Day 02 - Data-protection EDPB.pdf

Support for Improvement in Governance and Management SIGMA
HIGH-LEVEL EXCHANGE AND LEARNING WEEK
Brussels, 18-22 September 2023
#DataProtectionWeek
Interregional event - Joining forces
Aims
• A unique opportunity to:
1. Meet
2. Learn
3. Exchange
• Key EU actors
• Data Protection Authorities from EU Member States
• Western Balkans and Eastern Partnership Regions
Information and Data Protection Commissioner
Albania
Neritan Sulaj
Sectorial Investigation and Data
Security Department
General Directorate of Personal
Data Protection
Information and Data Protection
Commissioner
Institutional context
• The Commissioner’s Office was established in 2008 with the enactment of Law No. 9887, dated
10.03.2008, “On the Protection of Personal Data”.
• In 2014 the Commissioner’s Office was vested with new powers with the adoption of
Law No. 119/2014 “On the right to information”.
• The Commissioner’s Office is the independent, central authority in charge of supervising
and monitoring the protection of personal data:
• giving opinions on draft legislation and sub-legal acts related to personal data;
• addressing data subjects’ complaints;
• conducting administrative investigations and issuing a Recommendation, Decision or Order.
• In cases of serious infringement of the law by a controller or processor, especially in cases of
recurring failure to carry out the recommendations, the Commissioner has the right to impose
sanctions and may report the case publicly in accordance with his duties or report it to the
Assembly and the Council of Ministers.
• The Commissioner can submit an annual report to the Assembly. In addition, the
Commissioner may ask the Assembly to be heard on issues that he deems to be
important.
Institutional context
Legal aspects of data protection
• Constitution of Albania (protection of personal data is referred to in Article 35);
• Convention 108+, ratified with Law No. 49/2022, dated 12.05.2022;
• Law No. 9887, dated 10.03.2008, “On the Protection of Personal Data”, as amended;
• Draft-Law “On the Protection of Personal Data”, fully aligned with the GDPR and the Law
Enforcement Directive;
• 16 sub-legal acts associated with the Draft-Law “On the Protection of Personal Data”.
Challenges/opportunities
• Achieving the highest regulatory standards to enhance protection of personal data in the
digital era.
• Providing practical support to public authorities regarding the implementation of the new
legal framework.
• Active role with data controllers and processors, with the aim of ensuring more effective
information security;
• Active role in awareness raising and training activities related to fulfillment of legal
obligations and the modernized legal framework on Protection of Personal Data, with data
controllers and processors. Special focus will also be on the younger generation.
• Broadening cooperation with EDPB, EDPS, TPD and counterpart authorities on exchanging
experience and best practices.
• Applying for projects/potential assistance aimed at efficiently supporting
implementation of the new law – within 2025.
JULIETA
MATEVOSYAN
Acting Head of Data Protection
Agency
ARMENIA
Separate unit of the Ministry of Justice,
but independent in exercising its powers
Head of Agency
Registry
Management and
Monitoring
Department
Administrative
Proceedings
Department
Legal aspects of data protection
Convention for the protection of Individuals with regard
to automatic processing of personal data
Convention 108 (2012)/Convention 108+ (2021)
Constitution of Armenia of 2015:
Article 34
Law of Armenia on Protection of
Personal Data (2015)
Main Challenges and Solutions
• Lack of attention and knowledge regarding PDP: building capacities (human, professional,
technical resources) of the Authorized body for Personal Data Protection
• Non-harmonized legislation: bringing the legal acts to be adopted, as
well as the existing legal acts providing for
processing of personal data, into compliance
with the Law on Personal Data Protection
Khayala Babayeva
Head of the Personal Data
Protection Department of
the Electronic Security
Service
Personal Data Protection in
Azerbaijan
Institutional context
• Regulatory Authority:
• handling and investigating data subject’s complaints for violations of the Law on Personal Data;
• licensing those engaged in the development and establishment of personal data processing systems or
offering services to them;
• maintaining the state registry of information systems processing personal data;
• organizing the state assessment of information systems processing personal data in the prescribed
manner;
• requiring state authorities, legal entities, and physical persons involved in the collection, processing,
and protection of personal data to eliminate violations of the Law on “Personal Data”;
• taking measures, in accordance with the established procedure, to bring to justice those who violate
the requirements of the relevant legislation on personal data protection.
Legal aspects of data protection
The Constitution of the Republic of Azerbaijan
• Article 32. Right to inviolability of private life
• Approved the Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data (CETS No. 108) in 2009
The Law on Personal Data of the Republic of Azerbaijan, adopted on 11 May 2010, regulates:
• Basic principles and conditions for data processing;
• Data subject rights and data controller and processor’s responsibilities;
• Cross-border transfer of personal data;
• Registrations of personal data processing systems;
• Regulatory authority's functions;
• Liability for violations.
Administrative Violations Code of the Republic of Azerbaijan;
The baseline requirements for the personal data protection of 6 September 2010.
Challenges/opportunities
• Approval of New Draft Law on Personal Data;
• Awareness-raising on personal data protection;
• Assist data controllers and processors in complying with new legislation;
