
Data Protection Regulation


CHAPTER I
GENERAL PROVISIONS

Article 1
Object

The object of this Regulation is the definition of organizational and technical procedures, measures for personal data protection and security, storage and administration of personal data by the structures of Kukës International Airport (KFZ).

Article 2
Purpose

This Regulation aims to set out the general principles and organizational and technical measures for the protection, storage, security and administration of personal data. It applies to all data processed by the KFZ in accordance with the "Law on Personal Data Protection".
Data processing must be done in accordance with the Constitution, the Law on Personal Data Protection, respecting the rights of employees and any other entity.

Article 3
Definitions

1. For the purposes of this Regulation, the following terms have this meaning:

1. "Controller", for the purposes of this Regulation, is the KFZ, which alone or together with others determines the purpose and manner of processing personal data, in accordance with the laws and bylaws in the field, and is responsible for fulfilling the obligations defined in this law.

2. "Processor", for the purposes of this Regulation, is any department of the administration of the KFZ, except the employees of the controller, that processes data for the controller itself.

3. "Recipient" is any natural or legal person, public authority, agency or any other body to which the data of a third party has been provided or not.

4. Other terms used in the implementation of this Regulation have the same meaning as in Law No. 9887, dated 10.03.2008, "On the protection of personal data", as amended.

Article 4
Scope of application

This Regulation applies to the processing of personal data in whole or in part, through automatic means, and by other means kept in an archiving system or intended to form part of the archiving system at the KFZ.

CHAPTER II
PROCESSING OF PERSONAL DATA

Article 5
Protection of personal data

Every employee of the KFZ structures, who deals with the processing of personal data of entities, is obliged to comply with the requirements of Articles 2 and 5 of the law "On personal data protection", as amended, as follows:
• Respecting the principle of lawful processing of personal data, respecting and guaranteeing fundamental human rights and freedoms and, in particular, the right to privacy;
• Carrying out processing in a fair and lawful manner;

• Collecting personal data for specific, clearly defined, legitimate purposes and processing them in accordance with those purposes;
• The data to be processed must be sufficient, relevant to the purpose of the processing and not exceed this purpose;
• The data must be factually accurate and, where necessary, any action must be taken to update and ensure that inaccurate and irregular data is deleted or altered;
• Data should be kept in such a way as to allow the identification of data subjects for a period of time, but not longer than necessary for the purpose for which they were collected or further processed.

Article 6
Purpose of processing

Every KFZ employee may use personal data only for the performance of the duties provided by law and in accordance with the laws and bylaws that regulate the manner of processing personal data.

Article 7
Personal data processing criteria

Each KFZ structure that processes personal data of entities relies on the criteria set out in Article 6 of the law "On personal data protection":
• for fulfilling a legal obligation of the controller;
• for the fulfillment of contracts for which the data subject is a contracting party;
• to perform a legal task in the public interest;
• to pursue the legitimate interests of the controller or of a third party to whom the data has been disseminated, except where those interests prevail over the interests of protecting the fundamental rights and freedoms of the data subject.

Article 8
Sensitive data processing

The processing of sensitive data is performed in accordance with the criteria set out below:
• data are required for the provision of health care or medical diagnosis, and their use is performed by medical staff at the KFZ;
• processing is necessary for the fulfillment of the legal obligation and the specific rights of the controller in the field of employment, in accordance with the Labor Code.

CHAPTER III
DATA SUBJECT RIGHTS

Article 9
Enforcement of the rights of personal data subjects

Article 10
Request for information

The request for information can be made by:
• The person himself;
• Legal representative provided with the relevant authorization.
The answer in each case is sent to the address requested by the applicant.

CHAPTER IV
PERSONAL DATA SECURITY

Article 11
Data security measures

KFZ and its subordinate bodies take appropriate organizational and technical measures to protect personal data from illegal or accidental destruction and accidental loss, from access or dissemination by unauthorized persons, especially when data processing is done on the network, as well as from any other illegal form of processing.
They take these special security measures:

