Attorney at law in cooperation with Karanovic & Partners

 

What law(s) specifically govern personal data / information?

The Republic of North Macedonia regulates personal data protection issues with the Law on Personal Data Protection (Official Gazette of the Republic of North Macedonia, nos. 42/20 and 294/21, “DP Law”), effective since 24 February 2020.

 

What are the key data protection principles in this jurisdiction?

The key principles that apply to data protection in North Macedonia are the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.

 

What is the supervisory authority / regulator in charge of data protection?

The Personal Data Protection Agency (“Agency”) is the data protection authority in North Macedonia.

 

Is there a requirement to register with a supervisory authority / regulator?

With the old Law on Protection of Personal Data (2005), data controllers or data processors were required to register their databases in the Agency’s Central Registry of Personal Databases (“Registry”).

Under the current DP Law (2020), the Registry continues to exist only as a registry of databases involving high risk data. Data controllers or data processors must notify the Agency about their respective high-risk databases.

The DP Law does not define what is considered “high risk data”. Instead, it is up to the data controller to determine whether the processing of the personal data may pose a high risk to the rights and freedoms of natural persons, by conducting a Data Protection Impact Assessment (“DPIA”). The Agency has adopted a List of the Types of Operations for which a DPIA is required, which include, among others: (i) systemic profiling or automated decision making; (ii) processing of special categories of personal data; (iii) large scale processing of special categories of personal data; (iv) use of new technologies, etc.

Data controllers or data processors are also required to report subsequent changes to registration details within 30 days of change.

Data controllers or data processors are required to keep records of the collected data and are obliged to submit them to the Agency at the Agency’s request, without any fee.

 

Is there a requirement to notify the supervisory authority / regulator?

Yes, there is a requirement to notify in specific cases, such as: (i) use of technology which is likely to pose a high risk to personal data subjects; (ii) cross-border data transfers; (iii) a personal data breach; and (iv) the appointment of a data protection officer.

When using technologies for some types of processing, which are likely to pose a high risk to the rights and freedoms of natural persons (e.g. in terms of the nature, scope, context and purposes of personal data processing), the data controller must inform the Agency.

The notification shall contain the following:

  • the name of the personal databases;
  • the name (the name and surname or company name), and contact information of the data controller, of all joint controllers (if applicable), of the authorised representative of the data controller (if applicable), and of the personal data protection officer;
  • the purpose or purposes of the processing;
  • the legal basis for establishing the personal databases;
  • a description of the categories of the personal data subjects and of the categories of the personal data relating to them;
  • the categories of users to whom the personal data are being, or will be disclosed, including users in third countries or international organisations;
  • how long the personal data will be stored, i.e. the planned deadlines for deletion of the different categories of personal data;
  • the transfer of personal data to a third country or international organisation; and
  • a general description of the technical and organisational measures used.

The notification is submitted by the data controller in electronic form through the Agency’s website for the purpose of recording the processing of high-risk data.

In case of transfer of personal data to a member state of the EU/EEA, both data controllers and data processors must inform the Agency.

For the transfer of personal data to third countries and international organisations for which no adequacy decision was made and no prescribed transfer safeguard is available, the data controller or the data processor is required to submit a request for approval of the transfer to the Agency. The request is submitted electronically through the Agency's e-reporting system or by email in a scanned copy, no later than 15 days before the start of the transfer of personal data.

In case of a data breach, please refer to our answer below regarding data breach notification requirements.

The data controller or data processor has an obligation to publish the contact information of the data protection officer and to notify the Agency accordingly. The contact information includes a telephone number and email address of the data protection officer. In practice, the decision appointing the data protection officer, adopted by the data controller, is submitted to the Agency.

 

Is it possible to register with / notify the supervisory authority / regulator online?

https://dzlp.mk/

https://eprijavi.privacy.mk/login

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Data subjects are entitled to a range of rights under the DP Law, including the right of access, the right to rectification, the right to erasure (‘right to be forgotten’), the right to restriction of processing, the right to data portability, the right to object, and the right not to be subject to automated decision making, including profiling.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes, a data protection officer must be appointed when: (i) personal data is processed by a state authority; (ii) the data processing requires the regular and systematic monitoring of data subjects on a large scale; or (iii) the basic activities of the data controller or data processor consist of processing of special categories of personal data or personal data connected to criminal offences on a large scale.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

When it is likely that the use of new technologies for the processing of data may pose a high risk to the rights and freedoms of natural persons, a DPIA is required prior to such processing taking place.

