August 2023

1. Governing Texts

The Constitution of the Republic of North Macedonia guarantees the right to privacy of individuals in the scope afforded by the European Convention for the Protection of Human Rights and Fundamental Freedoms. The country is also a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 108/81  ('Convention 108')

1.1. Key acts, regulations, directives, bills

The principal legal instrument in the area of data protection is the Law on Personal Data Protection 2020 ('the Law'). The Law was adopted in February 2020 to align the national data protection legislation with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The relevant bylaws include the following:

• List of Types of Processing Operations for which Data Protection Impact Assessment ('DPIA') is not mandatory (only available in Macedonian here);
• List of Types of Processing Operations for Which a DPIA is mandatory;
• Methodology for the Implementation of DPIA;
• Rulebook on Security of Data Processing;
• Rulebook on the Process of DPIA;
• Rulebook on Reporting Personal Data Processing of High Risk;
• Rulebook on Data Transfers; and 
• Rulebook on the Method of Reporting Personal Data Breaches. 

1.2. Guidelines

The national regulatory authority responsible for overseeing the implementation of the Law is the Personal Data Protection Agency ('DPA'). Since the enactment of the Law, the DPA has issued a range of guidelines to promote best practices among controllers and processors in both the public and private sectors. These include:

• Guidelines for Data Protection Officers in the Public and Private Sector (only available in Macedonian here)
• Guidelines for the Transfer of Personal Data to Third Countries and International Organizations (only available in Macedonian here);
• Guidelines for Adopting Privacy Policies (only available in Macedonian here);
• Guidelines for Protection of Personal Data of Employees (only available in Macedonian here);
• Guidelines for the use of Cookies (only available in Macedonian here);
• Guidelines for Lawfulness of Personal Data Processing (only available in Macedonian here).

1.3. Case law

Currently, there is no pertinent case law in relation to the Law, as the DPA has not imposed penalties on controllers and processors for non-compliance. Instead, the DPA has provided guidance and direction to help rectify any identified deficiencies.

2. Scope of Application

2.1. Personal scope

The Law applies to all organizations (both public and private) in North Macedonia that process the personal data of individuals residing in North Macedonia.

The Law applies exclusively to natural persons who have been identified or are identifiable. An identifiable person refers to someone who can be identified, either directly or indirectly, by using an identifier such as their name, identification number, location data, online identifier, or other factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. Examples of personal data include but are not limited to an individual's name, address, phone number, identification card number, date of birth, personal identification number, occupation, account information, and financial details.

2.2. Territorial scope

As mentioned above, the Law applies to all organizations (both public and private) in North Macedonia.

The Law also applies to foreign organizations if they offer goods or services to or monitor the behavior of individuals residing in North Macedonia. Foreign organizations that process the personal data of Macedonian individuals must appoint a local data protection representative unless the processing of personal data is occasional and does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offenses, and is unlikely to result in a risk to the rights and freedoms of individuals, taking into account the nature, context, scope, and purposes of the processing or the processing is conducted by a public authority or body.

2.3. Material scope

The Law applies to the processing of personal data wholly or partly by automated means and processing other than by automated means of personal data that form part of a filing system or is intended to form part of a filing system. The Law does not apply to the processing of personal data collected by individuals for purely domestic or household activities, with no connection to a professional or commercial activity.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The DPA is the national regulatory authority that oversees the implementation of the Law.

3.2. Main powers, duties and responsibilities

The DPA's main competencies include the following:

• to promote awareness of the risks, rules, safeguards, and rights pertaining to personal data (especially concerning children);
• to advise national and governmental institutions on the application of the Law;
• to hear claims brought by individuals or their representatives and inform individuals of the outcome of such claims;
• to establish requirements for DPIAs;
• to encourage the creation of Codes of Conduct and review certifications;
• to authorize transfers of personal data outside North Macedonia and Standard Contractual Clauses ('SCCs') and Binding Corporate Rules ('BCRs');
• to keep records of sanctions and enforcement actions; and
• to fulfil 'any other tasks related to the protection of personal data'.

4. Key Definitions

Personal data: Any information pertaining to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Data controller: Any natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. When a law or regulation determines the purposes and methods of personal data processing, the same law determines the controller or the particular criteria for its selection.

