Kosovo DPL

Law No. 06/L-082 on Protection of Personal Data

Flag of XK
KosovoOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
March 11, 2019
Enacted
February 25, 2019
Enforcing Authority
AIP (Information and Privacy Agency)
Consent Model
Opt-in
Applies To
Any organization processing personal data of individuals in Kosovo, including through technical means

Overview

Kosovo's Law 06/L-082 transposes the EU GDPR into Kosovo's legal framework, applying to processing by both private and public bodies. The AIP (Information and Privacy Agency) actively handles complaints and conducts investigations, though maximum penalties are modest at EUR 40,000.

What This Means for Your Website

  • Consent is required for personal data processing of Kosovo visitors, including through cookies
  • Data controller obligations align with GDPR standards
  • Maximum penalties are EUR 40,000 per violation
  • The AIP has taken initiatives to advance enforcement through complaints and proactive investigations

Key Requirements

The AIP enforces Law 06/L-082 with maximum penalties of EUR 40,000 per violation. The law provides GDPR-aligned data subject rights including access, correction, deletion, and data portability. The AIP can handle complaints, conduct investigations, and impose fines on both private and public entities.

How ConsentStack Handles This

ConsentStack applies GDPR-compliant consent standards for visitors from Kosovo, meeting the law's requirements for consent and data subject rights.

Penalties

Maximum EUR 40,000 per violation.

Maximum Fine
€40,000 per violation

Key Requirements

  • Consent for personal data processing including cookies
  • Data controller and processor obligations aligned with GDPR
  • Data subject rights: access, correction, deletion, portability
  • AIP complaint and investigation cooperation
  • Data breach notification requirements

Notable Provisions

  • GDPR-transposed framework
  • Maximum penalties capped at EUR 40,000
  • AIP actively handling complaints and imposing fines
  • Applies to both private and public bodies including diplomatic offices

Other Europe Regulations

GDPREuropean Union + EEA
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECRUnited Kingdom
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
ePrivacy DirectiveEuropean Union + EEA
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
FDPAFrance
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A Refuse all button or Continue without accepting must appear on the first layer.
UK GDPRUnited Kingdom
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
TDDDGGermany
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

Is Kosovo's law aligned with GDPR?

Yes. Law 06/L-082 transposes the EU GDPR into Kosovo's legal framework, applying to both private and public bodies.

What are the data protection penalties in Kosovo?

Maximum EUR 40,000 per violation. While below GDPR levels, the AIP actively handles complaints and imposes fines.

Who enforces data protection in Kosovo?

The AIP (Information and Privacy Agency) handles complaints, conducts investigations, and imposes fines.

Stay compliant with Kosovo DPL

ConsentStack helps you implement Opt-in consent for Kosovo automatically.

Get started free