Republic of North Macedonia - Data Protection Overview

July 2022

1. Governing Texts

The Constitution of the Republic of North Macedonia guarantees the right to privacy of individuals in the scope afforded by the European Convention for the Protection of Human Rights and Fundamental Freedoms. The country is also a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 108/81.

A new data protection law was adopted in February 2020 to align the national data protection legislation with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). As with the GDPR, the new data protection law has an extended territorial scope: it applies to all organisations that process personal data of individuals residing in North Macedonia, including foreign organisations, if they offer goods or services to, or monitor the behaviour of, individuals in North Macedonia. As a result, many organisations that were not subject to the previous data protection legislation are now subject to the new data protection law, especially online businesses that process individuals' personal data in North Macedonia. Such online companies must appoint a local data protection representative in North Macedonia unless the processing of personal data is occasional, does not include, on a large scale, processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of individuals.

Data controllers and processors must have ensured compliance with the provisions of the new data protection legislation by 25 February 2022.

1.1. Key acts, regulations, directives, bills

The principal legal instrument in the area of data protection is the Law on Personal Data Protection (only available in Macedonian here) ('the Law'). The relevant bylaws (only available in Macedonian here) include specific rules for controllers in connection with the obligation to conduct privacy impact assessment, the obligation for ensuring the security of the processing of personal data, procedures for obtaining authorisation for transfers of personal data outside of North Macedonia, requirements for reporting of personal data breaches, video surveillance, and others.

1.2. Guidelines

The Personal Data Protection Agency ('DPA') is the national regulatory authority that oversees the implementation of the Law. In connection with the adoption of the new Law, the DPA has issued Guidelines specifying the steps that have to be taken (only available in Macedonian here).

In addition, the DPA issued the following:

  • Obligations of controllers to the Agency (only available in Macedonian here);
  • List of types of processing operations for which no personal protection impact assessment is required (only available in Macedonian here) ('the Whitelist');
  • List of types of processing operations for which an assessment of impact of personal data protection is required (only available in Macedonian here) ('the Blacklist');
  • Rule on reporting for processing of personal data with high risk (only available in Macedonian here);
  • Guidelines on DPIAs (only available in Macedonian here) ('the Guidance');
  • Rulebook on reporting for processing of personal data with high risk (only available in Macedonian here);
  • Privacy guide to design and privacy impact assessment (only available in Macedonian here) ('the Privacy Guide');
  • Manual for data protection officers 2017 ('DPOs') (only available in Macedonian here) ('the Manual'); and
  • Rulebook on the process of data protection impact assessments (only available in Macedonian here) ('the Rulebook').

1.3. Case law

There is no relevant case law, as the Law entered into force on 25 August 2021 and data controllers and data processors were allowed until 25 February 2022 to ensure compliance with the provisions of the Law.

2. Scope of Application

2.1. Personal scope

The Law applies only to identified or identifiable natural persons. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Common examples of personal data are names of individuals, addresses, telephone numbers, identity card numbers, birth dates, personal identification numbers, occupations, account information, and financial information.

2.2. Territorial scope

The Law applies to all organisations (both public and private) in North Macedonia that process the personal data of individuals residing in North Macedonia.

The Law also applies to foreign organisations if they offer goods or services to, or monitor the behaviour of, individuals in North Macedonia. Foreign organisations that process personal data of Macedonian individuals must appoint a local data protection representative unless the processing of personal data is occasional, does not include, on a large scale, processing of special categories of data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing, or unless the processing is conducted by a public authority or body.

2.3. Material scope

The Law applies to the processing of personal data wholly or partly by automated means and processing other than by automated means of personal data that form part of a filing system or are intended to form part of a filing system. The Law does not apply to the processing of personal data collected by individuals for purely domestic or household activities, with no connection to a professional or commercial activity.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The DPA is the national regulatory authority that oversees the implementation of the Law.