• Development of training program for data protection officers.
Silvije Fučec
Head of Section for Public
Relations Personal Data Protection Agency
Bosnia and Herzegovina
Institutional context
• The Personal Data Protection Agency in Bosnia and Herzegovina
began its work in 2008 on the basis of the Law on Personal Data
Protection in Bosnia and Herzegovina.
• The Agency operates as an independent administrative organization.
• Decisions made by the Agency are final and only an administrative
dispute can be initiated against them before the Court of Bosnia and
Herzegovina.
• The estimated number of employees in the Agency is 45, and the
current number of employees is 26.
Legal aspects of data protection
• Constitution of Bosnia and Herzegovina
• European Convention for the Protection of Human Rights and
Fundamental Freedoms
• Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data (Convention 108)
• Law on Protection of Personal Data
• Sectoral laws and by-laws
• Criminal Codes in Bosnia and Herzegovina
Challenges/opportunities
• Harmonization of legislation on personal data protection in
Bosnia and Herzegovina with GDPR
• Capacities of the Agency
Ana Tokhadze
Head of International Relations,
Analytics and Strategic
Development Department
Nikoloz Popiashvili
Head of the Office of the
President of Personal Data
Protection Service of Georgia
Brief Review of Powers and Functions of the Personal
Data Protection Service of Georgia
Institutional context
Main Functions of PDPS
Reviewing of citizens’ applications regarding
the personal data protection
Examination of the lawfulness of data
processing (inspection)
Consulting on issues concerning data
protection
Providing information on important events to
the public and increasing its awareness
Legal aspects of data protection
National Regulatory Framework
• Scope of the Law of Georgia on Personal Data
Protection - adopted in 2011, in force until: March 1st,
2024.
• New Law of Georgia on Personal Data Protection –
adopted in 2023, in force from March 1st, 2024.
• International regulatory framework and the soft law.
Challenges/opportunities
Main Trends and Recommendations
• Implementation of the new law in accordance with the best practice recognized at the international
level;
• Raising public awareness and enhancing the culture of respect for privacy and data protection;
• Institutional development of the Personal Data Protection Service of Georgia;
• Fostering international awareness of the Personal Data Protection Service of Georgia and
cooperation with the foreign counterpart data protection.
Krenare Sogojeva
Dermaku
Commissioner for
Information and Privacy
Institutional context
• The Information and Privacy Agency of Kosovo* is an independent
supervisory body accountable to Assembly of Kosovo*
• Oversees the implementation of two laws:
1. Law No. 06/L-081 on Access to Public Documents
2. Law No. 06/L-082 on Personal Data Protection
• Mission
• IPA's responsibilities are defined by the two laws it oversees
* This designation is without prejudice to positions on status, and is in line with United Nations Security Council Resolution 1244/99 and the Advisory Opinion of the International Court
of Justice on Kosovo’s declaration of independence
Legal aspects of data protection
• Law No. 06/L-082 on Personal Data Protection is in full compliance with
GDPR:
• Seven (7) principles of data protection
• The rights of data subjects
• Lawful basis of data processing activities
• Data Protection Impact Assessments (DPIA)
• Data Protection Officer (DPO)
• Fines for data breach violations
Challenges/opportunities
Challenges:
• Political Status of Kosovo*;
• Non-Membership in the Council of Europe
• Inability to Adopt Convention 108
• Insufficient Knowledge Levels of Citizens and Institutions
• Lack of Professional Staff
Opportunities:
• Establishing Standards in Line with European Practices
• Full Implementation of ECHR Decisions
• Raising Awareness Among Citizens and Institutions
• Training of Data Protection Officers (DPOs)
• Participation in International Conferences as Members and Observers
Zoia Cojocari
Head of external relations
and European integration
NCPDP
Republic of Moldova
National Center for Personal
Data Protection
of the Republic of Moldova
Legal aspects of data protection
The Republic of Moldova has had
observer status within the EDPB
since 2017
Muhamed Gjokaj
member of council
Zoran Vujičić
member of council
AGENCY FOR PERSONAL DATA
PROTECTION AND FREE ACCESS TO
INFORMATION OF MONTENEGRO
Institutional context
The Agency was established in 2009 in accordance with the
regulations of the Law on Personal Data Protection (Official
Gazette of Montenegro no. 79/08 and 70/09), Directive 95/46/EC
Legal aspects of data protection
1. The Law on Personal Data Protection is in accordance with the Directive
95/46/EC which is still in force in Montenegro
2. Montenegro has not yet adopted Law that is in accordance with the GDPR
3. In 2018, a Working Group was formed for introduction of GDPR into our legal
systems
Challenges/opportunities
The essential matter for the functioning of the
Agency is:
• Independence of the institution
• Financial independence
• Free of political influence
Nikola Nikolov
https://www.linkedin.com/in/nikolanikolovit
North Macedonia
• Institution: Ministry of Information Society and
Administration
• Position: State Advisor for ICT
• Coordinator of the project National Population
Register
Institutional context
Personal Data Protection Agency
• Law on Personal Data Protections
• Adopted February 2020
• Entered into force September 2021
• GDPR Compliant
Ministry of Information Society and Administration
• Information society
• Administration
• Media
• Telecommunications
• Trust service providers
• National Population Register System
• Founded with EU Support 2016 – 2019
• In production October 2019
• Base for eID
• Base register for trust service providers
Legal aspects of data protection
