Biometric cameras and scanners, which process data such as facial or fingerprint scanning, are prohibited for use in Kosovo. The only entities allowed to use these devices are security institutions and companies that have notified their staff about the processing of such data.

An investigation by BIRN revealed that there are several stores in the country selling such devices, with final customers not being widely known.

“We import them from China and Spain, and there are some customers who buy them,” sayid one of the sellers in one of the stores in Prishtina.

The seller was unwilling to discuss the sale of these devices in a standard interview. From a previous conversation, it became apparent that he was apprehensive of the potential repercussions that could arise from an article’s publication.

A few hundred meters away, another establishment in the ‘Veternik’ neighborhood in Prishtina admitted to having traded such devices.

“The security institutions use them more, but there are also businesses that buy them,” says the seller.

The seller declined to disclose whether such devices were in stock or their selling prices. Both he and the owner refused interviews, citing their preference to stay out of media coverage.

The import of such devices is allowed; however, their installation is prohibited unless done according to the law.

Kosovo Customs has not provided details on the number of imported cameras and devices. They have stated that it takes time to compile statistics on the number and entities that have carried out the imports.

The Kosovar Privacy Agency reports confirm the chaos in the trade and installation of these devices.

In the past year, the agency has encountered such devices in three cases. 

“During inspections, we found that two public and one private controllers processed biometric characteristics of data subjects.  These controllers had installed devices to process biometric characteristics of data subjects for the purpose of recording employees’ attendance at work,” states the Agency’s response.

But what is biometric data?

The Personal Data Protection Law defines biometric data as any data derived from specific processing related to the physical, psychological, or behavioral traits of an individual. These traits allow for the unique identification of the individual and can include visual images or dactyloscopic data such as fingerprint patterns, retinal scans, facial features, among others.

However, the use of Biometric devices, according to the Law on the Protection of Personal Data, is permitted for the public sector only if it is essential for the security of individuals, the protection of property, or the safeguarding of confidential and business secrets, if this cannot be achieved by other means.

For the private sector, the use of biometric characteristics is allowed only if it is necessary for carrying out activities for the security of individuals, the protection of property, or the protection of confidential or business secrets.

Data subjects are required to be informed in writing about the processing of their data and their rights beforehand.

During an investigation by BIRN, three decisions were identified on the Privacy Agency’s website where entities were prohibited from further using these biometric devices.

One of these decisions involved the “Regional Water Company HIDRODRINI” in Peja. This entity processed biometric data [facial features] for employee identification during check-in/check-out times from work across all its operational units.

The Agency ordered this entity to delete and destroy the data collected through the devices, nine of which are Facepass7 and FaceDeep3 models, operating based on the “CrossChex” application.

In response to editorial queries, HIDRODRINI confirmed that the data processed by those devices have been destroyed and deleted from the databases, in compliance with the Agency’s decision.

“We have implemented the decision in full and within the given deadlines,” it is said in the answers of Hidrodrini.

Notably, the employees’ prior consent was not obtained for the processing of this data.

BIRN has contacted the company that operated these devices for details about the applicability of the Agency’s decision and whether it has destroyed the data collected from the employees. However, BIRNhas not received a response at the time of publication of this article.

The second decision issued by the Agency concerned the Rectorate of the University of Prishtina and is also related to the processing of biometric data of individuals working at this institution.

The case involves a device installed in the Rectorate building used for recording employees’ check-in and check-out times from work.

The device recorded the employees by collecting biometric data (facial features). According to the agency, the Rectorate has 14 academic units, where such equipment was installed in each unit.

According to the Agency’s information, the controller of this data did not obtain authorization for the processing of biometric data. The Agency ordered the University of Prishtina to stop processing biometric data and decided to destroy and delete all the data from these devices.

For this case as well, BIRN attempted to contact the office of the rectorate, and is still awaiting a response.

The third decision issued by the Information and Privacy Agency related to the processing of biometric data through papillary traces [fingerprint marks] by the company ‘Prishtina Parking’.

Conversely, no private businesses have been discovered to possess such devices. This is attributed to the fact that institutions have not yet conducted checks to determine where the devices imported in recent years have been installed within the country.