• Define the functions between organizational units and operators for the use of data;
• The use of data is done by order of the KFZ executives or persons authorized by them;
• Prohibit the entry of unauthorized persons into the premises of the controller or data processor.
• Access to data and programs is made only by authorized persons, prohibit access to archiving tools and their use by unauthorized persons;
• Commissioning of data processing equipment is done only with the authorization of the representatives of the KFZ, and each tool is provided with preventive measures against unauthorized commissioning;
• Record and document modifications, corrections, deletions, transmissions, updates, etc.
• Whenever KFZ employees leave their place of work, they must close their computers, cupboards, safes and office, in which personal data are stored;
• Employees should not leave the workplace when unprotected data is on the table in the presence of persons who are not employed by the KFZ;
• Do not keep personal data on the monitor, when an unauthorized person is present and especially in non-public places;
• Do not take computers, laptops, flash drives or other devices containing personal data out of the office under any circumstances and should not leave them in unsafe places, without ensuring the deletion or destruction of data;
• Data is protected by verifying the identity of the user and allowing access only to authorized individuals.
• Instructions for using the computer must be stored in such a way that they are not accessible to unauthorized persons;
• Constantly perform the login and logout procedure using personal passwords at the beginning and end of their access to protected data stored in KFZ databases;
• Recognition and registration of terminal operators and users is performed using passwords for entering the database. Passwords are considered secret and are personal;

• In documents containing protected data, they must ensure the destruction of supporting materials (e.g. evidence or papers, matrices, calculations, diagrams and sketches) used or produced to create the document;
• Documented data are not used for other purposes, which are not in line with the purpose of the collection.
• The recognition or any processing of data recorded in the file for a purpose other than the right to discard data is prohibited. Excluded from this rule is the case when data are used to prevent or prosecute a criminal offense.
• Store data documentation for as long as is necessary for the purpose for which it was collected.
• The level of security should be appropriate to the nature of the processing of personal data.
• Respect other laws and bylaws that determine how personal data should be used.

Article 12
Environmental protection

The premises in which personal data will be processed must be protected by organizational, physical and technical measures to prevent the access of unauthorized persons to the premises and equipment with which personal data will be processed.
The implementation of security measures should be done in accordance with the level of security of data and information administered, as well as indicators of the level of risk that may arise from unauthorized exposure of stored information.
The following security measures are applied in the premises where personal data are processed:
• The entry of unauthorized persons is prohibited.
• Persons entering these premises must be provided with the relevant authorization.
• Entrance facilities are monitored by cameras 24 hours a day.
• In addition to other protection measures and systems, electronic security equipment and systems are installed (signaling systems, cameras, etc.).
• The premises are equipped with iron lockers that protect files from damage, with safes and locks with keys.
• Continuous surveillance is provided, day and night, with physical guards.

Article 13

In the premises where protected (personal) data are processed are allowed to stay:

Article 14
Directorate of Technology

The Information Technology Directorate should have a copy and a duplicate of all data and software stored on the host computer. The duplicate copy must be kept in a safe place. DTI keeps a copy of the data and system located on the secondary computer.
A duplicate copy must be kept in a place or environment other than the building in which the DTI is located. The number and form of additional copies of documents and other means of communication in which they are stored are determined by the relevant department for each document.

Article 15
Protection of electronic devices

Electronic equipment for processing data and information in the KFZ institution is used only for the performance of tasks defined in the regulations. These devices are used only by KFZ employees previously trained to use them. Training of personnel dealing with automatic data processing is done by the Directorate of Information Technology.
For any error or defect in the systems / databases of the KFZ institution, the system administrator is notified, who on the basis of the request makes the relevant adjustment.

Article 16
Software protection

Programs for handling data and information purchased or donated by various donors are managed by the Directorate of Information Technology. When a program intended for the processing of data of the KFZ institution is created at the initiative of a KFZ employee who is not involved in the development of the organization and planning of programs, the program must be approved by the department before it is put into use. After approval, the department organizes its installation on electronic devices.
For each program the Department / Directorate of Information Technology can determine:

Article 17
Passwords

Many of the applications and computer systems are password protected. For security reasons, these passwords should be changed from time to time (every 3 months or every 6 months). Some rules on using and setting passwords:
• The password for accessing technology and information resources (e.g. computer, etc.) should not be shared with other persons inside or outside the body. Employees are responsible for the storage and non-disclosure of this information.
• When setting the password, a word or phrase should be chosen that can be easily remembered, but not something that easily identifies the user, such as a name or address. It is advisable to use a strong password. A strong password is one that contains uppercase and lowercase letters, numbers, and punctuation.

Article 18
Monitoring and recording access to personal data

Access to data and information is subject to special security standards for maintaining and updating their inviolability. The system is built in such a way that it verifies the identity of the user. This requires the central server to recognize each terminal operator and each user through separate programs. This system enables the continuous identification of the user at any time, at a specific terminal, workplace or other device for the period for which specific data is stored.
Users should be familiar with the type of data in the daily recordings and the storage time of these recordings.
The daily records are administered by organizational units of the general administration of the KFZ responsible for data protection, which determines the content of the daily record data and the time of storage of personal data. The retention period of the data record or information is equal to the retention period of the written document containing this data or information. After this deadline, this data is archived or destroyed. Recognition and registration of terminal operators and users is performed using passwords for entering the database. Passwords are considered secret and are personal.
Access to data and information is allowed or restricted by special electronic programs. Control and documentation of access to data and information is performed by persons responsible for data protection.