• 2019
• Law on Central Population Register
• Law on electronic documents, electronic identification and trust services
• 2020(2021)
• Law on Personal Data Protections
Challenges/opportunities
• Trained/Educated people who understand IT and personal data protection
• Services Digitalisation (including legal background) using personal data
• National Population Register system's connection through the
Interoperability system
• Digital Identity Wallet - following the last EU approach through the Digital
Europe Program
Milan Marinović
Commissioner for
Information of Public
Importance and Personal
Data Protection of Serbia
Institutional context
• An independent/autonomous state body
• The Commissioner is elected by the National Assembly of Serbia by a majority vote of all MPs
(also his/her 2 deputies).
• Mandate: 8 years (1 term limit) (previously: 7 years - with the possibility of a two-term limit)
• Protects two human rights:
1) The right to access information of public importance (as of 2004) - as a second-instance authority (deciding on appeals)
2) The right to personal data protection (as of 2009) - as the principal authority
• Head Office in Belgrade and offices outside the Head Office (Novi Sad, Niš, Kragujevac...)
• Workforce: up to 154 employees; currently: 102 employees; planned by the end of 2023: 133 employees (2019: 94 employees)
• 10 Sectors + Cabinet + Offices outside Head Office - (2019: 7 sectors)
• Personal data protection:
- Inspection supervision
- Handling complaints and requests by (natural and legal) persons
- Giving opinions on draft laws and other regulations
- Imposing fines and submitting indictment acts to the competent courts
- Imposing measures on Data Controllers
- Education and raising awareness on the importance of personal data protection
- Deciding on requests for data transfer to other economies...
Legal aspects of data protection
• Constitution of Serbia: The Right to Personal Data Protection (Article 42)
• Law on Personal Data Protection (in force from August 22, 2019):
- 2 in 1: compilation of GDPR and Law Enforcement Directive
- Strengths and weaknesses
- The need for amendments to the law - reasons:
a) The existence of two parallel personal data protection regimes: general and special
b) Imprecise definition of the term "competent authorities that process data for special purposes"
c) Lack of legal basis for the possibility of using standard contractual clauses in the legal relationship between Data Controllers
d) Lack of regulation for the processing of biometric data and the processing of personal data via video surveillance
e) No time limit has been set for submitting a complaint to the Commissioner and the complaint procedure
f) The processing of personal data of deceased persons is not regulated
g) The processing of personal data by artificial intelligence is not regulated
• Personal Data Protection Strategy for the period 2023-2030 (Action plan)
Challenges/opportunities
• Raising awareness on the need and importance of personal data protection - everyone (citizens, Data Controllers and Data
Processors, media representatives, relevant citizen associations...):
- Education and training, panels, round tables...
- Implementation of personal data protection in elementary and high school curricula
- Education on the protection of personal data via short study programs at faculties
- Creating relevant TV and Internet content
• Increased need to protect personal data in the modern era - challenges:
- Fast-growing development of modern technologies
- Comprehensive digitization
- Processing of personal data by artificial intelligence
- Processing of genetic data...
• Change in the way of conducting supervision (analog and digital records of personal data)
• Chronic lack of IT experts
• Insufficient cooperation between competent bodies engaged in personal data protection from different economies
• The necessity of preventive normative action and a common, unique response to challenges
Yuliia Derkachenko
Representative of the
Ukrainian Parliament
Commissioner for Human
Rights on Information
Rights
Institutional context
•What is parliamentary control?
•What is the Secretariat of the Ukrainian Parliament
Commissioner for Human Rights?
•What tasks does the Information Rights Monitoring
Department of the Commissioner's Secretariat perform?
•What does the Expert Council at the Representative of
the Information Rights do?
Legal aspects of data protection
• Constitution of Ukraine of 1996;
• Law of Ukraine «On Personal Data Protection» of 2010;
• Order of the Ukrainian Parliament Commissioner for Human
Rights «On approval of documents in the field of personal
data protection» of 2014;
In 2010 Ukraine ratified the CoE’s
Convention for the Protection of
Individuals with regard to Automatic
Processing of Personal Data (Convention
108)
A new draft of the Law of Ukraine "On the Protection
of Personal Data" has been registered in the
Parliament of Ukraine.
The draft of the Law of Ukraine "On the National
Commission on Personal Data Protection and Access to
Public Information" was also registered in the Parliament
of Ukraine.
Challenges/opportunities
Challenges:
• War in Ukraine;
• Reforming legislation on data protection;
• The growing number of cyber threats;
• Prevalence of use of artificial intelligence;
• The need to educate citizens and employees of
state authorities about the importance of
personal data protection;
• Monitoring violations and responding to them;
• Interaction with other bodies etc.
Opportunities:
• Completion of the reform of data protection
legislation and integration into the international
environment;
• Reduction of risks in the field of personal data
protection;
• Protection of critical infrastructure;
• Improving the qualifications of employees;
• Raising the awareness of citizens and others.
HIGH-LEVEL EXCHANGE AND LEARNING WEEK
Brussels, 18-22 September 2023
#DataProtectionWeek
1 de 49