3.2. Main powers, duties and responsibilities

The DPA's main competencies include:

  • to promote awareness of the risks, rules, safeguards, and rights pertaining to personal data (especially concerning children);
  • to advise national and governmental institutions on the application of the Law;
  • to hear claims brought by individuals or their representatives, and inform individuals of the outcome of such claims;
  • to establish requirements for Data Protection Impact Assessments ('DPIAs');
  • to encourage the creation of Codes of Conduct and review certifications;
  • to authorise transfers of personal data outside North Macedonia, Standard Contractual Clauses ('SCCs') and Binding Corporate Rules ('BCRs');
  • to keep records of sanctions and enforcement actions; and
  • to fulfil 'any other tasks related to the protection of personal data'.

4. Key Definitions

Personal data: Any information pertaining to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Data controller: Any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. When a law or regulation determines the purposes and methods of personal data processing, the same law determines the controller or the particular criteria for its selection.

Data processor: Any natural person, legal entity, or authorised state administrative body which processes personal data on behalf of the controller.

Personal data processing: Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Filing system: Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Data subject: Any natural person whose personal data is processed.

Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, either by a statement or by explicit affirmative action, signify agreement to personal data relating to them being processed.

Special categories of personal data: Personal data that reveals racial or ethnic origins, political, religious, philosophical or other beliefs, membership of trade union organisations, and data relating to human health such as genetic or biometric data, or data which refers to the sexual identity of the individual.

Data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Data concerning health: Personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveal information about their health status.

Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person.

Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Data Protection Impact Assessment: There is no definition of Data Protection Impact Assessment ('DPIA') in the Law. However, the Rulebook outlines that assessing the impact of personal data protection in terms of the Rulebook is a process designed to describe the processing of personal data, assess its necessity and proportionality, and assist in the management of risks to the rights and freedoms of natural persons that will arise from the processing, as well as to provide measures to deal with those risks (Article 2 of the Rulebook).

In addition, the Privacy Guide defines a 'Privacy Impact Assessment' as a tool for systematic analysis of privacy and data protection issues related to the information system of an organisation, noting that a Privacy Impact Assessment is an effective tool for informing the management of all risks and helping in the decision-making process to avoid any privacy-related disasters (page 9 of the Privacy Guide).

Data protection officer: A person authorised by the controller to ensure compliance with the Law and monitor its implementation (page 7 of the Manual).

5. Legal Bases

5.1. Consent

The processing of personal data can be conducted if an individual has provided their consent for the processing. The consent of individuals must be specific, informed, unambiguous, verifiable, and given freely. Consent cannot be inferred from silence or inactivity. Data controllers relying on individuals' consent to process their data must ensure that the consent will meet the standard of being specific, granular, clear, prominent, opt-in, properly documented, and easily withdrawn.

5.2. Contract with the data subject

The processing of personal data may be conducted to perform a contract to which the individual is a party or to take steps at the request of the individual before entering into a contract.

5.3. Legal obligations

Data controllers may process personal data to ensure compliance with a legal obligation to which the data controller is subject.

5.4. Interests of the data subject

Data controllers may process personal data to protect the vital interests of the individual or another natural person.

5.5. Public interest

The processing of personal data is allowed to perform a task carried out in the public interest or the exercise of official authority vested in an organisation.

5.6. Legitimate interests of the data controller

Processing of personal data is allowed for the legitimate interests pursued by an organisation or by a third party, except where such interests are overridden by the individual's interests or fundamental rights and freedoms, which require protection of personal data, particularly where the individual is a child.

5.7. Legal bases in other instances

Employers are allowed to process employees' personal data in the employment context, in particular for the recruitment, the performance of the employment contract, including discharge of obligations stipulated by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the termination of the employment relationship.

The Law allows the processing of personal data by employers to be regulated in more detail by law or by collective agreements in order to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context. Those rules must include suitable and specific measures to safeguard the individual's human dignity, legitimate interests, and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. The DPA is empowered to provide its opinion on whether these rules are aligned with the Law.

6. Principles

The Law permits the processing of personal data by an organisation if that processing is conducted in accordance with the following seven key principles:

Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the individuals. Processing of personal data is lawful where it is conducted based on a freely given, specific, informed, and unambiguous consent by an individual or where the processing is necessary in the situations set out in the section on legal bases above.

Purpose limitation: Personal data may be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

Data minimisation: Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage limitation: Personal data must be kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability: Data controllers must demonstrate compliance with the principles for processing of personal data set out above.

