Several public institutions in Kosovo have been fined thousands of euros for unlawfully publishing the personal data of citizens online, raising concerns about data protection practices and accountability in the public sector.
Kosovo’s Information and Privacy Agency, AIP, has fined public institutions—including municipalities, universities, and state agencies— a total of 110,000 euros for violating citizen privacy. These violations include unauthorized online publication of personal identification numbers, phone numbers, addresses, and even medical diagnoses.
The AIP press office told Prishtina Insight that “penalties were imposed because these institutions published personal data online, including sensitive categories of [personal] data, without a clear and valid legal basis to justify such processing.”
AIP is an independent state agency responsible for overseeing and enforcing the Law on the Protection of Personal Data and the Law on Access to Public Documents in the Republic of Kosovo.
The primary purpose of the Agency is to protect the fundamental rights and freedoms of individuals regarding the processing of personal data and to ensure access to public documents, thereby promoting transparency and accountability within public institutions.
According to the protection of personal data law, the “personal data are collected only for specified, explicit, and legitimate purposes, and may not be further processed in a way incompatible with these purposes.”
Moreover, it says that, “personal data may only be stored for as long as necessary to achieve the purpose for which they were collected or further processed. On completion of the purpose of processing, personal data shall be erased, deleted, destroyed, blocked, or anonymised.”
In an interview for “Kallxo Përnime” in April 2025, Krenare Sogojeva Dërmaku, Kosovo’s Commissioner for Information and Privacy, warned of an increase in privacy breaches, calling on citizens to report potential violations to the agency.
According to the agency’s 2024 Annual Report, AIP received 134 complaints on potential personal data violations in 2024.
Blerta Thaçi, Executive Director at the Prishtina based NGO Open Data Kosovo, ODK, told Prishtina Insight that, “exposing personal data can lead to serious consequences, from discrimination and lost job opportunities to financial exploitation and gender-based violence. Many citizens are unaware that consent to publish does not always protect them. They often don’t realise they have the right to withhold consent or withdraw it later.”.
“Continuous public education is necessary to empower citizens and build a safer digital culture,” she claimed, calling for mandatory and regular training sessions for all staff who handle personal data, not just legal or IT personnel.
“[We need further education] especially at the local [government] level and among public enterprise managers, who are frequently overlooked despite their high exposure to [citizens’ privacy violation] risks,” she said.
“Only through continuous education can we build a system where data protection is an integral part of every work process,” she added.
The Balkan Investigative Reporting Network, BIRN, has been monitoring, documenting and reporting violations of digital rights across the Western Balkans and Turkey through the BIRN Investigative Resource Desk, BIRD. Key areas of focus include privacy, freedom of expression, and surveillance.
Based on BIRD monitoring and other BIRN reporting on digital rights, it can be concluded that despite technological advancement which enhances efficiency and transparency, a new problem has arisen: civilian exposure to data-privacy risks through privacy violations by the very institutions entrusted with protecting it.
Thaçi told Prishtina Insight that, “it is troubling that the institutions that are supposed to set the standard for legal compliance are themselves being fined for violating privacy rights. These cases highlight significant gaps in both understanding and applying privacy standards, and they erode citizens’ trust in the state.”
She emphasised that most breaches stem from a lack of awareness about what constitutes personal data and when its disclosure becomes a violation.
“Often, data is published with operational or transparency-related intentions, but without proper risk assessment or legal consultation. This reflects a deeper issue—a lack of a data protection culture in public institutions,” she explained.
AIP fines for privacy violations

Illustration: BIRN/Besnik Krivanjeva
Following inspections carried out under the Law on the Protection of Personal Data, the AIP imposed the following penalties:
The Kosovo Tax Administration was fined 20,000 euros for publishing a list of individuals who benefited from public debt forgiveness which included personal ID numbers and phone numbers.
The Agency for Agricultural Development was fined 30,000 euros for publishing lists of subsidy recipients that included personal ID numbers, phone numbers, and home addresses.
The Municipality of Podujeva was fined 20,000 euros for publishing lists of agricultural subsidy recipients with personal and contact information.
Trepça Enterprise J.S.C., the public mining company, was fined 20,000 euros for publishing a candidate list for job applications that included personal ID numbers.
The Municipality of Gjakova was fined 20,000 euros for publishing a list of healthcare subsidy recipients, including sensitive health diagnoses.
Isa Boletini University, the public university in Mitrovica, was fined 20,000 euros for publishing a student list which included personal ID numbers.