Data processor: Any natural person, legal entity, or authorized state administrative body, which processes the personal data on behalf of the controller.

Personal data processing: Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Filing system: Any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

Data subject: Any natural person to whom personal data is processed.

Consent: Any freely given, specific, informed, and unambiguous indication of their wishes by which the data subject, either by a statement or by explicit affirmative action, signifies agreement to personal data relating to them being processed.

Special categories of personal data: Personal data that reveals racial or ethnic origins, political, religious, philosophical, or other beliefs, membership of trade union organizations, and data relating to human health such as genetic or biometric data, or data that refers to the sexual identity of the individual.

Data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Data concerning health: Personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveal information about their health status.

Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person.

Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Data Protection Impact Assessment: A process designed to describe the processing of personal data, assess its necessity and proportionality, and assist in the management of risks to the rights and freedoms of natural persons that will arise from the processing, as well as to provide measures to deal with those risks.

In addition, the Privacy Guide defines a 'Privacy Impact Assessment' as a tool for systematic analysis of privacy and data protection issues related to the information system of an organization, noting that a Privacy Impact Assessment is an effective tool for informing the management of all risks and helping in the decision-making process to avoid any privacy-related disasters (page 9 of the Privacy Guide).

Data protection officer: A person authorized by the controller to ensure compliance with the Law and monitor its implementation.

5. Legal Bases

5.1. Consent

The processing of personal data can be conducted if an individual has provided consent for the processing. The consent of individuals must be specific, informed, unambiguous, verifiable, and given freely. Consent cannot be inferred from silence or inactivity. Data controllers relying on individuals' consent to process their data must ensure that the consent will meet the standard of being specific, granular, clear, prominent, opt-in, properly documented, and easily withdrawn.

5.2. Contract with the data subject

The processing of personal data may be conducted to perform a contract to which the individual is a party or to take steps at the individual's request before entering into a contract.

5.3. Legal obligations

Data controllers may process personal data to ensure compliance with a legal obligation to which the data controller is subject.

5.4. Interests of the data subject

Data controllers may process personal data to protect the vital interests of the individual or another natural person.

5.5. Public interest

The processing of personal data is allowed to perform a task carried out in the public interest or in the exercise of an official authority vested in an organization.

5.6. Legitimate interests of the data controller

Processing of personal data is allowed for the legitimate interests pursued by an organization or a third party, except where such interests are overridden by the individual's interests or fundamental rights and freedoms, which require the protection of personal data, particularly where the individual is a child.

5.7. Legal bases in other instances

Employment

Employers are allowed to process employees' personal data in the employment context, in particular for recruitment, the performance of the employment contract, including discharge of obligations stipulated by law or by collective agreements, management, planning and organization of work, equality, and diversity in the workplace, health, and safety at work, protection of employer's or customer's property and for the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the termination of the employment relationship.

The Law provides for the regulation of the processing of personal data by employers in more detail through law or collective agreements to ensure the protection of employees' rights and freedoms in the employment context. Such regulations must include specific and appropriate measures to protect an individual's human dignity, legitimate interests, and fundamental rights, with particular regard to transparency of processing, transfer of personal data within a group of undertakings or enterprises engaged in joint economic activity, and monitoring systems in the workplace. The DPA has the authority to provide its opinion on the alignment of such regulations with the Law. However, to date, there have been no initiatives to enact data protection legislation in the employment context or include data protection provisions in collective bargaining agreements.

6. Principles

The Law permits the processing of personal data by an organization if that processing is conducted in accordance with the following seven key principles:

Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and transparently in relation to the individuals. Processing of personal data is lawful where it is conducted based on freely given, specific, informed, and unambiguous consent by an individual or where the processing is necessary in the situations set out in the section on the legal bases above.

Purpose limitation: Personal data may be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes is not considered incompatible with the initial purposes.

Data minimization: Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage limitation: Personal data must be kept in a form that permits the identification of individuals for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, subject to the implementation of the appropriate technical and organizational measures pursuant to the Law, in order to safeguard the rights and freedoms of the data subject.

Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.

Accountability: Data controllers must demonstrate compliance with the principles for processing personal data set out above.

7. Controller and Processor Obligations

7.1. Data processing notification

Data controllers are not required to register themselves as data controllers for data processing purposes or to register the collections of personal data unless a type of processing, in particular, uses new technologies, and takes into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals. In such cases, data controllers must notify the DPA, including details on the categories of data subjects, categories of personal data to be processed, transfers of personal data, technical and organizational security measures, and others.