7. Controller and Processor Obligations

7.1. Data processing notification

Data controllers are not required to register themselves as data controllers for data processing purposes or to register the collections of personal data unless a type of processing, in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals. In such a case, data controllers must give notice to the DPA, including details on the categories of data subjects, categories of personal data to be processed, transfers of personal data, technical and organisational security measures, and others.

Prior approval

The controller must obtain prior approval from the Agency to process the following personal information (Article 84(1) of the Law):

  • data related to human health;
  • genetic data, unless the data processing is performed by professionals for the needs of preventive medicine, medical diagnosis, or care and therapy of the personal data subject; and
  • biometric data.

Furthermore, the prior approval outlined above is required where the processing of personal data is performed with the prior explicit consent of the data subject for processing for one or more purposes under Article 13(2)(1) of the Law (Article 84(2) of the Law).

The Agency must issue its decision regarding prior approval of the same within 90 days from the date of receipt of the application for approval (Article 84(4) of the Law). Appeals may be submitted to the competent court within 30 days of the receipt of the decision (Article 84(5) of the Law).

Prior approval under Article 84(1) of the Law (see section 3 above) is not required where the processing of the personal data is determined by law which contains protective measures to protect the rights and freedoms of data subjects in accordance with the law (Article 84(3) of the Law).

7.2. Data transfers

The DPA has the power to determine whether certain countries, territories, or international organisations offer an adequate level of protection for data transfers and to issue individual approvals for transfers of personal data to non-EU/EEA countries. When determining adequacy, the DPA must especially consider whether the third country offers a level of protection that is substantially equivalent to that ensured in North Macedonia and whether it provides individuals with effective and enforceable rights and means of redress. The DPA also has the power to repeal, amend, or suspend any adequacy decision.

An adequacy decision from the DPA is not required to transfer personal data to EU/EEA countries. The Law operates under the assumption that the EU/EEA countries provide an adequate level of personal data protection. However, data controllers and data processors must give notice to the DPA of transfers of personal data to EU/EEA countries at least 15 days before the commencement of such transfers. The notice must be submitted either via email or via the electronic system of the DPA.

There are many derogations permitting transfers of personal data in limited circumstances, which include: explicit consent, contractual necessity, significant reasons of public interest, legal claims, vital interests, and public register data. There is also a derogation for non-repetitive transfers involving a limited number of individuals where the transfer is necessary for compelling legitimate interests of the controllers (which are not overridden by the interests or rights of the individual) and where the controller has assessed and documented all the circumstances surrounding the data transfer and concluded there is adequacy. The controller must inform the DPA and the individuals when relying on this derogation.

In the absence of an adequacy decision or a derogation, the Law allows a transfer if the controller or processor has provided 'appropriate safeguards' as follows:

Standard Contractual Clauses 

SCCs are model data protection clauses either adopted by the DPA or approved by the European Commission. The clauses contain contractual obligations on the data exporter and the data importer and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter. The DPA adopted a Decision on Establishing SCCs between Controllers and Processors (only available in Macedonian here) and a Decision on Establishing SCCs for the Transfer of Personal Data to Third Countries (Official Gazette of RSM No. 280/21) (only available in Macedonian here).

Binding Corporate Rules

BCRs form a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group's Macedonian entities to non-EU/EEA entities. BCRs are legally binding data protection rules with enforceable individual rights contained in them, approved by the DPA.

Approved codes of conduct

Codes of conduct are voluntary and set out specific data protection rules for categories of controllers and processors. They can be a useful and effective accountability tool, providing a detailed description of the most appropriate, legal, and ethical behaviour within a sector. Codes of conduct that relate to personal data processing activities by controllers and processors in more than one EU Member State, and for which the European Commission has adopted an implementing act, together with binding and enforceable commitments of the controller or processor in the third country, could be used as a transfer tool in the future.

Approved certification mechanisms

Under the Law, certification is 'the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements'. Therefore, certification mechanisms may be developed to demonstrate the existence of appropriate safeguards provided by controllers and processors in third countries. These controllers and processors would also make binding and enforceable commitments to apply the safeguards, including provisions for individual rights.

