Republic of North Macedonia: Overview of Vendor Privacy Contracts
1. Governing Texts
- The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). For requirements under the GDPR, please see our EU – Vendor Privacy Contracts Guidance Note
- Law on Personal Data Protection 2020 (only available in Macedonian here) ('the Law')
1.2. Regulatory authority guidance
The European Data Protection Board ('EDPB') has released:
- Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR) (12 July 2019); and
- Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (version under public consultation).
The Personal Data Protection Agency ('the Agency'), the national regulatory authority that oversees the implementation of the Law, has issued the following guidance:
- Rules on the form and contents of the records relating to the international transfer of personal data (only available in Macedonian here);
- Guidelines for controllers on personal data transfers (only available in Macedonian here);
- Rulebook on data transfers (only available in Macedonian here); and
- Manual for data protection officers ('DPOs') 2017 (only available in Macedonian here).
1.3. Regulatory authority templates
The European Commission ('the Commission') has released the following decisions on standard contractual clauses ('SCC') for transfers of personal data to jurisdictions outside of the EU/EEA:
- Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council;
- Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries; and
- Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (2001/497/EC).
The Article 29 Working Party ('WP29') released the following documents, which have been endorsed by the EDPB:
- Recommendation on the Standard Application form for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data | WP 264 rev.01 (18 April 2018);
- Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data | WP 265 rev.01 (18 April 2018);
- Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules | WP 256 rev.01 (9 February 2018); and
- Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules | WP 257 rev.01 (9 February 2018).
Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).
Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).
3.1. Are there requirements for a contract to be in place between a controller and processor?
The Law stipulates that processing by a processor must be governed by a contract or another legal act that is in accordance with the Law, which is binding on the processor with regard to the controller, and which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and the categories of data subjects, as well as the obligations and rights of the controller (Article 32(3) of the Law).
3.2. What content should be included?
The contract must include provisions stipulating that the processor (Article 32(3)(a)–(h) of the Law):
- only processes personal data in accordance with documented instructions, including with regard to transfers of personal data to a third country or international organisation, except where required to do so by law, in which case the processor will inform the controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest;
- ensures that persons authorised to process personal data respect confidentiality;
- takes all necessary measures in accordance with the security obligations under Article 36 of the Law;
- complies with all the conditions governing sub-processors in the Law;
- assists the controller, through the application of appropriate technical and organisational measures, in fulfilling the controller's obligation to respond to data subject rights requests;
- assists the controller in ensuring compliance with its obligations under Articles 36 – 40 of the Law;
- at the choice of the controller, deletes or returns all personal data to the controller after the completion of the services relating to the processing and deletes existing copies, unless there is a legal obligation to keep copies of the personal data; and
- provides the controller with access to all information necessary to demonstrate fulfilment of the obligations under the contractual relationship, and contributes to audits, including inspections, conducted by the controller or another auditor authorised by the controller.
4.1. Are processors required to assist controllers with handling of data subject requests?
With respect to the contract referred to above in section 3.1., Article 32(3)(e) of the Law provides that data processors are obliged, taking into account the nature of the processing, to assist the controller through the application of appropriate technical and organisational measures, as far as possible, in fulfilling the controller's obligation to respond to requests for exercising the rights of the data subject set out in Chapter III of the Law.
For further information on data subject rights under the GDPR see EU-GDPR Data Subjects Rights.
5.1. Are processors required to keep records of their processing activities?
Each processor and its authorised representative must keep records of all categories of processing operations performed on behalf of the controller, including (Article 34(2) of the Law):
- the name and contact details of the processor or processors and of each controller on whose behalf the processor acts, of the authorised representatives of the controller or processor, and of the data protection officer;
- the categories of processing performed on behalf of each controller;
- transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation and, in the case of such transfers, the documentation of appropriate safeguards; and
- a general description of the technical and organisational security measures outlined under Article 36 of the Law.
Furthermore, the records must be kept in written or electronic form, and the processor or its authorised representative must make them available to the Agency on request (Article 34(4) of the Law).
