Attorney at law in cooperation with Karanovic & Partners
The following law(s) specifically govern personal data / information:
The Republic of North Macedonia regulates personal data protection issues with the Law on Personal Data Protection (Official Gazette of the Republic of North Macedonia, no. 42/20, “DP Law”), effective since 24 February 2020.
The key data protection principles in this jurisdiction are:
The key principles that apply to data protection in North Macedonia are the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability.
The supervisory authority / regulator in charge of data protection is:
The Personal Data Protection Agency (“Agency”) is the data protection authority in North Macedonia.
Is there a requirement to register with a supervisory authority / regulator?
With the old Law on Protection of Personal Data (2005), data controllers or data processors were required to register their databases in the Agency’s Central Registry of Personal Databases (“Registry”).
Under the current DP Law (2020), the Registry continues to exist only as a registry of databases involving high risk data. Data controllers or data processors must notify the Agency about their respective high-risk databases.
The DP Law does not define what is considered as “high risk data”. Instead, it is up to the data controller to determine whether the processing of the personal data may pose a high risk to the rights and freedoms of the natural persons, by conducting a Data Protection Impact Assessment (“DPIA”). The Agency has adopted a List of the Types of Operations for which a DPIA is required, which include, among others: (i) systemic profiling or automated decision making; (ii) processing of special categories of personal data; (iii) large scale processing of special categories of personal data; (iv) use of new technologies, etc.
Data controllers or data processors are also required to report subsequent changes to registration details within 30 days of change.
Data controllers or data processors are required to keep records of the collected data and are obliged to submit them to the Agency at the Agency’s request, without any fee.
Is there a requirement to notify the supervisory authority / regulator?
Yes, there is a requirement to notify in specific cases, such as: (i) use of technology which is likely to pose a high risk to data subjects; or (ii) cross-border data transfers.
When using technologies for some types of processing, which are likely to pose a high risk to the rights and freedoms of natural persons (e.g. in terms of the nature, scope, context and purposes of personal data processing), the data controller must inform the Agency.
The notification shall contain the following:
- the name of the personal databases;
- the name (the name and surname or company name), and contact information of the data controller, of all joint controllers (if applicable), of the authorized representative of the data controller (if applicable), and of the personal data protection officer;
- the purpose or purposes of the processing;
- the legal basis for establishing the personal databases;
- a description of the categories of the personal data subjects and of the categories of the personal data relating to them;
- the categories of users to whom the personal data are being, or will be, disclosed, including users in third countries or international organizations;
- how long the personal data will be stored, i.e. the planned deadlines for deletion of the different categories of personal data;
- the transfer of personal data to a third country or international organization; and
- a general description of the technical and organizational measures used.
The notification is submitted by the data controller in electronic form through the Agency’s website for the purpose of recording the processing of high-risk data.
In case of transfer of personal data to a member state of the EU/EEA, both data controllers and data processors must inform the Agency.
For the transfer of personal data to third countries and international organizations for which no adequacy decision was made and no prescribed transfer safeguard is available, the data controller or the data processor is required to submit a request for approval of the transfer to the Agency. The request is submitted electronically through the Agency's e-reporting system or by e-mail in a scanned copy, no later than 15 days before the start of the transfer of personal data.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
Data subjects are entitled to a range of rights under the DP Law, including right of access, right to rectify, right to erasure (‘right to be forgotten’), right to restrict processing, right to data portability, right to object, right not to be subject to automated decision making, including profiling.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, a data protection officer must be appointed when: (i) personal data is processed by a state authority; (ii) the data processing requires the regular and systematic monitoring of data subjects; or (iii) the basic activities of the data controller or data processor consist of processing of special categories of personal data or personal data connected to criminal offenses on a large scale.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
When it is likely that the use of new technologies for the processing of data may pose a high risk to the rights and freedoms of natural persons, a DPIA is required prior to such processing taking place.
Does this jurisdiction have any specific data breach notification requirements?
In case of a data breach, data controllers are obliged to notify the Agency immediately (and in any case no later than 72 hours) after discovering the data breach.
If the breach poses a high risk to the rights and freedoms of data subjects, the data subjects must be immediately notified, in a clear and easily understandable manner, unless: (i) appropriate technical and organizational measures have been implemented to ensure the personal data would be unrecognizable to unauthorized persons; or (ii) additional measures have been implemented to ensure that there is no longer a high risk to the rights and freedoms of data subjects.
The notification must be submitted using a special form prescribed by the Agency.
The following restrictions apply to the international transfer of personal data / information:
When transferring personal data to the EU/EEA, entities must notify the Agency at least 15 days before the transfer.
In other cases, the best approach is to rely on standard contractual clauses adopted by the Agency or the European Commission, which are concluded between the transferring entities.
The companies can also rely on other transfer safeguards, such as the approved binding corporate rules, codes of conduct and certification mechanisms, and in certain specific situations there are other alternatives to be considered (such as the data subject’s explicit consent, necessity for the establishment, exercise or defence of legal claims, or even the company’s compelling legitimate interests). However, note that in practice the Agency still insists on the need for it to approve each of the above transfers, despite the fact that the DP Law does not require this.
If none of the above is available, the transfer may be conducted only if the Agency provides its prior approval.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the DP Law applies to the processing of personal data of local data subjects by a controller or processor not established in North Macedonia, if the processing activities are related to the offering of goods and services (irrespective of whether payment by the data subject is required) or the monitoring of their behaviour, insofar as that behaviour takes place in North Macedonia.
The following rules specifically deal with marketing:
The DP Law regulates the processing of personal data for purposes of direct marketing.
Do different rules apply to business-to-business and business-to-consumer marketing?
In cases of business-to-consumer (i.e. data subject – natural person) marketing, prior consent from the data subject is required, as well as an opt-out option.
Business-to-business marketing falls outside the scope of the DP Law, and therefore no prior consent is required.
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
Under the DP Law, processing of personal data for the purpose of electronic (direct) marketing (including profiling) is permitted only upon obtaining explicit consent from the data subject. The data subject has the right to object against processing of their personal data for the purposes of direct marketing.
The same rules apply under the applicable Law on Electronic Communication, which prohibits unsolicited electronic marketing to natural persons, while businesses are protected only to the extent that they must be provided with an opt-out option.
The following rules specifically deal with cookies:
The consequences of non-compliance with data protection laws (including marketing laws) are:
A legal entity can be fined up to 2% (for processing of personal data contrary to the provisions on direct marketing) or up to 4% (for other non-compliance with the DP Law) of its total annual turnover for the previous financial year, whereas smaller fines of several hundred euros are envisioned for the responsible person within the legal entity, as well as for data controllers and data processors who are natural persons.
Additionally, a fine ranging between EUR 1,000 and EUR 10,000 is envisioned for data controllers – legal entities who do not adhere to the video surveillance requirements.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Data controllers or data processors that are not located in North Macedonia are obliged to appoint an authorised representative when processing personal data of data subjects located in North Macedonia, except when (i) the processing is periodical, (ii) it does not include processing of special categories of personal data, or (iii) it is not expected to cause a risk to the rights and freedoms of natural persons.
Multinational organisations should be aware of the following upcoming data protection developments:
Currently, there are no new announced data protection developments in North Macedonia.