KST Institute · Pristina — Western Balkans · EU-aligned infrastructure authority
Insights EU & IFIs Careers Join Network Contact
Home/Legal & Compliance/Privacy Policy
Governance · KST-LEG-PRIV-2026

Privacy Policy

How KST Institute collects, uses, stores and protects personal data — aligned to the EU General Data Protection Regulation (GDPR) and the Kosovo Law on Personal Data Protection.

Document reference KST-LEG-PRIVACY-2026
Last reviewed January 2026
Next review January 2027
Owner General Counsel
Status In force
01

Controller

KST Institute sh.p.k. (the "Institute") is the controller of personal data processed through this website and in the course of its engagements.

Contact for data protection matters. privacy@kstinstitute.com

02

Categories of personal data

The Institute processes personal data in the following categories:

  • Identification and contact data (name, email, phone, role, organisation)
  • Professional data (CV, qualifications, publications — for engagements, suppliers and career applicants)
  • Engagement data (correspondence, meeting notes, project data)
  • Technical data (IP address, device / browser information, session data)
  • Marketing preferences (newsletter subscription, event registration)
03

Lawful bases

The Institute processes personal data on the following lawful bases, per Article 6 GDPR:

  • Contract. To enter into and perform engagements.
  • Legal obligation. To comply with applicable law.
  • Legitimate interest. Business administration, direct communication with professional contacts, security and fraud prevention.
  • Consent. For newsletter marketing and non-essential cookies.
04

Data retention

Personal data is retained for the period necessary for the purpose for which it was collected and for statutory archival periods thereafter. A detailed retention schedule is maintained internally and is available on request.

05

Data sharing

The Institute shares personal data only where necessary, including with:

  • Authorised employees and consultants bound by confidentiality
  • Professional advisors (legal, audit, accreditation) under confidentiality
  • IT and hosting providers acting as data processors, bound by data processing agreements
  • Competent authorities where legally required
06

International transfers

The Institute processes personal data primarily within the EU / EEA. Where transfers outside the EU / EEA are necessary, the Institute applies appropriate safeguards, including Standard Contractual Clauses and supplementary measures as required under GDPR Chapter V.

07

Data subject rights

Under GDPR Articles 13–22 and equivalent Kosovo law, data subjects have rights of access, rectification, erasure, restriction, portability and objection, and the right to withdraw consent. Requests can be addressed to privacy@kstinstitute.com. The Institute responds within one calendar month.

Data subjects also have the right to lodge a complaint with the Kosovo Information and Privacy Agency (AIP) or the relevant EU supervisory authority where applicable.

08

Security

The Institute applies organisational and technical measures to protect personal data, aligned to ISO/IEC 27001 principles, including access controls, encryption in transit, logging, regular patching and staff training.

09

Changes

This Privacy Policy may be updated. Material changes are notified on this page and, where appropriate, by email to registered users.

Contact

Questions about this policy?

For questions related to this policy, contact the Institute directly or email the compliance team.

Contact the Institute Email compliance
Work with KST Institute

Engage the Institute on your next infrastructure mandate.

Contact us Partner with us Join expert network