20 February 2020

The Directorate for Personal Data Protection (‘DZLP’) announced, on 18 February 2020, that the Parliament of the Republic of North Macedonia (‘Parliament’) had adopted, on 16 February 2020, the Law on Personal Data Protection 2020 (‘the Law’). In particular, the Law seeks to harmonise national data protection legislation with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), even though North Macedonia is not an EU Member State. The Law applies to wholly or partially automated personal data processing, if the controller or processor is established in the territory of the Republic of North Macedonia, whether the data is processed on the territory of the Republic of North Macedonia or beyond its borders.

Derogation from GDPR

Anna Rizova and Zhulieta Markova, Partner and Associate respectively at Wolf Theiss, told OneTrust DataGuidance, “The Law is almost entirely aligned with the GDPR, but derogations are mainly introduced in terms of procedure and for certain specific data processing situations. The following derogations and special rules under the Law are to be noted [among others]:

lower threshold for the exemption from keeping records of processing activities;

special requirements for data protection officers, including fluency in Macedonian;

the requirements for personal data transfers envisaged in the Law do not apply to transfers from North Macedonia to countries within the EU/EEA, which are subject only to notification before the Agency for Personal Data Protection (‘the Agency’). Transfers to third countries, on the other hand, should comply with the transfer requirements set out in the Law (similar to the relevant provisions of the GDPR) and also require the prior approval of the Agency;

unless explicitly required by law, the processing of health, genetic and biometric data requires the prior approval of the Agency, even if it is based on the data subjects’ consent; and

processing for direct marketing purposes can only be conducted based on the data subject’s consent.”

Lawful grounds for processing

Article 10 of the Law sets out the legal bases for lawful processing of data. These are the data subject’s consent, the performance of a contract to which the data subject is party, the legal obligations of the controller, the protection of the vital interests of the data subject or another person, and public interest or the performance of a public function as established by law. The Law also provides the controller’s legitimate interest, or the legitimate interest of a third party, as a lawful ground for processing, except where such interest overrides the interests or the underlying rights and freedoms of data subjects, especially when the data subject is a child.

In addition, Article 11 of the Law sets out the terms of consent. If consent is given in writing, the request for consent must be presented in a way that can be clearly distinguished from other terms, and it must be comprehensible and easy to understand. In the case of a child under the age of 14, processing is lawful only if consent is given by the child’s legal representative.

Transforming the DZLP

Gjorgji Georgievski and Marija Serafimovska, Partner and Associate at ODI Law, told OneTrust DataGuidance, “Under the Law, the existing data protection regulatory authority, DZLP, is transformed into the Agency. The Agency is empowered with much broader competencies than its predecessor to oversee the enforcement of the Law, investigate breaches of the Law, and bring legal proceedings where necessary. [The Agency’s mandate] includes to:

promote awareness of the risks, rules, safeguards and rights pertaining to personal data (especially in relation to children);

advise national and governmental institutions on the application of the Law;

hear claims brought by data subjects or their representatives, and inform data subjects of the outcome of such claims;

establish requirements for Data Protection Impact Assessments (‘DPIA’);

encourage the creation of codes of conduct and review certifications;

authorise model clauses and Binding Corporate Rules;

keep records of sanctions and enforcement actions; and

fulfil any other tasks related to the protection of personal data.”

In addition, if the DPIA shows that the processing will cause a high risk to data subjects, controllers must consult the Agency prior to the processing. Furthermore, in case of a personal data breach, the controller must notify the Agency immediately and not later than 72 hours after learning about it, unless it is likely that the breach will not result in a risk to the rights and freedoms of individuals.

With regard to enforcement, Georgievski and Serafimovska added, “The Agency is empowered to impose administrative fines on a controller or processor in breach of the rules of up to 4% of the annual worldwide turnover of the preceding financial year. Additionally, an individual who has suffered harm as a result of the unlawful processing of their personal data has the right to receive compensation from the controller or processor for the harm suffered.”

Way forward

Rizova and Markova continued, “Ensuring compliance with the Law will be a complex and time-consuming process, which will require the involvement of different stakeholders within the company. Practical measures should be taken, such as adopting the required internal documentation and putting in place appropriate technical and organisational measures. Taking into account that compliance with the new legal framework cannot be achieved overnight, Parliament has envisaged a transitional period of 18 months for companies to align their operations with the new requirements.”

The Law will enter into force on 24 February 2020.