Recomendados

Privacy and Data Protection in South Africa por
Privacy and Data Protection in South AfricaPrivacy and Data Protection in South Africa
Privacy and Data Protection in South Africablogzilla
481 vistas7 diapositivas
Data Protection Guide – What are your rights as a citizen? por
Data Protection Guide – What are your rights as a citizen?Data Protection Guide – What are your rights as a citizen?
Data Protection Guide – What are your rights as a citizen?Edouard Nguyen
690 vistas15 diapositivas
GDPR and Copyright Law por
GDPR and Copyright LawGDPR and Copyright Law
GDPR and Copyright LawGiovanni Maria Riccio
120 vistas37 diapositivas
Personal Data Protection Law por
Personal Data Protection LawPersonal Data Protection Law
Personal Data Protection LawHatice Zümbül, LL.M.
71 vistas2 diapositivas
The Privacy Advantage 2016 - Wojciech Wiewiorowski por
The Privacy Advantage 2016 - Wojciech WiewiorowskiThe Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiKrowdthink
312 vistas20 diapositivas
Legal aspects of data gathering and information exchange por
Legal aspects of data gathering and information exchangeLegal aspects of data gathering and information exchange
Legal aspects of data gathering and information exchangeStevenSegaert
423 vistas38 diapositivas

Más contenido relacionado

Similar a Day 02 - Data-protection EDPB.pdf

Data legislation, governance and policy/Abraham M Keetshabe por
Data legislation, governance and policy/Abraham M KeetshabeData legislation, governance and policy/Abraham M Keetshabe
Data legislation, governance and policy/Abraham M KeetshabeAfrican Open Science Platform
350 vistas15 diapositivas
Data Protection Act por
Data Protection ActData Protection Act
Data Protection ActYizi
1.8K vistas64 diapositivas
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h... por
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...AltheimPrivacy
2.7K vistas44 diapositivas
M.Marusic Dzlp E Society En por
M.Marusic Dzlp E Society EnM.Marusic Dzlp E Society En
M.Marusic Dzlp E Society EnMetamorphosis
407 vistas20 diapositivas
Safety And Security Of Data 4 por
Safety And Security Of Data 4Safety And Security Of Data 4
Safety And Security Of Data 4Wynthorpe
673 vistas21 diapositivas

Similar a Day 02 - Data-protection EDPB.pdf(20)

Data Protection Act por Yizi
Data Protection ActData Protection Act
Data Protection Act
Yizi1.8K vistas
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h... por AltheimPrivacy
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
AltheimPrivacy2.7K vistas
M.Marusic Dzlp E Society En por Metamorphosis
M.Marusic Dzlp E Society EnM.Marusic Dzlp E Society En
M.Marusic Dzlp E Society En
Metamorphosis407 vistas
Safety And Security Of Data 4 por Wynthorpe
Safety And Security Of Data 4Safety And Security Of Data 4
Safety And Security Of Data 4
Wynthorpe673 vistas
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal por Cyber Watching
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
Cyber Watching127 vistas
Draft Bill on the Protection of Personal Data por Renato Monteiro
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
Renato Monteiro487 vistas
Privacy issues in data analytics por shekharkanodia
Privacy issues in data analyticsPrivacy issues in data analytics
Privacy issues in data analytics
shekharkanodia141 vistas
Kroll.cross border ediscovery-2016 por Kate Chan
Kroll.cross border ediscovery-2016Kroll.cross border ediscovery-2016
Kroll.cross border ediscovery-2016
Kate Chan197 vistas
GDPR - New European Union Legislation por Tekwill
GDPR - New European Union LegislationGDPR - New European Union Legislation
GDPR - New European Union Legislation
Tekwill54 vistas
1º Palestra sobre Proteção de Dados Pessoais por IBE_USP
1º Palestra sobre Proteção de Dados Pessoais1º Palestra sobre Proteção de Dados Pessoais
1º Palestra sobre Proteção de Dados Pessoais
IBE_USP270 vistas
GDPR presentation BE-Com - IFORI por Karel Holst
GDPR presentation BE-Com - IFORIGDPR presentation BE-Com - IFORI
GDPR presentation BE-Com - IFORI
Karel Holst760 vistas
GDPR Introduction and overview por Jane Lambert
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
Jane Lambert4.1K vistas

Más de Support for Improvement in Governance and Management SIGMA

Launch of the Principles of Public Administration - 6 Nov 2023 - Photo gallery por
Launch of the Principles of Public Administration - 6 Nov 2023 - Photo galleryLaunch of the Principles of Public Administration - 6 Nov 2023 - Photo gallery
Launch of the Principles of Public Administration - 6 Nov 2023 - Photo gallerySupport for Improvement in Governance and Management SIGMA
1.1K vistas32 diapositivas
Day 1 - EDPB Priorities and work programme.pdf por
Day 1 - EDPB Priorities and work programme.pdfDay 1 - EDPB Priorities and work programme.pdf
Day 1 - EDPB Priorities and work programme.pdfSupport for Improvement in Governance and Management SIGMA
211 vistas14 diapositivas