Legally binding and enforceable instruments between public authorities

An organisation can make a restricted transfer if it is a public authority or body and is transferring to another public authority or organisation, with both public authorities having signed a contract or another instrument that is legally binding and enforceable. This contract or instrument must include enforceable rights and effective remedies for individuals whose personal data is transferred. This is not an appropriate safeguard if either the transferring organisation or the receiver is a private body or an individual. If a public authority or organisation does not have the power to enter into legally binding and enforceable arrangements, it may consider an administrative arrangement that includes enforceable and effective individual rights instead.

Data controllers or processors must apply to the DPA, either via email or via the electronic system of the DPA, seeking approval for transfers of personal data based on the above safeguards. The DPA must adopt a decision on the application within 90 days from receipt.

7.3. Data processing records

Data controllers and their local data protection representatives (if applicable) must maintain data processing records in written and electronic form. The data processing records must, as a minimum, contain the following:

  • the name and contact details of the data controller and, where applicable, the joint data controller, the data controller's representative and the data protection officer ('DPO');
  • the purposes of the processing;
  • a description of the categories of data subjects and the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  • the envisaged time limits for erasure of the different categories of data; and
  • a general description of the technical and organisational security measures.

Data processors and their local data protection representatives (if applicable) are also required to maintain data processing records, including the name and contact details of each controller (and its DPO and data protection representatives, if applicable) on behalf of which the data processors are acting, and the categories of processing carried out on behalf of each controller.

Data controllers and data processors must make available to the DPA the data processing records upon its request.

7.4. Data protection impact assessment

Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, data controllers must, before the processing, carry out a DPIA. A single assessment may address a set of similar processing operations that present similar high risks. The data controller must review the DPIA if a processing activity, such as the use of new technologies or where personal data is used for another purpose, imposes an additional risk to the rights and freedoms of the data subject (Article 8 of the Rulebook). Notably, according to Article 12 of the Rulebook, the controller may decide whether or not to publish the DPIA. The controller can demonstrate compliance with the principles of accountability and transparency by publishing parts of the DPIA i.e. by publishing a short summary or conclusion of the completed DPIA (Article 12 of the Rulebook). Lastly, the controller is obliged to submit a report for the conducted DPIA at the request of the Agency (Article 12 of the Rulebook).

Please note that data processors that, either solely or partially, perform the data processing activities are obliged to assist the controllers in the implementation of the DPIA (Article 6(3) of the Rulebook).

Data controllers must carry out a DPIA in particular in the case of:

  • a systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual;
  • processing on a large scale of special categories of data or personal data relating to criminal convictions and offences; or
  • systematic monitoring of a publicly accessible area on a large scale.

In addition, a DPIA is required where (the Blacklist):

  • processing of personal data for systematic and comprehensive profiling or automatic decision making in order to draw conclusions and make decisions that produce legal effects which greatly affect the natural person and/or multiple persons;
  • processing of special categories of personal data for the purpose of profiling or automatic decision making;
  • processing of special categories of personal data, i.e. data that reveal racial or ethnic origin, political opinion, religious or philosophical belief or union membership, as well as processing of genetic data, biometric data for the sole purpose of identifying persons, health data or data on the sexual life or sexual orientation of the individual;
  • extensive processing of special categories of personal data or personal data related to criminal convictions and criminal offences or misdemeanour liability;
  • processing of personal data of children for the purpose of profiling, automatic decision making, or for marketing purposes or for the direct offering of services intended for them;
  • processing of personal data collected by third parties, which are taken in account for making decisions related to the conclusion, termination, refusal or extension of contracts for providing services to individuals;
  • processing of personal data using systematic monitoring of publicly available space on a large scale;
  • use of new technologies or technological solutions for processing personal data, or with the possibility of processing personal data, used for analysing or forecasting the economic situation, health, personal desires or interests, safety or conduct, location, or movement of individuals;
  • processing of personal data by linking, comparing, or checking for similarities across multiple sources;
  • processing of personal data in a way that includes location tracking or tracking of the conduct of the natural person, in the case of systematic processing of communication data (metadata) generated by the use of telephone, internet, or other means (channels) of communication, such as GSM, GPS, or Wi-Fi tracking, and processing of location data;
  • processing of personal data through the use of devices and technologies, in which if an incident occurs it may endanger the health of one person or more persons (personal data subjects); and
  • processing of special categories of personal data of employees that are used for unique identification by the employer and in other cases of processing of personal data for monitoring purposes such as using an application or system to monitor their work, movement, and communication.

