data Protection Privacy.

The most egregious case encountered during 2022 was the website of the Regional Development Agency, which published personal data of over 20,000 citizens in the published lists of subsidy beneficiaries.

This institution, according to the decision of the Information and Privacy Agency, was fined EUR 30,000 for the violations in question, and was ordered to remove the data from its official website.

According to the commissioner of the Information and Privacy Agency, Krenare Sogojeva Dërmaku, in 2022 the Agency issued 172 decisions which concluded that the controllers processed personal data contrary to the provisions of Law no. 06/L-082 on Personal Data Protection.

These decisions also concern other national institutions, including the Tax Administration of Kosovo. The latter was fined because, while developing a platform for checking employees’ data, it did not put in place any security measures, such as passwords, that would prevent the leak of personal data.

The website of the Privacy Agency lists all the decisions on privacy breach.

There are also violations by institutions such as the Ministry of Health, which was found to have installed cameras in a prohibited manner, while the Kosovo Philharmonic processed health data without taking into consideration the data protection requirements set by the Law. The latter, according to a published decision, processed data unlawfully during the booking of concert tickets.

According to the decision, the Kosovo Philharmonic had asked the public to e-mail their COVID-19 vaccination certificates in order to book tickets.

This, according to the Agency’s decision, was a violation of the law and prohibited data processing.

Another frequent violation, according to the commissioner Krenare Sogojeva Dërmaku, was identified in employment data in different public institutions (not specified which ones), when personal data of citizens was requested or published on official websites.

The monitoring of the violation of the Law on Data Protection Privacy has also found irregularities in other public institutions.

Mexhide Demolli Nimani from the organization “FOL” (anti-corruption and transparency organization) says that while monitoring court judgments, they came across personal data, which should not have been public.

“We found that out of 35,000 judgments, 1,200 of them did not hide personal data contained therein, either completely or partially,” says Demolli Nimani.

In addition to institutions in the country, there have also been cases where businesses have violated the Law on Data Protection Privacy.

“The largest number of violations that have occurred by private controllers (businesses) are related to the application of direct marketing and the video surveillance system. In a smaller number, violations by private controllers are related to the processing of personal data without a legal basis, such as: copying the identification document, publishing of personal data on the website” — says commissioner Sogojeva Dërmaku.

The list of the Agency’s decisions lists several businesses which were perpetrators of such violations.

For example, an airline was found to have breached personal data protection when it sent an offer to parties’ mobile phones.

Similar actions were found in a dental clinic, a derivatives (oil) company, and a retail store.

According to the Law, message marketing must be carried out in agreement with the parties. Based on this rule, if citizens have not given a written consent to receive such messages, it constitutes a violation of the Law.

The inspector of the Privacy Agency, Arbian Arifi, warns that in the future inspections in the area of digital marketing will become tougher. According to him, the decisions to ban SMS will pave the way for marketing via e-mail or other forms of online marketing.

According to him, citizens should be very careful when signing and consenting to marketing messages in the future.

The Balkan region was shocked by the recent theft of personal data of Albanian citizens.

The lack of cyber security made the Albanian state systems vulnerable to Iranian hackers, who managed to extract millions of personal data from there.

Data from the security agencies in Kosovo show that during 2022 there were several attempts to break into government platforms, but they remained safe, with some exceptions.

Despite this, it has been estimated that the lack of data publication and processing standards may put the country at constant risk.

Other research has found that the country has also faced problems with the efficiency of cyber-attack investigations.

The data from the Progress Report show that the 37 cases reported during 2021 as cyber-attacks were not detected by the police and the prosecution.

What is personal data?

Personal data is any information that identifies a person, such as: first and last name, citizen’s personal number, natural person’s address, e-mail address, health data, salary data, school grades, bank accounts, tax declarations, network identifier (IP address), location data, biometric data (e.g., fingerprints), passport number, ID number, etc.

What personal data is considered sensitive?

Sensitive data are all data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership. They also include genetic data, biometric data processed solely to identify a natural person, health-related data, data concerning a natural person’s sex life or sexual orientation, and personal data related to criminal convictions and criminal and misdemeanor offenses.

Where to complain about violations?

Citizens who have grounds to believe that their data have been misused can go to the Agency to file a complaint, or can file one through the Agency’s website.

The Information and Privacy Agency, which is also responsible for supervising the implementation of the Law on access to public documents, so far during the year 2022 received 26 complaints, of which 12 were approved, and 14 are still under review.

This investigative article was prepared as part of the project “Increasing Civic Engagement in the Digital Agenda — ICEDA” with the financial support of the European Union and the South East Europe (SEE) Digital Rights Network.

The content of this research article is the sole responsibility of Open Data Kosovo and the author and in no way reflects the views of the European Union or the SEE Digital Rights Network.