Más de Support for Improvement in Governance and Management SIGMA (20)

Último

Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San... por
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...AlvaroTojongDioquino
15 vistas17 diapositivas
Ms. Julie Collins - 2023 ReSAKSS Conference.pptx por
Ms. Julie Collins - 2023 ReSAKSS Conference.pptxMs. Julie Collins - 2023 ReSAKSS Conference.pptx
Ms. Julie Collins - 2023 ReSAKSS Conference.pptxAKADEMIYA2063
8 vistas18 diapositivas
Arrow Adoption Training for Kinship Families por
Arrow Adoption Training for Kinship FamiliesArrow Adoption Training for Kinship Families
Arrow Adoption Training for Kinship FamiliesArrowMarketing
39 vistas46 diapositivas
UNiTE- Invest to Prevent Violence against Women & Girls! por
UNiTE- Invest to Prevent Violence against Women & Girls!UNiTE- Invest to Prevent Violence against Women & Girls!
UNiTE- Invest to Prevent Violence against Women & Girls!Christina Parmionova
9 vistas4 diapositivas
2023 First Tee - Greater Richmond Holiday Gift Guide por
2023 First Tee - Greater Richmond Holiday Gift Guide2023 First Tee - Greater Richmond Holiday Gift Guide
2023 First Tee - Greater Richmond Holiday Gift Guidebill151498
80 vistas14 diapositivas
Taking care for elders por
Taking care for eldersTaking care for elders
Taking care for eldersSERUDS INDIA
7 vistas1 diapositiva

Último(20)

Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San... por AlvaroTojongDioquino
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...
Ms. Julie Collins - 2023 ReSAKSS Conference.pptx por AKADEMIYA2063
Ms. Julie Collins - 2023 ReSAKSS Conference.pptxMs. Julie Collins - 2023 ReSAKSS Conference.pptx
Ms. Julie Collins - 2023 ReSAKSS Conference.pptx
AKADEMIYA20638 vistas
Arrow Adoption Training for Kinship Families por ArrowMarketing
Arrow Adoption Training for Kinship FamiliesArrow Adoption Training for Kinship Families
Arrow Adoption Training for Kinship Families
ArrowMarketing39 vistas
2023 First Tee - Greater Richmond Holiday Gift Guide por bill151498
2023 First Tee - Greater Richmond Holiday Gift Guide2023 First Tee - Greater Richmond Holiday Gift Guide
2023 First Tee - Greater Richmond Holiday Gift Guide
bill15149880 vistas
Taking care of the elders por SERUDS INDIA
Taking care of the eldersTaking care of the elders
Taking care of the elders
SERUDS INDIA6 vistas
Dr Jean Paul Latyr FAYE - 2023 ReSAKSS Conference.pptx por AKADEMIYA2063
Dr Jean Paul Latyr FAYE - 2023 ReSAKSS Conference.pptxDr Jean Paul Latyr FAYE - 2023 ReSAKSS Conference.pptx
Dr Jean Paul Latyr FAYE - 2023 ReSAKSS Conference.pptx
AKADEMIYA20636 vistas
2023 Veterans Day Exhibit.pptx por lday4
2023 Veterans Day Exhibit.pptx2023 Veterans Day Exhibit.pptx
2023 Veterans Day Exhibit.pptx
lday448 vistas
Dr Getaw Tadesse - 2023 ReSAKSS Conference .pptx por AKADEMIYA2063
Dr Getaw Tadesse - 2023 ReSAKSS Conference .pptxDr Getaw Tadesse - 2023 ReSAKSS Conference .pptx
Dr Getaw Tadesse - 2023 ReSAKSS Conference .pptx
AKADEMIYA20638 vistas
Moving up into upper secondary by Hannah Kitchen - OECD Education Webinar 23N... por EduSkills OECD
Moving up into upper secondary by Hannah Kitchen - OECD Education Webinar 23N...Moving up into upper secondary by Hannah Kitchen - OECD Education Webinar 23N...
Moving up into upper secondary by Hannah Kitchen - OECD Education Webinar 23N...
EduSkills OECD81 vistas
Sponsor for Child Bright Future por SERUDS INDIA
Sponsor for Child Bright FutureSponsor for Child Bright Future
Sponsor for Child Bright Future
SERUDS INDIA10 vistas
IEA Report: The Oil and Gas Industry in NetZero Transitions por Energy for One World
IEA Report: The Oil and Gas Industry in NetZero TransitionsIEA Report: The Oil and Gas Industry in NetZero Transitions
IEA Report: The Oil and Gas Industry in NetZero Transitions
Permit & Zoning Tech 2023 1116.pdf por NorthwestBOCA
Permit & Zoning Tech 2023 1116.pdfPermit & Zoning Tech 2023 1116.pdf
Permit & Zoning Tech 2023 1116.pdf
NorthwestBOCA54 vistas
2023-11-17-building_inspector_posting (1).pdf por NorthwestBOCA
2023-11-17-building_inspector_posting (1).pdf2023-11-17-building_inspector_posting (1).pdf
2023-11-17-building_inspector_posting (1).pdf
NorthwestBOCA54 vistas
How can the social and solidarity economy help refugees along their journey? por OECD CFE
How can the social and solidarity economy help refugees along their journey?How can the social and solidarity economy help refugees along their journey?
How can the social and solidarity economy help refugees along their journey?
OECD CFE63 vistas

