North Macedonia's data protection law: ten months to comply

16 October 2020 | newsletters

Authors: Marija Vlajković and Andrea Lazarevska

It has been exactly eight months since the Republic of North Macedonia adopted the new Law on Personal Data Protection ("Law"), largely in compliance with the GDPR, entering into force only a few days after it was promulgated. Controllers and processors were afforded 18 months in which to align their operations with the new Law. While some have already done so, others have 10 months to comply with the provisions.

Some of the most important novelties are set out below:

High penalties introduced in line with the GDPR

The Law prescribes significantly higher penalties for controllers and processors compared to the previous Law on Data Protection. Under the new Law, the fines are set at up to 4 % of the company's total annual income in the preceding financial year. Under the previously valid Law on Data Protection, the maximum fine was only EUR 2,000.

Extension of the territorial application of the Law

The more precisely defined and extended territorial application of the Law is a significant change, as it applies to the processing of personal data by a controller or processor established in Macedonia, regardless of whether the data processing is carried out in Macedonia or outside its borders.

The application of the Law has also been extended to the processing of personal data of persons from Macedonia by controllers or processors not established in Macedonia, if the processing activities are related to the offer of goods or services to a data subject in Macedonia, whether for payment or not, and to monitoring the activities of the data subject if carried out in Macedonia. In addition, the Law is applied to personal data processing by a controller not established in Macedonia but in a territory where the law of Macedonia is applicable by virtue of international public law.

Video surveillance

The Law envisages much higher penalties for violations by the controller of the video surveillance provisions, ranging from EUR 1,000 to EUR 10,000. Currently, the maximum penalty for such a violation is EUR 1,000.

Damage compensation and liability

The Law more precisely defines damage compensation as material and non-material. Crucially, the Law envisages liability for damage compensation not just for the controller, but also for the processor, i.e. the right of the person who suffered damages to sue the controller or processor. Additionally, the Law envisages joint responsibility (солидарна одговорност) for controllers or processors allowing for the damaged person to request damage compensation from any controller or processor, thus opening the possibility for the controller or the processor who paid the full damage compensation to request from the other controllers or processors compensation corresponding to their part of the liability for the damage caused. However, this might lead to additional court proceedings.

Transfer of personal data to third countries and international organisations

Unlike the previous law, the Law regulates not only the transfer of personal data to third countries, but also to international organisations, including the further transfer from third countries or international organisations to other third countries or international organisations.

Under the Law, the transfer to a third country or international organisation is possible (i) if the Macedonian Agency for personal data protection ("Agency"), upon an assessment reaches a decision that the third country or international organisation provides an adequate level of protection, (ii) without assessing whether the third country or international organisation provides for an adequate level of protection, i.e. if the controller or the processor doing the transfer provides appropriate protection measures (having obligatory corporate rules included in the appropriate measures), and (iii) without reaching a decision on whether the third country or international organisation provides an adequate level of protection or the controller or the processor doing the transfer provides appropriate protection measures (having obligatory appropriate measures included in the appropriate measures), but by fulfilling one of the explicitly defined cases in the Law, such as if the data subject has provided explicit consent to the data transfer.  

Consent to processing

Unlike the previously applicable law, which requires a handwritten form of consent, the Law now includes an extended definition of consent. Consent is now defined as any freely given, specific, informed and unambiguous expression of will of the personal data subject, by which that person, through a statement or clear affirmative act (дејствие), grants their consent to the processing of personal data relating to them.

For the first time, the consent to processing of the personal data of a child is prescribed. Thus, in relation to directly offering information society services to a child, the processing of the personal data of a child will be lawful where the child is at least 14 years old. If the child is below 14, it is lawful only if the consent is given or allowed by the child's legal representative.

In this respect, the Law complies with the GDPR as the age limit for the lawfulness of the consent is not below 13.

Rights of data subjects

Notification of breach:

The controller is obliged to notify the data subject of the breach without delay if the breach can result in a high risk to the data subject's rights and freedoms.

Right to access:

The controller is obliged at the data subject's request to provide a copy of the data being processed free of charge. The delivery may also be made electronically. This change significantly increases transparency and improves the position of data subjects.

Right to correction of data: 

This right allows incorrect data about the data subject to be corrected, without undue delay. In addition, the data subject has the right to supplement incomplete personal data by providing an additional statement.