Prior approval

The controller must obtain prior approval from the DPA to process the following personal information, regardless of whether the processing is based on the prior explicit consent by the individual:

• data concerning health;
• genetic data, unless the data processing is performed by professionals for the needs of preventive medicine, medical diagnosis, or care and therapy of the personal data subject; and
• biometric data.

The DPA must issue its decision regarding prior approval within 90 days from the date of receipt of the application for approval. Appeals may be submitted to the competent court within 30 days of the receipt of the decision. Prior approval is not required where the processing of personal data is determined by a law that contains protective measures to protect the rights and freedoms of data subjects in accordance with the law.

7.2. Data transfers

Adequacy decision

The DPA has the power to determine if certain countries, territories, or international organizations offer an adequate level of protection for data transfers and issue individual approvals for transfers of personal data to non-EU/EEA countries. When determining adequacy, the DPA must especially consider if the third country offers levels of protection substantially equivalent to that ensured in North Macedonia and provides individuals with effective and enforceable rights and means of redress. The DPA also has the power to repeal, amend, or suspend any adequacy decisions.

An adequacy decision from the DPA is not required to transfer personal data to EU/EEA countries. The Law operates under the assumption that the EU/EEA countries provide an adequate level of personal data protection. However, data controllers and data processors must notify the DPA of transfers of personal data to EU/EEA countries at least 15 days before the commencement of such transfers. The notice must be submitted via email or the electronic system of the DPA.

Derogations

There are many derogations permitting transfers of personal data in limited circumstances, which include: explicit consent, contractual necessity, significant reasons of public interest, legal claims, vital interests, and public register data. There is also a derogation for non-repetitive transfers involving a limited number of individuals where the transfer is necessary for compelling legitimate interests of the controllers (which are not overridden by the interests or rights of the individual) and where the controller has assessed and documented all the circumstances surrounding the data transfer and concluded there is adequacy. When relying on this derogation, the controller must inform the DPA and the individuals.

In the absence of an adequacy decision or a derogation, the Law allows a transfer if the controller or processor has provided 'appropriate safeguards' as follows:

Standard Contractual Clauses

SCCs are model data protection clauses adopted by the DPA. The clauses contain contractual obligations on the data exporter and the data importer and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter. The DPA adopted a Decision on Establishing SCCs for the Transfer of Personal Data to Third Countries (only available in Macedonian here).

Binding Corporate Rules

BCRs form a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group's Macedonian entities to non-EU/EEA entities. BCRs are legally binding data protection rules with enforceable individual rights contained in them, approved by the DPA.

Approved codes of conduct

Codes of conduct are voluntary and set out specific data protection rules for categories of controllers and processors. They can be a useful and effective accountability tool, providing a detailed description of the most appropriate, legal, and ethical behavior within a sector. Codes of conduct that relate to personal data processing activities by controllers and processors in more than one EU Member State, and for which the European Commission has adopted an implementing act, together with binding and enforceable commitments of the controller or processor in the third country, could be used as a transfer tool in the future.

Approved certification mechanisms

Certification is 'the provision by an independent body of written assurance (a certificate) that the product, service, or system in question meets specific requirements'. Therefore, certification mechanisms may be developed to demonstrate the existence of appropriate safeguards provided by controllers and processors in third countries. These controllers and processors would also make binding and enforceable commitments to apply the safeguards, including provisions for individual rights.

Legally binding and enforceable instruments between public authorities

An organization can make a restricted transfer if it is a public authority or body and is transferring to another public authority or organization, with both public authorities having signed a contract or another instrument that is legally binding and enforceable. This contract or instrument must include enforceable rights and effective remedies for individuals whose personal data is transferred. This is not an appropriate safeguard if either the transferring organization or the receiver is a private body or an individual. If a public authority or organization does not have the power to enter into legally binding and enforceable arrangements, it may consider an administrative arrangement that includes enforceable and effective individual rights instead.

Data controllers or processors must apply to the DPA, either via email or via the electronic system of the DPA, seeking approval for transfers of personal data based on the above safeguards. The DPA must decide on the application within 90 days from receipt.

