International Expert on Personal Data Protection to draft the strategy and the action plan for the Information and Privacy Agency (IPA)_(SSA)

Background:

The OSCE is supporting public institutions in enhancing their transparency through the implementation of the legal framework on the access to public documents and the protection of personal data, in a manner which balances the residents’ right to data and access with the right to privacy protection. 
To this end, the OSCE’s support to the IPA entails raising the awareness and building the capacities of key institutions, with particular emphasis on municipal institutions, on the implementation of the legal framework on the access to public documents and the protection of personal data. In addition, it has been supporting the IPA in enhancing its internal professional capacities, completing its regulatory framework, and developing its programs.  

As a result of the OSCE’s support and the IPA’s work, there has been continuous progress in enhancing transparency through the efficient implementation of the right to access official documents and the protection of personal data. At the local level, all municipalities have assigned focal points for data access and privacy protection, while the Association of Kosovo Municipalities has established a collegium of municipal officials responsible for access to public documents and the protection of personal data. 

The IPA regularly handles residents’ complaints for alleged violations of these rights and provides guidance to public and private institutions on matters related to personal data access and privacy protection. Depending on the findings of the investigations of the alleged infringements, IPA is mandated to issue fines in line with the relevant legal framework. Currently, the IPA is focused on enhancing the proactive publication of official information across public institutions, while further promoting the right to personal data protection.

In 2025, the OSCE will continue its collaboration with the IPA in its efforts to further increase the transparency of public institutions while ensuring respect for residents’ rights to the personal data protection. In this regard, and contributing to the overall process of digitalisation of public services in Kosovo as well as building from the support provided in 2024 in producing the IPA’s Transparency Program, the OSCE will support the IPA to draft its Strategy and Action Plan for 2025 – 2027. 

As the first Strategy, it will enable IPA to systematically and sustainably enhance transparency across public institutions. It will incorporate the latest European standards on data access and personal data protection, contributing to alignment with the three-year planning of the European Data Protection Board. 

Specifically, the Strategy is expected to entail: data mapping; legal framework; data protection by design/by default; Data Privacy Risk assessment; Data Protection Policy and Procedures; Registry of activities processing personal data; Data Retention period procedure; consent mechanism; standard model clauses for third parties; data breach; data subjects rights and obligations.

The Action Plan will thematically and chronologically prioritise its implementation points, and would also incorporate a monitoring component to track progress of implementation.

The Strategy and Action Plan will enable the IPA to design its actions in a structured manner. Through this approach, it will have an impact on the broad spectrum of public and private institutions, enhancing transparency while, at the same time, safeguarding the residents’ rights to personal data protection.

Objective of Assignment: 

The main objective of the consultant will be to draft IPA’s Strategy and Action Plan for 2025 – 2027. The overall objective of the three-year Strategy, the first of its kind for IPA, is to provide institutions with systematic and sustainable support for enhancing the transparency of public institutions. As part of this strategy, the Action Plan will prioritize implementation points both thematically and chronologically, and will also include a monitoring component.

Duration of Assignment:

The Consultant will be hired for 12 working days

Tasks and Responsibilities:

• Assess the IPA’s transparency program against General Data Protection Regulation (GDPR) requirements, particularly in the areas of data handling, personal data-access, and transparency of procedures;
• Work collaboratively and co-ordinate with IPA staff members and their external consultants, if any, in order to ensure harmonisation of the ongoing work on policy and regulation drafting;
• Engage with key stakeholders in the IPA to understand their data protection practices, institutional challenges, and alignment with laws and by-laws;
• Based on the desk review as well as the inputs and discussions provided by the IPA, develop a comprehensive. Strategy for IPA for the next three years that integrates personal data protection, emerging technologies, and data-access;
• Draft an Action Plan that supports the Strategy and includes specific timelines, milestones, and performance indicators;
• Compile the findings and recommendations into a final report for submission to OSCE.

Deliverables:

Within 20 working days from the contract signature submit the findings from the review process of the two laws, including actionable recommendations.

• Performance indicator: 
  Submission of the monthly report in English language summarising the core findings of the review and other work conducted   in agreement with the Activity Manager;
  Within 30 working days from the contract signature submit the first draft of the Strategy for IPA;
• Performance indicator: 
  Timely delivery of the first draft strategy to the OSCE and IPA for review and comments;
  Within 30 working days from the contract signature submit the draft Action Plan for Strategy implementation.
• Performance indicator: 
  Timely delivery of the first draft Action Plan to the OSCE and IPA for the review and comments;   
  Within 40 days from the from the contract signature address the comments and suggestions received in the review process of the draft Strategy.
• Performance indicator: 
  Timely delivery of the consolidated draft Strategy that is accepted and considered as final by all parties;
  Within 40 days from the from the contract signature address the comments and suggestions received in the review process of the draft Action Plan.
• Performance indicator: 
  Timely delivery of the consolidated draft Action Plan that is accepted and considered as final by all parties;
  Submission of all other deliverables to the Activity Manager, should that be the case (i.e., deliverables not listed here that might arise during the implementation process);
• Performance indicator: 
  Timely and qualitative delivery of deliverables that might emerge in the drafting process; 
  Effective engagement and efficient communication with the Activity Manager and the respective IPA departments.
• Performance indicator: 
  Regular communication and meetings (in person and/or virtual) with the IPA department for protection of personal data. Bi-weekly up-date to the activity manager on the drafting process. 
  Within 90 working days from the contract signature submit the consultancy final report to the OSCE inclusive:  
  (a) A brief reiteration of the consultancy objectives;
  (b)  A summary of the activities undertaken;
  (d)  An evaluation of the consultancy, including any problems or successes encountered; and
  (e)  The impact accomplished and/or expected.
• Performance indicator:
  Inclusion of summarized achievements, meetings held, and actions taken in the final report.

Necessary Qualifications:

• University degree in law, information technology, cyber security or a similar field;
• Certification by the International Association of Privacy Professionals on General Data Protection Regulation;
• A minimum of 5 years of relevant work experience in personal data protection law, compliance and data security;
• Extensive knowledge of European and international instruments on personal data protection;
• Experience in drafting policy papers, strategies, action plans and similar documents;
• Strong analytical and communication skills;
• Outstanding writing and reporting skills;
• Experience in conducting interviews, focus group discussions, and surveys for primary data collection;
• Capacity to co-ordinate with a multitude of interlocutors to ensure comprehensive data collection;
• Full professional fluency including excellent drafting and analytical skills in English language.

Remuneration Package:

Remuneration will be based on the selected consultant's/expert's qualifications, experience, the tasks and deliverables for this position and in accordance with the OSCE established rates.

In order to apply for this position, you must complete the OSCE's online application form, found under OSCE Careers - Jobs .  Applicants are encouraged to use the online recruitment and only fully completed OSCE applications will be accepted. However, if you have technical difficulties with the system, you may use the offline application form found at Offline application form | OSCE Employment and forward the completed form quoting the vacancy number by e-mail to: consultancy.omik@osce.org. In line with your qualifications please indicate a preference for one or more fields of expertise listed above (while using the online application the field of expertise preference can be indicated in the cover letter part). Kindly note that applications received after the deadline, submitted in different formats than the OSCE Application Form or other languages than the English language would not be considered. The OSCE is committed to diversity and inclusion within its workforce and encourages qualified female and male candidates from all national, religious, ethnic, and social backgrounds to apply.