Right to erasure of data: 

The data subject is entitled to ask the controller to erase personal data, to cease further data transmission, and to stop the processing of data by third parties in the case of erasure of data.
Data must be erased if it is no longer necessary to achieve the purpose of the processing or if consent to processing has been revoked. When deciding on a request for data erasure, it is also necessary to consider the public interest in the availability of these data, which may outweigh the private interest in erasing it, in which case there will be no erasure (the Law prescribes other exceptions from this rule).

Right to limit the scope of processing: 

The data subject is entitled to limit the processing of their data by the controller in the following cases: (i) if the data subject contests the accuracy of the data; (ii) if the processing is illegal, and the data subject is opposed to erasure and instead requests restriction of the use of the data; (iii) if the controller no longer needs the personal data for the purpose of the processing, but the data subject requested it for the purpose of submitting, exercising or defending a legal claim; and (iv) if the data subject has lodged an objection to the processing, and the assessment of whether the legal basis for processing by the controller prevails over the interests of that person is ongoing.

Right to data portability:

The person that previously provided data to the controller will have the right to receive the data from the controller in a structured, commonly used and machine-readable format, and the right to transmit this information to another controller, without interference from the first controller.

More precise and detailed definition of personal data

The Law introduces a more precise and detailed definition of personal data to ensure the broadest legal protection possible for individuals. Personal data is thus defined as any data that refers to a natural person whose identity has been determined or is determinable, directly or indirectly, based on identity parameters, such as name or identification number, location data, identifiers in electronic communication networks or one or more features of the person's physical, physiological, genetic, mental, economic, cultural or social identity. According to the Law, a natural person can now be determined based on identifiers in electronic communication networks, based on their devices, applications, tools and protocols, such as internet address protocols, cookie identifiers or other identifiers, such as radio frequency labels.

Protection measures

The controller will be obliged to implement necessary protection mechanisms during processing to protect the rights and freedoms of data subjects.

When determining the processing method, or during processing, the controller will be obliged to (i) use appropriate technical and organisational measures, such as pseudonymisation, aimed at ensuring the effective application of personal data protection principles, such as reducing the amount of data; and (ii) ensure the application of necessary protection mechanisms during processing to meet conditions for processing as prescribed by the Law and to protect the rights of data subjects.

The controller is obliged to ensure through the application of technical and organisational measures that only those personal data necessary for the realisation of each individual processing purpose are processed in an integrated manner. This refers to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. These measures need to ensure that the personal data, without the consent of the data subjects, are not automatically available to an unlimited number of natural persons.

Legal remedies and liability

The Law abandons the right to appeal as a legal remedy and prescribes the right to directly initiate an administrative dispute against the decisions rendered by the Agency. Another legal remedy available to the data subject is an objection to the controller on the manner in which their personal data are processed.

More complete regulation of personal data security

Several personal data protection measures (technical and organisational) are prescribed:

  • pseudonymisation and cryptographic data protection; 
  • ensuring indefinite confidentiality, integrity, availability and resilience of processing systems and services; 
  • re-access and availability in case of physical or technical disruption; and 
  • regular testing, assessment and evaluation of processing safety measures.

Notification of a personal data breach to the Agency

Not later than 72 hours after having become aware of a personal data breach, the controller is obliged to notify the Agency, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Privacy impact assessment (PIA)

If some type of processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular due to the use of new technologies and taking into account the nature, scope, circumstances and purpose of processing, before starting the processing the controller will assess its impact on personal data protection. The Law further specifies cases in which an impact assessment is required. These include large-scale systematic surveillance in public areas, and systematic and comprehensive assessment of the status and characteristics of a natural person with the aid of automated processing, including profiling, etc.

Data protection officer (DPO)

Under the previously adopted law on personal data protection, the controller does not have an obligation to appoint a DPO if (i) it does not have more than 10 employees, or (ii) the processing refers to the personal data of members of associations founded for political, philosophical, religious or trade-union purposes.

The Law provides that the DPO will have to be appointed when the core activities of the controller or processor consist of processing operations which, by their nature, scope or purpose, require regular and systematic monitoring of many data subjects or processing of special categories of data or processing of personal data related to criminal convictions and criminal acts specified in the Law.

Conclusion

Although the Law has largely adopted provisions and solutions from the GDPR, it remains to be seen whether its effective implementation will be achieved or if Macedonia will remain behind EU countries with respect to fundamental rights to privacy and personal data protection.

Marija Vlajković

Local Partner

T: +382 20 228 137
m.vlajkovic@schoenherr.eu

country:

north macedonia

topics