 

Does this jurisdiction have any specific data breach notification requirements?

In case of a data breach, data controllers are obliged to notify the Agency immediately (and in any case not longer than 72 hours) after discovering the data breach.

If the breach poses a high risk to the rights and freedoms of data subjects, the data subjects must be immediately notified, in a clear and easily understandable manner, unless: (i) appropriate technical and organisational measures have been implemented to ensure the personal data would be unrecognisable to unauthorised persons; or (ii) additional measures have been implemented to ensure that there is no longer a high risk to the rights and freedoms of data subjects.

The notification must be submitted using a special form prescribed by the Agency.

 

What restrictions apply to the international transfer of personal data / information?

When transferring personal data to the EU/EEA, entities must notify the Agency at least 15 days before the transfer.

In other cases, the best approach is to rely on standard contractual clauses adopted by the Agency or the European Commission which are adopted between the transferring entities.

Companies can also rely on other transfer safeguards, such as approved binding corporate rules, codes of conduct and certification mechanisms, and in certain specific situations there are other alternatives to be considered (such as the data subject’s explicit consent, necessity for the establishment, exercise or defence of legal claims, or even the company’s compelling legitimate interests). However, note that in practice the Agency still insists on approving each of the above transfers itself, even though the DP Law does not require this.

If none of the above is available, the transfer may be conducted only if the Agency provides its prior approval.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, the DP Law applies to the processing of personal data of local data subjects by a controller or processor not established in North Macedonia, if the processing activities are related to the offering of goods and services (irrespective of whether payment by the data subject is required) or to the monitoring of their behaviour, insofar as that behaviour takes place in North Macedonia.

 

What rules specifically deal with marketing?

The DP Law regulates the processing of personal data for purposes of direct marketing.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

In cases of business-to-consumer (i.e. data subject – natural person) marketing, prior consent from the data subject is required, as well as an opt-out option.

Business-to-business marketing falls out of the scope of the DP Law, and therefore no prior consent is required.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Under the DP Law, processing of personal data for the purpose of electronic (direct) marketing (including profiling) is permitted only upon obtaining explicit consent from the data subject. The data subject has the right to object against processing of their personal data for the purposes of direct marketing.

The same rules apply under the applicable Law on Electronic Communication, which prohibits unsolicited electronic marketing to natural persons, while businesses are protected only to the extent that they must be provided with an opt-out option.

 

What rules specifically deal with cookies?

The Rulebook on the Security of Personal Data Processing (122/2020) briefly touches on the use of cookies when securing the data on the data controller’s web page. Namely, when using cookies which are not necessary for the service, the data controller should obtain the internet user’s prior consent, after informing them about the cookie, before the cookie is placed.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Legal entities can be fined up to 2% (this applies, for example, to processing of personal data contrary to the provisions on direct marketing) and up to 4% of the total annual turnover from the previous financial year, whereas smaller fines of several hundred euros are envisioned for the responsible person within the legal entity, as well as for data controllers and data processors who are natural persons.

Additionally, a fine ranging between EUR 1,000 and EUR 10,000 is envisioned for data controllers – legal entities who do not adhere to the video surveillance requirements.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

Data controllers or data processors which are not located in North Macedonia are obliged to appoint an authorised representative when processing personal data from data subjects located in North Macedonia, except when (i) the processing is periodical, (ii) it does not include processing of special categories of personal data, or (iii) it is not expected to cause a risk to the rights and freedoms of natural persons.

 

What upcoming data protection developments should multinational organisations be aware of?

Currently, there are no new announced data protection developments in North Macedonia.

 

Ljupka Noveska Andonova
Attorney at law in cooperation with Karanovic & Partners
North Macedonia


Ana Kashirska
Attorney at law in cooperation with Karanovic & Partners
North Macedonia