Day 02 - Data-protection EDPB.pdf

  • 1. HIGH-LEVEL EXCHANGE AND LEARNING WEEK Brussels, 18-22 September 2023 #DataProtectionWeek
  • 2. Interregional event - Joining forces
  • 3. Aims  A unique opportunity to: 1. Meet 2. Learn 3. Exchange  Key EU actors  Data Protection Authorities from EU Member States  Western Balkans and Eastern Partnership Regions
  • 4. Information and Data Protection Commissioner Albania Neritan Sulaj Sectorial Investigation and Data Security Department General Directorate of Personal Data Protection Information and Data Protection Commissioner
  • 5. Institutional context  With the enactment of the Law No. 9887, dated 10.03.2008 “On the Protection of Personal Data”, in 2008 was established the Commissioner’s Office.  In 2014 the Commissioner’s Office was vested with new powers with the adoption of the Law No. 119/2014 “On the right to information”.  The Commissioner’s Office is the independent, central authority in charge of supervising and monitoring the protection of personal data.  giving opinions on draft legislations and sublegal acts related to personal data;  addressing of data subjects complaints;  conducting administrative investigation and issuing Recommendation, Decision or Order;  In cases of serious infringement of law by a controller or processor, especially in cases of recurring failure to carry out the recommendations, the Commissioner has the right to impose sanctions and may report the case publicly in accordance with his duties or report it to the Assembly and the Council of Ministers.  The Commissioner can submits an annual report to the Assembly. In addition Commissioner may ask to the Assembly to be heard for issues that he deems to be important.
  • 7. Legal aspects of data protection  Constitution of Albania (protection of personal data is referred in Article 35);  Convention 108+, ratified with Law No. 49/2022, dated 12. 05. 2022;  Law No. 9887, dated 10. 03. 2008 “On the Protection of Personal Data”, as amended; Draft-Law “On the Protection of Personal Data” fully aligned with the GDPR and the Law Enforcement Directive. 16 sub-legal acts associate the Draft-Law “On the Protection of Personal Data”
  • 8. Challenges/opportunities • Achieving the highest regulatory standards to enhance protection of personal data in the digital era. • Providing practical support to public authorities regarding the implementation of the new legal framework. • Active role with data controllers and processor, with the aim of ensuring more effective information security; • Active role in awareness raising and training activities related to fulfillment of legal obligations and the modernized legal framework on Protection of Personal Data, with data controllers and processors. Special focus will be also on younger generation. • Broadening cooperation with EDPB, EDPS, TPD and counterpart authorities on exchanging experience and best practices. • Application for projects/potential assistances, aimed at supporting efficiently implementation of the new law – within 2025.
  • 9. JULIETA MATEVOSYAN Acting Head of Data Protection Agency ARMENIA Add logo institution
  • 10. eparate unit of the Ministry of Justice, but independent in exercising its powers Head of Agency Registry Management and Monitoring Department Administrative Proceedings Department
  • 11. Legal aspects of data protection Convention for the protection of Individuals with regard to automatic processing of personal data Convention 108 (2012)/Convention 108+ (2021) Constitution of Armenia of 2015: Article 34 Law of Armenia on Protection of Personal Data (2015)
  • 12. Main Challenges and Solutions • Challenge: Lack of attention and knowledge regarding PDP. Solution: building capacities (human, professional, technical resources) of the Authorized body for Personal Data Protection • Challenge: Non-harmonized legislation. Solution: bringing the legal acts to be adopted, as well as the existing legal acts providing for processing of personal data, into compliance with the Law on Personal Data Protection
  • 13. Khayala Babayeva Head of the Personal Data Protection Department of the Electronic Security Service Personal Data Protection in Azerbaijan
  • 14. Institutional context • Regulatory Authority: • handling and investigating data subjects’ complaints for violations of the Law on Personal Data; • licensing those engaged in the development and establishment of personal data processing systems or offering services to them; • maintaining the state registry of information systems processing personal data; • organizing the state assessment of information systems processing personal data in the prescribed manner; • requiring state authorities, legal entities, and physical persons involved in the collection, processing, and protection of personal data to eliminate violations of the Law on “Personal Data”; • taking measures, in accordance with the established procedure, to bring to justice those who violate the requirements of the relevant legislation on personal data protection.
  • 15. Legal aspects of data protection The Constitution of the Republic of Azerbaijan • Article 32. Right to inviolability of private life • Approved the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108) in 2009 • Adopted the Law on Personal Data of the Republic of Azerbaijan on 11 May 2010, which regulates: • Basic principles and conditions for data processing; • Data subject rights and data controller and processor’s responsibilities; • Cross-border transfer of personal data; • Registrations of personal data processing systems; • Regulatory authority's functions; • Liability for violations. Administrative Violations Code of the Republic of Azerbaijan; The baseline requirements for the personal data protection of 6 September 2010.
  • 16. Challenges/opportunities • Approval of New Draft Law on Personal Data; • Awareness-raising on personal data protection; • Assist data controllers and processors in complying with new legislation; • Development of training program for data protection officers.