Additionally, the obligations in relation to records of processing do not apply to a trade company or organisation with fewer than 50 employees, unless the processing of personal data is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of personal data, e.g. data relating to criminal convictions and penalties referred to in Article 14 of the Law (Article 34(5) of the Law).
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
As part of the contract between the controller and processor, the processor must take all necessary measures in accordance with the security obligations under Article 36 of the Law.
If the processing is performed on behalf of the controller, then the controller must only use processors that provide a sufficient guarantee for the application of appropriate technical and organisational measures in such a way that the processing will take place in accordance with requirements of the Law and will provide protection of data subject rights (Article 32(1) of the Law).
In particular, Article 36 states that, taking into account the latest technological advances, the costs of implementation, and the scope and context of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller and processor are obliged to apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (Article 36(1) of the Law):
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing and evaluating the effectiveness of the technical and organisational measures in order to guarantee the security of the processing.
Furthermore, in assessing the appropriate level of security, special consideration should be given to the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or unauthorised access to, personal data transferred, stored, or otherwise processed (Article 36(2) of the Law).
Additionally, adherence to an approved code of conduct may be used as a mechanism to demonstrate compliance with the security obligation under Article 36 of the Law, which the processor is obliged to demonstrate (Article 36(3) and (5) of the Law). Finally, the processor must take measures to ensure that any natural person acting under its authority who has access to personal data does not process that data except on instructions from the controller, unless obliged by law to do so (Article 36(4) of the Law).
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?
Data processors must report a breach to the controller immediately after becoming aware of it (Article 37(2) of the Law).
For more information, see Republic of North Macedonia – Data Breach.
For further information on breach notifications under the GDPR, see EU – GDPR – Data Breach.
8.1. Are subprocessors regulated? If so, what obligations are imposed?
A processor may not engage another processor without the prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to those changes (Article 32(2) of the Law).
Moreover, where the processor engages another processor to carry out specific processing activities on behalf of the controller, the same data protection obligations as those set out in the contract (see section 3) or other legal act between the controller and the processor must be imposed on that other processor by way of a contract or other legal act in accordance with the law, in particular the obligation to provide sufficient guarantees for the application of appropriate technical and organisational measures. If the other processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller for the performance of the other processor's obligations (Article 32(4) of the Law).
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
According to Article 49(4) of the Law, data transfers to countries outside of the EU/EEA which have not been deemed to ensure an adequate level of protection of personal data by the Commission or the Agency are restricted.
Following the publication of the CJEU's judgment C-311/18 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems ('Schrems II') on 16 July 2020, which generally validated the SCCs while invalidating the EU-US Privacy Shield data transfer certification mechanism, the EDPB has released its Recommendations on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, as well as complementary Recommendations on the European Essential Guarantees for Surveillance Measures, aimed at assisting controllers and processors to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.'
For further information on data transfers under the GDPR, see EU – GDPR – Data Transfers.
10.1. Are processors required to assist controllers with regulatory investigations?
Under the Law, data processors must provide the controller with access to all information necessary to demonstrate fulfilment of the obligations under the contractual relationship, and must contribute to audits, including inspections, conducted by the controller or another auditor authorised by the controller. In addition, the processor must immediately notify the controller if, in its opinion, an instruction given by the controller infringes the Law or other regulations relating to the protection of personal data (Article 32(3)(h) of the Law).
11.1. Are processors required to appoint a DPO / representative?
Data Protection Officer ('DPO')
The processor must appoint a DPO when (Article 41(1) of the Law):
- the processing is carried out by a state authority, except for the courts;
- the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or processor consist of extensive processing of special categories of personal data or personal data related to criminal convictions and criminal offenses under Article 14 of the Law.
For further information, see Republic of North Macedonia – Data Protection Officer Appointment.
For further information on DPOs under the GDPR, see: EU - GDPR - Data Protection Officer Appointment.
There are no national variations.
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
There are no national variations.
Authored by OneTrust DataGuidance. DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.