The processing of personal data via video surveillance in North Macedonia is generally subject to the Law on Personal Data Protection (Official Gazette of Republic of North Macedonia no. 42/20 and 294/21) (hereinafter as the Law) and the by-laws adopted by the Personal Data Protection Agency.
The Macedonian legislation in this area is aligned with the General Data Protection Regulation (Regulation (EU) 2016/679) and the Guidelines 3/19 on processing of personal data through video devices adopted by the European Data Protection Board.
In this text we will present the main obligations for the controllers and main requirements for lawfulness of the processing of personal data through video surveillance systems.
The Law permits processing of personal data via video surveillance systems for the following purposes:
Therefore, the controllers must first conduct an analysis to determine the purposes for which the video surveillance system is installed and determine if those purposes fall within the legal framework. The next step is to adjust the entire video surveillance system according to the purposes.
Video surveillance can only be conducted within the necessary area to achieve its objectives and it is forbidden to be in operation in wardrobes, changing rooms, sanitary units, and similar places where the interests or fundamental rights and freedoms of the data subjects would override the interests of the controllers for monitoring.
If the controllers want to conduct video surveillance of a publicly available space on a large scale, they first have to make an assessment of the impact on the protection of personal data.
The controllers have to apply appropriate technical and organizational measures in line with the Law and the by-laws in order to ensure protection of the personal data.
The controllers performing video surveillance are obliged to display a clear and visible notification, in a way that allows the data subjects to become familiar with the video surveillance (easily noticeable, positioned approximately at eye level, etc.).
For this purpose, the Personal Data Protection Agency has adopted a form of notification which contains basic information for the identity of the controllers and the data protection officer, details of the purposes of processing, the rights of the data subjects, etc.
However, the controllers have to provide more detailed information to the data subjects, especially information regarding the rights of the data subjects. This can be done, for example, by way of publishing an information sheet on the website on the controllers or making it available at their reception desk.
The Law provides that the recordings should be stored until the set objectives are fulfilled, but not longer than 30 days. The recording can be stored for a longer period only if another law which includes protective measures and other measures for the protection of rights and freedoms of the data subjects provides for a longer period of storage.
The Law stipulates that only authorized persons may process data collected by video surveillance systems. For this purpose, the controllers must grant special authorization.
The authorized persons have to sign a declaration of ensuring the security of personal data processing via the video surveillance system.
According to the Law, the controllers have an obligation to adopt Video Surveillance Policy which shall contain all the relevant information pertaining to the video surveillance.
This includes: indication of the purposes for which the personal data are processed; categories of personal data processed; technical and organizational measures to ensure the security of the personal data; persons authorized to process the personal data; storage period of video surveillance recordings; technical specifications of the equipment, placement of the video surveillance system and other information.
The Law stipulates that the controller is obliged to periodically evaluate the results achieved by the video surveillance system every two years.
The objective of this evaluation is to establish:
This evaluation should serve as a guidance on whether and how to proceed with the processing of personal data through video surveillance system.
The processing of personal data through video surveillance in North Macedonia is generally subject to the Law on Personal Data Protection and the adopted by-laws in line with the GDPR.
In order to comply with the Law, the controllers have to meet various obligations, such as: conduct an analysis and define the purposes of the processing, optimize of the surveillance area, apply appropriate technical and organizational measures, notify the data subjects of the processing, ensure that the recordings are deleted after the defined period of storage, issue authorization for the processing, adopt a video surveillance policy, evaluate the results of the processing and other obligations.