  • 17. Silvije Fučec Head of Section for Public Relations Personal Data Protection Agency Bosnia and Herzegovina
  • 18. Institutional context • The Personal Data Protection Agency in Bosnia and Herzegovina began its work in 2008 on the basis of the Law on Personal Data Protection in Bosnia and Herzegovina. • The Agency operates as an independent administrative organization. • Decisions made by the Agency are final and only an administrative dispute can be initiated against them before the Court of Bosnia and Herzegovina. • The estimated number of employees in the Agency is 45, and the current number of employees is 26.
  • 19. Legal aspects of data protection • Constitution of Bosnia and Herzegovina • European Convention for the Protection of Human Rights and Fundamental Freedoms • Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) • Law on Protection of Personal Data • Sectoral laws and by-laws • Criminal Codes in Bosnia and Herzegovina
  • 20. Challenges/opportunities • Harmonization of legislation on personal data protection in Bosnia and Herzegovina with GDPR • Capacities of the Agency
  • 21. Ana Tokhadze Head of International Relations, Analytics and Strategic Development Department Nikoloz Popiashvili Head of the Office of the President of Personal Data Protection Service of Georgia Brief Review of Powers and Functions of the Personal Data Protection Service of Georgia
  • 22. Institutional context Main Functions of PDPS • Reviewing of citizens’ applications regarding the personal data protection • Examination of the lawfulness of data processing (inspection) • Consulting on issues concerning data protection • Providing information on important events to the public and increasing its awareness
  • 23. Legal aspects of data protection National Regulatory Framework • Scope of the Law of Georgia on Personal Data Protection - adopted in 2011, in force until: March 1st, 2024. • New Law of Georgia on Personal Data Protection – adopted in 2023, in force from March 1st, 2024. • International regulatory framework and the soft law.
  • 24. Challenges/opportunities Main Trends and Recommendations • Implementation of the new law in accordance with the best practice recognized on international level; • Raising public awareness and enhancing the culture of the respect for privacy and data protection; • Institutional development of the Personal Data Protection Service of Georgia; • Fostering international awareness of the Personal Data Protection Service of Georgia and cooperation with the foreign counterpart data protection.
  • 26. Institutional context • The Information and Privacy Agency of Kosovo* is an independent supervisory body accountable to the Assembly of Kosovo* • Oversees the implementation of two laws: 1. Law No. 06/L-081 on Access to Public Documents 2. Law No. 06/L-082 on Personal Data Protection • Mission • IPA's responsibilities are defined by the two laws it oversees * This designation is without prejudice to positions on status, and is in line with United Nations Security Council Resolution 1244/99 and the Advisory Opinion of the International Court of Justice on Kosovo’s declaration of independence
  • 27. Legal aspects of data protection • Law No. 06/L-082 on Personal Data Protection is in full compliance with GDPR: • Seven (7) principles of data protection • The rights of data subjects • Lawful basis of data processing activities • Data Protection Impact Assessments (DPIA) • Data Protection Officer (DPO) • Fines for data breach violations
  • 28. Challenges/opportunities Challenges: • Political Status of Kosovo*; • Non-Membership in the Council of Europe • Inability to Adopt Convention 108 • Insufficient Knowledge Levels of Citizens and Institutions • Lack of Professional Staff Opportunities: • Establishing Standards in Line with European Practices • Full Implementation of ECHR Decisions • Raising Awareness Among Citizens and Institutions • Training of Data Protection Officers (DPOs) • Participation in International Conferences as Members and Observers
  • 29. Zoia Cojocari Head of external relations and European integration NCPDP Republic of Moldova National Center for Personal Data Protection of the Republic of Moldova
  • 30. Legal aspects of data protection
  • 32. The Republic of Moldova has had observer status within the EDPB since 2017
  • 33. Muhamed Gjokaj member of council Zoran Vujičić member of council AGENCY FOR PERSONAL DATA PROTECTION AND FREE ACCESS TO INFORMATION OF MONTENEGRO
  • 34. Institutional context The Agency was established in 2009 in accordance with the regulations of the Law on Personal Data Protection (Official Gazette of Montenegro no. 79/08 and 70/09), Directive 95/46/EC
  • 35. Legal aspects of data protection 1. The Law on Personal Data Protection is in accordance with Directive 95/46/EC, which is still in force in Montenegro 2. Montenegro has not yet adopted a law that is in accordance with the GDPR 3. In 2018, a Working Group was formed for the introduction of the GDPR into our legal system
  • 36. Challenges/opportunities The essential matter for the functioning of the Agency is: • Independence of the institution • Financial independence • Free of political influence
  • 37. Nikola Nikolov https://www.linkedin.com/in/nikolanikolovit North Macedonia • Institution: Ministry of Information Society and Administration • Position: State Advisor for ICT • Coordinator of the project National Population Register
  • 38. Institutional context Personal Data Protection Agency • Law on Personal Data Protections • Adopted February 2020 -> Entered into force September 2021 • GDPR Compliant Ministry of Information Society and Administration • Information society • Administration • Media • Telecommunications • Trust service providers • National Population Register System • Founded with EU Support 2016 – 2019 • In production October 2019 • Base for eID • Base register for trust service providers
