The issue of personal data protection has become particularly relevant in recent years, especially with the development of the digital era. The latest regulation adopted by the EU to govern this issue is the General Data Protection Regulation (Regulation (EU) 2016/679) (hereinafter: GDPR).
The GDPR is not directly applicable in North Macedonia, but as a candidate for membership of the European Union, North Macedonia is in a continuous process of harmonizing its legislation with the EU acquis.
As a result, North Macedonia adopted the Law on Personal Data Protection (hereinafter: Law) which is almost fully in conformity with the GDPR. There are only small variations in some areas which include: specific deadlines for response by the controllers to the subjects’ requests and specific conditions for the data protection officer.
In line with the GDPR, the Law provides for the following main obligations of the controllers:
The controllers have to ensure in each specific case that they have a legal basis for the processing. Some of the bases provided by the Law are: obtaining consent from the subject; processing based on a contract to which the data subject is party; processing based on a legal obligation etc.
The controllers have an obligation to provide the subjects with certain information defined by the Law before starting the processing. This includes information about the controller and the data protection officer, details about the processing (purpose, duration, scope, recipients), information about the rights of the subjects etc. The controllers also have to ensure that the subjects can exercise their rights stipulated by the Law.
The controllers have to identify if they are about to engage with other parties to process personal data on their behalf (processors). In such cases, the main obligations of the controllers are to conduct an analysis of the processor to determine whether it can provide sufficient guarantees to implement the necessary technical and organizational measures required by the Law. The controllers also have to enter into an agreement with the processor to regulate the mutual relations.
With some exceptions, the Law provides obligations for the controllers to keep records of the processing activities. The information that should be included in these records is defined in detail by the Law.
The Law stipulates that the controllers have to implement appropriate technical and organizational measures to ensure protection of the personal data. A detailed list of measures is further given in the Rulebook for Security of the Processing of Personal Data (Official Gazette of Republic of North Macedonia no. 122/20). The controllers also have an obligation to adopt many internal policies to define those measures.
The controllers have to determine if they transfer personal data outside North Macedonia. If the transfer is made to a country within the EU, the controller only has to inform the Agency for Personal Data Protection about the transfer. If the transfer is made to a third country, the Law provides for other specific conditions to be met for the transfer to be considered secure and legal.
The Law provides that when a type of processing is likely to result in high risk to the rights and freedoms of the subjects, especially when introducing new technologies, the controller is obliged to conduct a data protection impact assessment. The Law and the bylaws provide for a list of cases when this analysis is to be carried out.
The Law provides that in most cases, the controllers have an obligation to designate a data protection officer whose responsibility is to ensure that the controller operates within its legal obligations and takes appropriate measures to protect the personal data of the subjects.
The DPO may be employed by the controller or perform the duties on the basis of a service contract.
The conditions that the DPO has to meet before his/her appointment are the following:
These conditions are specific to the Law in North Macedonia and are not provided for in the GDPR.
Even though the GDPR is not directly applicable in North Macedonia, the Macedonian Law on Personal Data Protection is almost in full conformity with the GDPR and provides for the same obligations for the controllers with some minor variations.
The main obligations of the controllers include: ensuring lawfulness of the processing; providing information about the processing to the data subjects; identifying the processors and governing the relations with the processors; keeping records of the processing activities; implementation of technical and organizational measures; identifying transfers of data and taking appropriate legal measures to protect the data; carrying out a data protection impact assessment; designation of a data protection officer.