7.3. Data processing records

Data controllers and their local data protection representatives (if applicable) must maintain data processing records in written and electronic form. The data processing records, as a minimum, must contain the following:

• the name and contact details of the data controller and, where applicable, the joint data controller, the data controller's representative, and the data protection officer ('DPO');
• the purposes of the processing;
• a description of the categories of data subjects and the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
• transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, the documentation of suitable safeguards;
• the envisaged time limits for the erasure of the different categories of data; and
• a general description of the technical and organizational security measures.

Data processors and their local data protection representatives (if applicable) are also required to maintain data processing records, including the name and contact details of each controller (and its DPO and data protection representatives, if applicable) on behalf of which the data processors are acting, and the categories of processing carried out on behalf of each controller.

Data controllers and data processors must make available to the DPA the data processing records upon its request.

7.4. Data protection impact assessment

Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, data controllers must, before the processing, carry out a DPIA. Data controllers must carry out a DPIA where:

• processing of personal data for systematic and comprehensive profiling or automatic decision-making to draw conclusions and make decisions that produce legal effects, which significantly affect the natural person and/or multiple persons;
• processing of special categories of personal data for profiling or automatic decision-making;
• processing of special categories of personal data, i.e., data that reveal racial or ethnic origin, political opinion, religious or philosophical belief, or union membership, as well as the processing of genetic data, biometric data for the sole purpose of identifying persons, health data or data on the sexual life or sexual orientation of the individual;
• extensive processing of special categories of personal data or personal data related to criminal convictions and criminal offenses or misdemeanor liability;
• processing of personal data of children for profiling, automatic decision-making, or for marketing purposes or the direct offering of services intended for them;
• processing of personal data collected by third parties, which are taken into account for making decisions related to the conclusion, termination, refusal or extension of contracts for providing services to individuals;
• processing of personal data using systematic monitoring of publicly available space on a large scale;
• use of new technologies or technological solutions for personal processing data or with the possibility of processing personal data used for analysis or forecasting the economic situation, health, personal desires or interests, the safety or conduct, location, or movement of individuals;
• processing of personal data by linking, comparing or performing checking similarities from multiple sources;
• processing of personal data in a way that includes location tracking or of the conduct of the natural person in the case of systematic processing of data on communication (metadata) generated - generated by the use of telephone, internet, or other means (channels) of communication, such as GSM, GPS, Wi-Fi, tracking, and processing of location data;
• processing of personal data through the use of devices and technologies, in which if an incident occurs it may endanger the health of one person or more persons (personal data subjects); and
• processing of special categories of employees' personal data that are used for unique identification by the employer and, in other cases of processing of personal data for monitoring purposes such as using an application or system to monitor their work, movement, and communication.

A DPIA is not required if the processing of personal data is not likely to result in a high risk to the rights and freedoms of individuals. More specifically, a DPIA is not required where:

• processing operations do not result in a high risk to the rights and freedoms of natural persons;
• a previous DPIA has already determined that the processing operations would not result in a high risk;
• the DPA has already approved the processing;
• there is already a clear and specific legal basis for the processing in the legal system of North Macedonia, and when the DPIA has already been conducted as part of the establishment of that legal basis;
• is performed as part of a DPIA arising from the basis of public interest and when the DPIA was an element of that assessment and/or
• the DPA decides to count certain processing as a processing operation.

Consultation

The controller must consult with the DPA before processing if a DPIA indicates a high risk to the rights and freedoms of data subjects that the controller cannot mitigate. The controller must submit the following information:

• information on the respective responsibilities of the controller, joint controllers, and processor involved in the processing, in particular for processing within a group of undertakings;
• the purpose and means of processing;
• envisaged safeguards and other mitigation measures;
• contact details of the DPO;
• the DPIA; and
• all other information requested by the DPA.

Depending on the circumstances of each specific case for which the DPIA is prepared, the controller may seek the opinion of data subjects or their representatives, through various means, depending on the situation (for example, through a general study related to the purpose and means of the processing, by asking questions to the representatives of the personal data subjects, or through surveys that are sent to the future clients of the controller).

