Last updated: 11 May 2026. Virtual Era Ltd.’s position on the General Data Protection Regulation and equivalent national instruments. This statement summarises our capabilities as both a controller and a processor, our governance, and how clients and data subjects can engage with us.
Virtual Era Ltd. complies with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), Kosovo Law No. 06/L-082 on Personal Data Protection, and the equivalent national instruments in Albania, North Macedonia, Montenegro, and any other jurisdiction in which we operate. We treat data protection as a board-level governance matter, not a check-box exercise.
Virtual Era acts in two capacities under GDPR:
Virtual Era maintains a standard DPA aligned to Article 28 GDPR. The DPA covers:
The current DPA template is available to client procurement and legal teams on request to legal@virtualera.net. Variations to the standard DPA are reviewed on a case-by-case basis.
Where Virtual Era engages sub-processors to deliver services, each sub-processor is bound by a written contract imposing materially equivalent obligations to those agreed with the client controller. Sub-processors are vetted before onboarding and reviewed at least annually thereafter, with the review covering security posture, regulatory status, and geographic processing locations.
A current list of sub-processors used in our standard service catalogue is published on request to dpo@virtualera.net and updated when material changes occur. Clients on managed-service engagements receive prior notice of new sub-processors and may object on reasonable grounds within a defined window.
Personal data processed by Virtual Era is held primarily within the European Economic Area or within jurisdictions covered by a European Commission adequacy decision. Where transfers occur outside that perimeter (for example to a sub-processor in another region), Virtual Era relies on Chapter V GDPR transfer mechanisms — principally the European Commission’s Standard Contractual Clauses combined with a documented transfer-impact assessment ("TIA"). The TIA evaluates the laws and practices of the destination jurisdiction and the supplementary measures applied to protect the transferred data.
Virtual Era operates a documented incident-response process that classifies events involving personal data, escalates to the DPO and the relevant client controllers, and produces the notifications required by Article 33 GDPR within seventy-two (72) hours of becoming aware of a notifiable breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, affected individuals are notified without undue delay under Article 34 GDPR.
Where Virtual Era acts as processor, breach notifications to the client controller are issued within forty-eight (48) hours of becoming aware, providing the categories of information needed for the controller to fulfil its own seventy-two-hour notification deadline.
When Virtual Era receives a data subject request that concerns data processed on behalf of a client controller, the request is forwarded promptly to the client controller and we cooperate in fulfilling the response within the GDPR timelines. When the request concerns data for which Virtual Era is the controller, our DPO handles the request directly.
Virtual Era maintains records of processing activities under Article 30 GDPR for both controller and processor activities. The records are reviewed at least annually and at each material change to processing activities. Records are made available to supervisory authorities on lawful request.
For new services, products, or processing activities likely to result in a high risk to the rights and freedoms of natural persons, Virtual Era conducts a DPIA under Article 35 GDPR. DPIAs are reviewed by the DPO and, where required, the supervisory authority is consulted under Article 36 GDPR. DPIAs are revisited when the risk profile changes.
Virtual Era’s technical and organisational security measures are aligned to Article 21 of Directive (EU) 2022/2555 (NIS2), which sets out the cybersecurity risk-management framework expected of essential and important entities. Our measures address risk analysis, incident handling, business continuity and crisis management, supply chain security, security in network and information systems acquisition, development, and maintenance, policies and procedures to assess effectiveness, basic cyber hygiene practices, cybersecurity training, cryptography and encryption, human resources security, access control, and multi-factor authentication. Where Virtual Era provides services to entities within NIS2 scope, our DPA and master service agreements include the supplementary security commitments expected of supply-chain providers under Articles 21(2)(d) and 21(3) NIS2.
Where Virtual Era’s services involve the use of qualified electronic signatures, qualified electronic seals, qualified time stamps, qualified electronic registered delivery, or other trust services within the meaning of Regulation (EU) No 910/2014 ("eIDAS") as amended by Regulation (EU) 2024/1183 (eIDAS 2.0), such use is documented in the applicable engagement contract. Virtual Era treats qualified electronic signatures as having the legal effect of handwritten signatures under Article 25 eIDAS.
Virtual Era operates with executive accountability for data protection. The DPO has direct reporting access to the highest level of management, sufficient resources to perform their tasks, and is not penalised for performing those tasks. The DPO’s role and contact details are published in our Privacy Policy and in client DPAs.
For client and procurement-level enquiries: legal@virtualera.net.
For data subject rights and DPO contact: dpo@virtualera.net.
Postal: Virtual Era Ltd., Attn: Data Protection Officer, Rr. Agim Ramadani, Hy. C3, Nr. 2, 10000 Prishtina, Republic of Kosova.