  • 39. Legal aspects of data protection • 2019 • Law on Central Population Register • Law on electronic documents, electronic identification and trust services • 2020(2021) • Law on Personal Data Protections
  • 40. Challenges/opportunities • Trained/Educated people who understand IT and personal data protection • Services Digitalisation (including legal background) using personal data • National Population Register system's connection through the Interoperability system • Digital Identity Wallet - following the last EU approach through the Digital Europe Program
  • 41. Milan Marinović Commissioner for Information of Public Importance and Personal Data Protection of Serbia
  • 42. Institutional context • An independent/autonomous state body • The Commissioner is elected by the National Assembly of Serbia by a majority vote of all MPs (also his/her 2 deputies). • Mandate: 8 years (1 term limit) (previously: 7 years - with the possibility of a two-term limit) • Protects two human rights: 1) The right to access information of public importance (as of 2004) - as a second-instance authority (deciding on appeals) 2) The right to personal data protection (as of 2009) - as the principal authority • Head Office in Belgrade and offices outside the Head Office (Novi Sad, Niš, Kragujevac...) • Workforce: up to 154 employees; currently: 102 employees; planned by the end of 2023: 133 employees: (2019: 94 employees) • 10 Sectors + Cabinet + Offices outside Head Office - (2019: 7 sectors) • Personal data protection: - Inspection supervision - Handling complaints and requests by (natural and legal) persons - Giving opinions on draft laws and other regulations - Imposing fines and submitting indictment acts to the competent courts - Imposing measures on Data Controllers - Education and raising awareness on the importance of personal data protection - Deciding on requests for data transfer to other economies...
  • 43. Legal aspects of data protection • Constitution of Serbia: The Right to Personal Data Protection (Article 42) • Law on Personal Data Protection (in force from August 22, 2019): - 2 in 1: compilation of GDPR and Law Enforcement Directive - Strengths and weaknesses - The need for amendments to the law - reasons: a) The existence of two parallel personal data protection regimes: general and special b) Imprecise definition of the term "competent authorities that process data for special purposes" c) Lack of legal basis for the possibility of using standard contractual clauses in the legal relationship between Data Controllers d) Lack of regulation for the processing of biometric data and the processing of personal data via video surveillance e) No time limit has been set for submitting a complaint to the Commissioner and the complaint procedure f) The processing of personal data of deceased persons is not regulated g) The processing of personal data by artificial intelligence is not regulated • Personal Data Protection Strategy for the period 2023-2030 (Action plan)
  • 44. Challenges/opportunities • Raising awareness on the need and importance of personal data protection - everyone (citizens, Data Controllers and Data Processors, media representatives, relevant citizen associations...): - Education and training, panels, round tables... - Implementation of personal data protection in elementary and high school curricula - Education on the protection of personal data via short study programs at faculties - Creating relevant TV and Internet content • Increased need to protect personal data in the modern era - challenges: - Fast-growing development of modern technologies - Comprehensive digitization - Processing of personal data by artificial intelligence - Processing of genetic data... • Change in the way of conducting supervision (analog and digital records of personal data) • Chronic lack of IT experts • Insufficient cooperation between competent bodies engaged in personal data protection from different economies • The necessity of preventive normative action and a common, unique response to challenges
  • 45. Yuliia Derkachenko Representative of the Ukrainian Parliament Commissioner for Human Rights on Information Rights
  • 46. Institutional context • What is parliamentary control? • What is the Secretariat of the Ukrainian Parliament Commissioner for Human Rights? • What tasks does the Information Rights Monitoring Department of the Commissioner's Secretariat perform? • What does the Expert Council at the Representative of the Information Rights do?
  • 47. Legal aspects of data protection • Constitution of Ukraine of 1996; • Law of Ukraine «On Personal Data Protection» of 2010; • Order of the Ukrainian Parliament Commissioner for Human Rights «On approval of documents in the field of personal data protection» of 2014; In 2010 Ukraine ratified the CoE’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). A new draft of the Law of Ukraine "On the Protection of Personal Data" has been registered in the Parliament of Ukraine. The draft of the Law of Ukraine "On the National Commission on Personal Data Protection and Access to Public Information" was also registered in the Parliament of Ukraine.
  • 48. Challenges/opportunities Challenges: • War in Ukraine; • Reforming legislation on data protection; • The growing number of cyber threats; • Prevalence of use of artificial intelligence; • The need to educate citizens and employees of state authorities about the importance of personal data protection; • Monitoring violations and responding to them; • Interaction with other bodies etc. Opportunities: • Completion of the reform of data protection legislation and integration into the international environment; • Reduction of risks in the field of personal data protection; • Protection of critical infrastructure; • Improving the qualifications of employees; • Raising the awareness of citizens and others.