Methodology for implementation of a DPIA

To implement a DPIA, the DPA recommends the following methodology:

• Define the context: This includes information on the collection, purpose, transfer, method, means, entities involved, and retention period of personal data.
• Conduct a risk assessment: Identify adverse outcomes and determine the probability and impact of each risk.
• Implement risk management: Use security measures and mechanisms to reduce risks to an acceptable level, protect personal data, and demonstrate compliance with regulations.
• Compile a report: Describe the processing process, internal and external parties involved, risk assessment, risk management measures, summary/conclusion, action plan, and opinions of the DPO and any other relevant persons. Obtain approval from the responsible person.

The report should be submitted to the DPA upon request. The controller may decide to publish a summary or conclusion of the completed DPIA to demonstrate compliance with principles of accountability and transparency. Data processors must assist controllers in implementing DPIAs.

7.5. Data protection officer appointment

The appointment of a DPO is compulsory only for data controllers and data processors whose core activities require large-scale, regular, and systematic monitoring of individuals (for example, online behavior tracking) or consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses. This obligation also applies to state authorities except for courts. The DPA, however, recommends that controllers or processors appoint a DPO even if it is not required under the Law.

The DPO must be appointed based on professional qualifications, professional knowledge of the legislation and practices in the field of personal data protection, and their ability to perform the necessary activities.

To be appointed as a DPO by a data controller or processor, an individual must meet the following criteria:

• meets the conditions for employment determined by the Law and other applicable laws;
• is fluent in the Macedonian language;
• has not been sentenced or has not been sanctioned that would prohibit them from performing a profession, activity, or duty;
• has completed higher education; and
• has acquired knowledge and skills regarding the practices and laws for the protection of personal data in accordance with the provisions of the Law.

A group of legal entities may appoint a single DPO, provided that the DPO is readily available for each legal entity within the group, the DPA, and the data subjects. The controller or processor must make the DPO's contact information public and inform the DPA of this information. Moreover, the controller and processor must ensure that the DPO is adequately involved in all matters related to data protection and provide the DPO with the necessary support to carry out their tasks, including resources to maintain their expertise. The DPO cannot be dismissed for performing their duties.

Role

The DPO must perform at least the following activities:

• inform and provide advice to the controller or processor and employees for performing the processing of their obligations under the Law;
• monitor compliance with the Law, and other applicable data protection legislation and policies, including assigning responsibilities, raising awareness and training;
• where necessary, provide advice on DPIAs;
• cooperate with the DPA; and
• act as a point of contact for the DPA in relation to matters relating to processing, including prior consultation.

The DPO must consider the risks associated with processing operations, considering the nature, scope, context, and purposes of the processing. A DPO is bound by secrecy and confidentiality and must be independent.

7.6. Data breach notification

Data controllers and data processors must immediately report a notifiable breach to the DPA but no later than 72 hours after becoming aware of it. When reporting a breach, data controllers and data processors must provide a description of the nature of the personal data breach, including, where possible:

• the categories and approximate number of individuals concerned;
• the categories and approximate number of personal data records concerned;
• the name and contact details of the DPO (if appointed) or another contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Data controllers and data processors must also notify a breach to individuals if the breach is likely to result in a high risk of adversely affecting individual rights and freedoms.

Data controllers and data processors which are subject to the Law on Electronic Communications 2014 (only available in Macedonian here) ('the Electronic Communications Law'), are also required to report immediately, but in any case, no later than 24 hours, security incidents affecting their core services or personal data breaches to the Agency for Electronic Communications ('AEK'). Operators of electronic communications networks and services must notify subscribers about personal data breaches, but only when such breaches might adversely affect their privacy.

7.7. Data retention

Controllers must limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is needed to fulfill that purpose. In other words, data controllers should collect only the personal data they need and should keep it only for as long as they need it. As an exception, data controllers and data processors subject to the Electronic Communications Law must retain communication meta-data for 12 months.

7.8. Children's data

Companies offering information society services to children must verify individuals' ages and obtain parental or guardian consent for any data processing activity. The Law sets the age when a child can consent to this processing at 14, and companies are required to obtain consent for children younger than that age from a person holding 'parental responsibility'.