Furthermore, a DPIA must contain (Article 9 of the Rulebook):

  • a description of the planned processing operations and processing objectives;
  • an assessment of the need and proportionality of the processing;
  • a risk assessment of the rights and freedoms of personal data subjects; and
  • measures provided for risk management.

A DPIA is not required if the processing of personal data is not likely to result in a high risk to the rights and freedoms of individuals or where the processing has a legal basis in a law that regulates the specific processing operation or set of operations in question, and a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis. More specifically, a DPIA is not required for certain types of processing operations, especially when (the Whitelist):

  • processing operations do not result in a high risk to the rights and freedoms of natural persons;
  • a previous DPIA has already determined that the processing operations would not result in a high risk;
  • the processing has already been approved by the Agency;
  • there is already a clear and specific legal basis for the processing in the legal system of the Republic of North Macedonia and the DPIA has already been conducted as part of the establishment of that legal basis under Article 10(3) of the Law;
  • the processing is performed as part of a DPIA arising from the basis of public interest and the DPIA was an element of that assessment under Article 10(3) of the Law; and/or
  • the Agency decides to count certain processing as a processing operation in accordance with Article 39(5) of the Law.

Consultation


The controller must consult with the Agency prior to processing, if a DPIA indicates a high risk to the rights and freedoms of data subjects which the controller cannot mitigate (Article 40 of the Law). The controller must submit the following information (Article 40(3) of the Law):

  • information on the respective responsibilities of the controller, joint controllers, and processor involved in the processing, in particular for processing within a group of undertakings;
  • the purpose and means of processing;
  • envisaged safeguards and other mitigation measures;
  • contact details of the data protection officer;
  • the DPIA; and
  • all other information requested by the Agency.

In addition, depending on the circumstances of the specific case for which the DPIA is prepared, the controller may seek the opinion of data subjects or their representatives through various means (for example, through a general study related to the purpose and means of the processing, by putting questions to representatives of the data subjects, or through surveys sent to the controller's future clients) (Article 7 of the Rulebook).

Method

Article 11 of the Rulebook outlines the methodology the Agency recommends for the implementation of a DPIA:

  • Defining the context – the context of processing should be defined and at least the following information described:
    • collection of personal data;
    • purpose of processing;
    • transfer of data;
    • method(s) of obtaining the data;
    • method and means for processing the data;
    • entities that are involved in the processing (controllers, processors, etc.); and
    • retention period of the personal data.
  • Risk assessment - in the second phase, adverse outcomes are identified and the probability and impact of each risk materialising are determined.
  • Risk management - the third phase should include safeguards, such as security measures and mechanisms designed to reduce the risk to an acceptable level, as well as to ensure the protection of personal data and to demonstrate compliance with the regulations for protection of personal data.
  • Compilation of a report on the implementation of the DPIA.

The report of the conducted DPIA in particular shall contain (Article 11 of the Rulebook):

  • a description of the processing process;
  • internal and external parties involved in the process of conducting the DPIA;
  • risk assessment;
  • defined risk management measures;
  • summary/conclusion;
  • action plan;
  • opinion of the DPO and any other persons involved in the process; and
  • approval of the DPIA by the responsible person.

The implementation process of a DPIA is further illustrated in Annex 1 of the Rulebook, accompanied by the DPIA methodology in Annex 2 of the same. In addition, the Privacy Guide contains a checklist to assist data controllers in carrying out a DPIA (pages 11-14 of the Privacy Guide).

7.5. Data protection officer appointment

The appointment of a DPO, tasked with ensuring data controller compliance with the Law and other applicable regulations, is compulsory only for data controllers and data processors whose core activities require large scale, regular, and systematic monitoring of individuals (for example, online behaviour tracking) or consist of large-scale processing of special categories of data or data relating to criminal convictions and offences. Importantly, controllers or processors may appoint a DPO even if it is not required (Article 41(4) of the Law).

