Republic of North Macedonia: DZLP adopts blacklist and whitelist on DPIAs
The Directorate for Personal Data Protection ('DZLP') adopted, on 12 May 2020, its list of types of processing which require a Data Protection Impact Assessment ('DPIA') ('the Blacklist') and its list of types of processing which do not require a DPIA ('the Whitelist') which were published in the Official Gazette of the Republic of Northern Macedonia No.122/20.
In particular, the Blacklist outlines that a DPIA is required when, among other things, processing personal data for systematic and comprehensive profiling or automated decision making which produces legal effects, when processing special categories of personal data, when processing special categories of personal data for the purposes of profiling or automated decision making, when processing children's personal for the purposes of profiling, automated decision making, or offering direct services, when tracking location or behaviour a natural person such as GPS, or data monitoring. In addition, the Black;ist highlights that a DPIA is required when an employer processes special categories of employee data.
Furthermore, the Whitelist notes that a DPIA is not required when processing does not pose a high risk to the rights and freedoms of individuals, when the DZLP has already approved such processing, and when there is already an existing clear and specific legal basis in the Republic of North Macedonia, and when the DPIA has already implemented as part of the establishment of the legal basis in accordance with Article 10(3) of the Law on Personal Data Protection 2020.