7.9. Special categories of personal data

Processing of special categories of data is prohibited except in the following situations:

• the individual has given explicit consent to the processing of those personal data for one or more specified purposes, except where Macedonian laws provide that the individual may not lift the general prohibition for processing of special categories of data;
• processing is necessary for carrying out the obligations and exercising specific rights of the controller or of the individual in the field of employment and social security and social protection law in so far as it is authorized by Macedonian law or a collective agreement according to Macedonian law providing for appropriate safeguards for the fundamental rights and the interests of the individual;
• processing is necessary to protect the vital interests of the individual or of another natural person where the individual is physically or legally incapable of giving consent;
• processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim and on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside that body without the consent of the individuals;
• processing relates to personal data which is manifestly made public by the individual;
• processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity;
• processing is necessary for reasons of substantial public interest, based on the law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the individual;
• processing is necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on law or according to contract with a health professional;
• processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices, based on a law that provides for suitable and specific measures to safeguard the rights and freedoms of the individual, in particular, professional secrecy; or
• processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the individual.

Processing of personal data relating to criminal convictions and offenses, or related security measures must be carried out only under the control of official authority or when the processing is authorized by a state authority providing appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions must be kept only under the control of an official authority.

7.10. Controller and processor contracts

A data controller and a data processor must enter into a legally binding written data processing agreement to manage their relationship. Under the agreement, the processor must:

• only act on the data controller's documented instructions;
• impose confidentiality obligations on all personnel who process the relevant data;
• ensure the security of the personal data that it processes;
• abide by the rules regarding the appointment of sub-processors;
• implement measures to assist the data controller in complying with the rights of individuals;
• support the data controller in obtaining approval from the DPA where required;
• at the data controller's election, either return or destroy the personal data at the end of the relationship; and
• provide the data controller with all information necessary to demonstrate compliance with the Law.

The DPA adopted a Decision on Establishing SCCs between Controllers and Processors (only available in Macedonian here).

8. Data Subject Rights

8.1. Right to be informed

Individuals have the right to be informed about the collection and use of their personal data.

8.2. Right to access

Individuals have the right to access to their personal data kept by data controllers.

8.3. Right to rectification

Individuals have the right to rectification; that is, to have inaccurate personal data rectified or completed if it is incomplete.

8.4. Right to erasure

Individuals have the right to erasure, that is, to have their personal data erased.

8.5. Right to object/opt-out

Individuals have the right to object, on grounds relating to their particular situation, at any time to processing personal data concerning them based on profiling. The data controller must refrain from processing the personal data unless the data controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or is for the establishment, exercise, or defense of legal claims.

If personal data is processed for direct marketing purposes, an individual has the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

8.6. Right to data portability

Individuals have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and have the right to transmit such data to another controller or have the personal data directly transferred from one to another.

8.7. Right not to be subject to automated decision-making

This right allows the individual to object to a decision based on automated processing. Using this right, an individual may ask for their request to be reviewed manually where they believe that automated processing of their request may not consider their unique situation.

8.8. Other rights

Individuals have the right to obtain from the data controller the restriction or suppression of processing where one of the following applies:

• the accuracy of the personal data is contested by the individual, for a period enabling the data controller to verify the accuracy of the personal data;
• the processing is unlawful, and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
• the data controller no longer needs the personal data for processing, but the individual requires it for the establishment, exercise, or defense of legal claims; and
• the individual has objected to processing pending the verification of whether the data controller's legitimate grounds override those of the data subject.

If processing has been restricted, personal data may only be processed with the individual's consent or for the establishment, exercise, or defense of legal claims or the protection of the rights of another natural or legal person or for reasons of significant public interest of North Macedonia.

9. Penalties

Data controllers and processors are jointly responsible for ensuring compliance with the Law and for any potential infringements. Individuals and the DPA can hold both data controllers and processors to account if they fail to comply with their responsibilities under the Law. Data controllers and processors are jointly liable for the damage caused by personal data processing. A data processor or data controller held liable to pay compensation on this basis is entitled to recover from other relevant parties that are a part of the compensation corresponding to their responsibility for the damage.

Data controllers and data processors may be exposed to administrative fines ranging from 2% to 4% of their worldwide turnover in the preceding year for each incident of non-compliance with the core principles of processing personal data under the Law. Also, they may be exposed to fines ranging from €1,000 to €10,000 for each incident of non-compliance with the provisions of the Law in connection with video surveillance.

9.1 Enforcement decisions

The DPA has not imposed penalties on controllers and processors for non-compliance. Instead, the DPA has provided guidance and direction to help rectify any identified deficiencies.