Specifically, the controller and the processor must appoint a DPO when (Article 41 of the Law):

  • the processing is carried out by a state authority, except for the courts;
  • the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or processor consist of extensive processing of special categories of personal data or personal data related to criminal convictions and criminal offences under Article 14 of the Law.

In addition, the DZLP has created a dedicated centre for DPOs for the exchange of knowledge and experience and for support in the performance of their tasks (only available in Macedonian).

Role

The DPO must perform at least the following activities (Article 43(1) of the Law):

  • inform and provide advice to the controller or processor and employees performing the processing of their obligations under the Law;
  • monitor compliance with the Law, other applicable data protection legislation and policies, including assigning responsibilities, raising awareness and training;
  • where necessary, provide advice on Data Protection Impact Assessments ('DPIA') in accordance with Article 39 of the Law;
  • cooperate with the DZLP; and
  • act as a point of contact for the DZLP in relation to matters relating to processing.

When performing their duties, the DPO must take into account the risks associated with processing operations, as well as the nature, scope, the context and purposes of processing (Article 43(2) of the Law). The DPO is bound by secrecy or confidentiality during the performance of their tasks (Article 42(5) of the Law). The DPO must be independent (Article 42(6) of the Law). In addition, the DPO must be appointed on the basis of their professional qualifications, and in particular on the basis of professional knowledge of the legislation and practices in the field of personal data protection, as well as their ability to perform the activities specified in Article 43 of the Law (Article 41(5) of the Law).

A person is appointed as DPO, who (Article 41(5) of the Law):

  • meets the conditions for employment determined by the Law and other applicable laws;
  • is fluent in the Macedonian language;
  • has not been sentenced to, or sanctioned with, a prohibition on performing a profession, activity or duty;
  • has completed higher education; and
  • has acquired knowledge and skills regarding the practices and laws for the protection of personal data, in accordance with the provisions of the Law.

Furthermore, the controller or processor must publish the contact details of the DPO and notify the DZLP of them, and a group of legal entities may appoint a single DPO, provided that the DPO is readily available to each legal entity within the group, the DZLP and the data subjects (Article 41(2) and (7) of the Law). Finally, the controller and the processor are obliged to ensure that the DPO is duly and timely involved in all data protection matters, and must support the DPO in the performance of their tasks, including by providing resources to maintain expertise. The DPO cannot be dismissed for performing their tasks (Article 42 of the Law).

7.6. Data breach notification

Data controllers and data processors must immediately report a notifiable breach to the DPA, but no later than 72 hours after becoming aware of it. When reporting a breach, data controllers and data processors must provide a description of the nature of the personal data breach, including, where possible:

  • the categories and approximate number of individuals concerned;
  • the categories and approximate number of personal data records concerned;
  • the name and contact details of the DPO (if appointed) or another contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Data controllers and data processors must also notify a breach to individuals if the breach is likely to result in a high risk adversely affecting individual rights and freedoms.

Data controllers and data processors which are subject to the Law on Electronic Communications 2014 (only available in Macedonian) ('the Electronic Communications Law') are also required to report security incidents affecting their core services, or personal data breaches, to the Agency for Electronic Communications ('AEK') immediately and in any case no later than 24 hours after becoming aware of them. Operators of electronic communications networks and services are also required to notify subscribers about personal data breaches, but only where such breaches might adversely affect their privacy.

7.7. Data retention

Under the Law, data controllers must limit the collection of personal data to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is needed to fulfil that purpose. In other words, data controllers should collect only the personal data they need and keep it only for as long as they need it. As an exception, data controllers and data processors subject to the Electronic Communications Law must retain communication metadata for 12 months.

7.8. Children's data

Companies offering information society services to children must verify individuals' ages and obtain parental or guardian consent for any data processing activity. The Law sets the age when a child can give their consent to this processing at 14, and companies are required to obtain consent for children younger than that age from a person holding 'parental responsibility'.

