On December 9, 2021, on the initiative of the ICEDA network, institutions and CSOs from the targeted Western Balkan countries met in the premises of Open Data Kosovo in Prishtina to discuss personal data protection and privacy. The purpose of this regional meeting was to exchange knowledge, ideas and good practices in regulating the right to personal data protection, transposing the GDPR into legislation, and implementing the Law on personal data protection in practice.

The meeting was held in a closed circle and was attended by all the ICEDA partners and representatives of institutions working to implement the laws governing the right to personal data protection and privacy, namely, Blerim Bajrami – International Cooperation Advisor at the Personal Data Protection Agency (North Macedonia), Gjorgji Rajchinoski – Junior Associate – Supervisor at the Personal Data Protection Agency (North Macedonia), Aleksa Ivanović – Expert on protection of personal data and former member of the Council of the Agency for Protection of Personal Data and FOI (Montenegro), Valon Kryeziu – Interim – General Director of the Information and Privacy Agency (Kosovo), Arbian Arifi – Legal Officer at the Information and Privacy Agency (Kosovo), and Besa Velaj – Head of the Cabinet at the Office of Commissioner for FOI and Data Protection (Albania).

The meeting was opened by Open Data Kosovo and Metamorphosis who welcomed the guests and explained the purpose of the meeting. Bardhyl Jashari emphasized the importance of opportunities for regional cooperation, exchange of knowledge and networking between institutions and CSOs such as this one. “At meetings like these we need to see what we can do together, both institutions and CSOs, so that we keep our privacy and human dignity intact. Data privacy and protection have become extremely important especially in the digital era and with artificial intelligence dominating the entire discourse when speaking about digital transformation. Institutions have a very important role in shaping policies so that they can keep our data personal and private.”

The Kosovo Case Study was delivered by the Interim – General Director of the Information and Privacy Agency (AIP) Valon Kryeziu. As a country, he mentioned that they have done considerable work to align their legislation with GDPR, but that they have noticed a couple of issues which they should work on. Their main challenges at first were the translation of GDPR to the local legislation, and afterwards putting it in practice. He shared that the Agency is working on the legal acts taking into consideration the local struggles, but the lack of an official Commissioner to lead the work of the Agency has significantly held back the whole staff and activities of the Agency. When the Prishtina Municipality developed an assistance package for people who have been affected by the COVID crisis, the system for online application they have developed was designed to gather a lot of personal data that was not necessary. This is where the Agency stepped in and assisted the municipality with improving their platform and only collecting the most needed personal data. The municipality managed to build the system where each person that applies gets a special code with which the applicants could later on find themselves on the list of awarded people by looking up their code in a list published by the municipality.

Faster digitalization and more use of technology naturally creates bigger data protection issues and bigger chances to misuse personal data. Such was the case in the medical sector and police departments in all of the targeted Western Balkan countries, as the participants agreed. What wasn’t working well was the communication between institutions of personal data of people who were infected and had to be in quarantine. Institutions needed to know how not to overshare the personal data of people and this is where the present Agencies stepped in with advice on how to communicate the data but not misuse it. In some cases of such data breaches, the location of people’s homes and phone numbers were also shared and this could be dangerous as there is a risk of them being verbally or even physically attacked, but most certainly socially excluded. In such cases the Agencies have inspected the cases and because they could not find the source of information or the controller of this data, their filed a charge for abuse of illegal processing of data to the Public Prosecution.

As the representatives of the Personal Data Protection Agency from North Macedonia reported, the Agency is currently working on the supervising and training of the controllers, processors and data protection officers. Regarding supervision in the last period people were using digital platforms to pay bills or for online shopping, so they decided to supervise the controllers’ websites so that they can check their functionality and security. Only in 2021 they did 190 regular supervisions and 83 irregular supervisions. Here is where their colleagues agreed to the regional struggle that was the evident lack of human resources in the Agencies in comparison to those in the EU countries, which naturally also affects the rest of the services that they offer.

Aleksa Ivanović, a former member of the Council of the Agency for Protection of Personal Data and FOI, and an expert on protection of personal data, applauded the civic initiative for this meeting. He admitted that COVID made a big mess but even in that mess he said that human rights need to be respected. There were a number of serious data breach cases in Montenegro that ended up in higher courts. He shared that GDPR is not part of the Montenegro Law, and at the time when he was promoting the GDPR he did not get understanding from any of the employees of the institution. He advised the Agencies when giving their advice not to call it an opinion, and not to make it 30 pages long. The Agencies agreed with the last comment saying that they always want to write long opinions because they feel there is much to say, but at the same time they struggle to make them comprehensive for people.

Besa Velaj – Head of the Cabinet: Office of Commissioner for FOI and Data Protection in Albania shared that through a twining project they just submitted the new draft Law wholly aligned with GDPR. They also focused on capacity building and raising awareness in different sectors (communication, banking, schools, etc.) because, as she said, it is important to have everyone but especially the new generation become aware of the privacy culture. She congratulated the ICEDA initiative coming from a civic sector because in Albania the focus of the civic sector is shifted on different topics so she thanked the team for shading light on this important topic. Aside from data breaches, she shared that they had no cases reported by citizens which to her shows that citizens are not aware of this issue.

Ana Toskic from Partners Serbia shared that in 2018 Serbia got a new Law aligned with GDPR, and that they only had 9 months to prepare. Their Law was a complete translation of GDPR and Police Directive. She shared that public institutions lack resources, they have this very complex Law and yet they do not have the sectoral laws aligned. She shared that there were cases of data breaches that were accidents, but also those that were leaked intentionally.

The discussion shifted to the understanding of the GDPR by institutions themselves saying that if they do not understand it how can we expect people to understand it. Data protection is a human right, and we should address the public services and address them as citizens whose data is being processed. The final conclusions were that there should be a bigger cooperation among institutions themselves on this issue and CSOs as well, in the direction of capacity building and awareness raising among the population where the civic sector can be of great assistance.

The album from this event can be accessed here.


Тhe project Increasing Civic Engagement in the Digital Agenda – ICEDA is co-funded by the European Union and implemented by the Metamorphosis Foundation (North Macedonia), Academy for e-Government (Estonia), Levizja Mjaft! (Albania), CRTA – Center for Research, Transparency and Accountability (Serbia), NGO 35mm (Montenegro) and ODK – Open Data Kosovo (Kosovo).