Article 19
Document protection

Classified documents and other means of communication in which personal data are kept must be marked with a kind of secrecy and a certain level of confidentiality. The secrecy and the level of confidentiality are determined in accordance with the normative acts in force.

Article 20
Secret documents

When documents are created that contain data that is considered "top secret" or "secret", the original document sets out data regarding the number of copies made to the document (written, printed, drawn, duplicated) and to whom it was given. Each copy must have its own registration number.
If the material referred to in the preceding paragraph consists of several pages or links to other documents or has other component parts then each page must be provided with a certain level of confidentiality or ensure that pages and links are not removed or deleted without a prior warning.
When confidential data is presented on a screen or other media system, the level of secrecy or confidentiality must be indicated in every part (illustrations, pictures, observations, predictions) of the presentation.

Article 21
Preservation of secret documents

Documents containing data that are "top secret" or "secret" must be locked in technically safe iron units, or collected on a locked iron plate provided by a code, even though they are directly controlled by an employee who needs relevant (certain) documents for his job.
The keys to these units must be secured by officials in close physical contact, in their places or in envelopes sealed by the head office. Other keys should be held by the head office of the head of the respective organizational unit. If a key is lost, the key must be changed.
The places where the documents mentioned in the above paragraph are protected are accessible only to employees who create, use, protect or provide these documents.

Article 22

Preparatory materials used to create documents containing "top secret" or "secret" data (matrices, calculations, diagrams, sketches, issues or printouts) must be destroyed by a panel of witnesses or observers. The method used to destroy them should be such as to ensure that the content cannot be read or reproduced.
The observer commission shall keep a report on the destruction of the material referred to in the preceding paragraph which shall be signed by all members of the commission. personal data is determined by the relevant superior.
The same procedure is used for the destruction of data and documents and other means of communication whose use has expired.


Article 23
Duplicate programs

Duplicates of data programs used in the event of natural disasters or in the event of a state of emergency or war must be stored in places or premises located outside the head office of the relevant organizational unit. The manner of creation, multiplication and preservation of these duplicates is determined separately for each document, in accordance with the rules of their preservation and guarantee, established by the respective organizational unit and with the rules applicable in case of natural disasters.

Article 24

If a document with confidential data is lost or disappears, the competent officer has the duty to immediately inform his superior and take any measure deemed necessary to determine the circumstances in which the document was lost and to eliminate the harmful consequences.

CHAPTER V
ADMINISTRATIVE SANCTIONS

Article 25
Administrative measures

Any KFZ employee who violates the duty to protect personal data is liable for breaches of discipline, rules, and obligations in the course of his or her work. If their actions do not constitute a criminal offense, administrative and disciplinary measures are taken against them according to the normative acts in force.

Article 26
Supervision of protection measures and procedures

Supervision of the implementation of the rules for personal data protection for the observance of security norms, for the protection of automated data against their accidental or unauthorized tampering, as well as against their unauthorized entry, alteration and dissemination is performed by the persons responsible for supervision and protection of the respective data.

CHAPTER VI
FINAL PROVISIONS

Article 27
Confidentiality for data processing

Any KFZ employee who processes data or becomes aware of the processed data may not disclose the content of this data to other persons. He is obliged to maintain confidentiality even after the termination of the function.
Any person acting under the authority of the controller should not process the personal data to which he has access, without the authorization of the controller, except when required by law.


Article 28
Obligation to cooperate

KFZ is aware of its obligation to cooperate with the Commissioner and to provide all the information the Commissioner requires for the fulfillment of duties, as the Commissioner has access to the computer system and archiving systems that perform the processing of personal data, and to all documentation related to their processing and transfer, for the exercise of the rights and duties assigned by law.

Article 29
Obligation to enforce

All legal acts of the Commissioner are mandatory for implementation by the KFZ and its subordinate structures.
Every employee involved in the processing of personal data is aware that the processing of personal data in violation of the requirements of the law "On personal data protection" constitutes an administrative offense and is punishable by a fine.

Article 30
Sanctions

This regulation is part of the internal regulation and non-compliance with its requirements constitutes a violation of work discipline and is punishable under applicable law.