7.9. Special categories of personal data

Processing of special categories of data is prohibited, except in the following situations:

  • the individual has given explicit consent to the processing of those personal data for one or more specified purposes, except where Macedonian laws provide that the individual may not lift the general prohibition for processing of special categories of data;
  • processing is necessary for carrying out the obligations and exercising specific rights of the controller or of the individual in the field of employment and social security and social protection law in so far as it is authorised by Macedonian law or a collective agreement according to Macedonian law providing for appropriate safeguards for the fundamental rights and the interests of the individual;
  • processing is necessary to protect the vital interests of the individual or of another natural person where the individual is physically or legally incapable of giving consent;
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the individuals;
  • processing relates to personal data which are manifestly made public by the individual;
  • processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity;
  • processing is necessary for reasons of substantial public interest, based on law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the individual;
  • processing is necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on law or according to contract with a health professional;
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices, based on law which provides for suitable and specific measures to safeguard the rights and freedoms of the individual, in particular, professional secrecy; or
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the individual.

Processing of personal data relating to criminal convictions and offences or related security measures must be carried out only under the control of official authority or when the processing is authorised by a state authority providing appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions must be kept only under the control of an official authority.

7.10. Controller and processor contracts

A data controller and a data processor must enter into a legally binding written data processing agreement to manage their relationship. Under the agreement the processor must:

  • only act on the data controller's documented instructions;
  • impose confidentiality obligations on all personnel who process the relevant data;
  • ensure the security of the personal data that it processes;
  • abide by the rules regarding the appointment of sub-processors;
  • implement measures to assist the data controller in complying with the rights of individuals;
  • support the data controller in obtaining approval from the DPA where required;
  • at the data controller's election, either return or destroy the personal data at the end of the relationship; and
  • provide the data controller with all information necessary to demonstrate compliance with the Law.

8. Data Subject Rights

8.1. Right to be informed

Individuals have the right to be informed about the collection and use of their personal data.

8.2. Right to access

Individuals have the right to access to their personal data kept by data controllers.

8.3. Right to rectification

Individuals have the right to rectification; that is, to have inaccurate personal data rectified or completed if it is incomplete.

8.4. Right to erasure

Individuals have the right to erasure, that is, to have their personal data erased.

8.5. Right to object/opt-out

Individuals have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them based on profiling. The data controller must refrain from processing the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing is for the establishment, exercise, or defence of legal claims.

If personal data are processed for direct marketing purposes, an individual has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

8.6. Right to data portability

Individuals have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller or have the personal data directly transferred from one to another controller.

8.7. Right not to be subject to automated decision-making

This right provides the individual with an entitlement to object to a decision based on automated processing. Using this right, an individual may ask for their request to be reviewed manually because they believe that automated processing of their request may not consider their unique situation.

8.8. Other rights

Individuals have the right to obtain from the data controller restriction or suppression of processing where one of the following applies:

  • the accuracy of the personal data is contested by the individual, for a period enabling the data controller to verify the accuracy of the personal data;
  • the processing is unlawful, and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
  • the data controller no longer needs the personal data for the processing, but the individual requires them for the establishment, exercise, or defence of legal claims; or
  • the individual has objected to processing pending the verification of whether the data controller's legitimate grounds override those of the data subject.

If processing has been restricted, personal data may only be processed with the individual's consent or for the establishment, exercise, or defence of legal claims or the protection of the rights of another natural or legal person or for reasons of significant public interest of North Macedonia.

9. Penalties

Data controllers and processors are jointly responsible for ensuring compliance with the Law and for any potential infringements. Individuals and the DPA can hold both data controllers and processors to account if they fail to comply with their responsibilities under the Law. Data controllers and processors are jointly liable for the entire damage caused by the processing of personal data. A data processor or data controller held liable to pay compensation on this basis is entitled to recover from other relevant parties that part of the compensation corresponding to their responsibility for the damage.

Data controllers and data processors may be exposed to administrative fines ranging from 2% to 4% of their worldwide turnover in the preceding year for each incident of non-compliance with the core principles of the processing of personal data under the Law. Also, they may be exposed to fines ranging from €1,000 to €10,000 for each incident of non-compliance with the provisions of the Law in connection with video surveillance.

9.1 Enforcement decisions

There are no enforcement decisions under the Law as the transitional period for ensuring compliance is still pending.