Key contact
-
Data protection
- 1. Local data protection laws and scope
- 2. Data protection authority
- 3. Anticipated changes to local laws
- 4. Sanctions & non-compliance
- 5. Registration / notification / authorisation
- 6. Main obligations and processing requirements
- 7. Data subject rights
- 8. Processing by third parties
- 9. Transfers out of country
- 10. Data Protection Officer
- 11. Security
- 12. Breach notification
- 13. Direct marketing
- 14. Cookies and adtech
- 15. Risk scale
- 16. Useful links
-
Cybersecurity
- 1. Local cybersecurity laws and scope
- 2. Anticipated changes to local laws
- 3. Application
- 4. Authority
- 5. Key obligations
- 6. Sanctions & non-compliance
- 7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
- 8. National cybersecurity incident management structure
- 9. Other cybersecurity initiatives
- 10. Useful links
jurisdiction
- Albania
- Algeria
- Angola
- Austria
- Belgium
- Bosnia and Herzegovina
- Brazil
- Bulgaria
- Chile
- China
- Colombia
- Croatia
- Czech Republic
- France
- Germany
- Hong Kong
- Hungary
- India
- Italy
- Kenya
- Luxembourg
- Mexico
- Monaco
- Montenegro
- Morocco
- Netherlands
-
North Macedonia
- Norway
- Oman
- Peru
- Poland
- Portugal
- Romania
- Saudi Arabia
- Serbia
- Singapore
- Slovakia
- Slovenia
- South Africa
- Spain
- Sweden
- Switzerland
- Turkiye
- UAE
- Ukraine
- United Kingdom
Data protection
1. Local data protection laws and scope
The Law on Personal Data Protection (“LPDP”) (Official Gazette No. 42/2020 and its subsequent amendments) is the primary data protection legislation in North Macedonia. It was published in the Official Gazette on 16 February 2020, entered into force on 24 February 2020, and became fully applicable on 24 August 2021. The LPDP is substantially aligned with the EU General Data Protection Regulation (“EU GDPR”) (Regulation (EU) 2016/679), reflecting North Macedonia’s status as an EU candidate country and its ongoing legislative harmonisation with the EU acquis communautaire.
The LPDP replaced the previous Law on Personal Data Protection of 2005 (as amended) and introduced a modern data protection framework based on the core principles and requirements of the EU GDPR. It applies to the processing of personal data wholly or partly by automated means, and to the processing by other means of personal data which form part of a filing system or are intended to form part of a filing system. The LPDP has both a material and territorial scope modelled on the EU GDPR, applying to controllers and processors established in North Macedonia and, in certain circumstances, to those outside the country who process the personal data of individuals in North Macedonia.
The Law on Electronic Communications (“LEC”) (Official Gazette No. 135/2025, as amended) also contains provisions relevant to data protection, particularly in relation to the privacy of electronic communications, direct marketing and cookies/tracking technologies.
2. Data protection authority
The Agency for the Protection of Personal Data (Агенција за заштита на личните податоци) (“APPD” or “AZLP”) is the independent supervisory authority responsible for monitoring and enforcing the application of the LPDP. The APPD’s website is: www.azlp.mk.
3. Anticipated changes to local laws
As an EU candidate country, North Macedonia continues to align its data protection framework with EU law and the input provided by the European Commission.
The APPD periodically issues secondary legislation, guidelines and recommendations to supplement the LPDP. Organisations should monitor the APPD’s publications for updated guidance on specific data protection topics.
4. Sanctions & non-compliance
Fines: The APPD has the power to impose administrative fines for infringements of the LPDP. In line with the EU GDPR model, the LPDP provides for two tiers of administrative fines:
For more serious infringements (e.g. breaches of core processing principles, data subject rights, or international transfer rules): fines of up to 4% of the total annual worldwide turnover of the preceding financial year for legal entities and fines in amount between EUR 100 and EUR 500 for individuals acting as authorized person in a legal entity, official in a state body or a controller/processor.. For other infringements (e.g. breaches relating to records of processing, data protection impact assessments, or data protection officer obligations): fines of up to 2% of the total annual worldwide turnover of the preceding financial year for the entity and fines in amount between EUR 100 and EUR 500 for individuals acting as authorized person in a legal entity, official in a state body or a controller/processor..
The APPD may also issue warnings, reprimands, orders to comply (including to bring processing into compliance within a specified period), and orders to communicate a personal data breach to data subjects. The APPD has the power to impose temporary or definitive limitations on processing, including a ban.
Criminal sanctions: The Criminal Code of North Macedonia includes offences relating to the unlawful collection, processing and use of personal data. Individuals responsible for such offences may face monetary penalty or imprisonment, while the legal entities responsible for such offences may face monetary penalty.
Data subjects who have suffered material or non-material damage as a result of an infringement of the LPDP have the right to seek compensation from the controller or processor through the courts.
5. Registration / notification / authorisation
Under the LPDP, the previous requirement to register data processing operations (filing systems) with the APPD has been abolished, in line with the EU GDPR approach. Instead, controllers and processors with 50 or more employees are required to maintain internal records of processing activities in accordance with the LPDP. Controllers and processors fewer than 50 employees are required to maintain internal records of processing activities in accordance with the LPDP if the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.
There is no general requirement for prior authorisation from the APPD before commencing processing, although in certain cases a data protection impact assessment (“DPIA”) must be carried out before processing begins, and the APPD must be consulted where a DPIA indicates that the processing would result in a high risk to data subjects in the absence of mitigation measures.
6. Main obligations and processing requirements
The LPDP is substantially aligned with the EU GDPR and sets out the same core data protection principles that apply to controllers:
Lawfulness, fairness and transparency: Personal data must be processed on a valid lawful basis, in ways that are transparent to individuals. The lawful bases for processing under the LPDP mirror those under the EU GDPR, namely: consent, performance of a contract, legal obligation, vital interests, public interest/official authority, and legitimate interests.
Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data minimisation: Only personal data that is adequate, relevant and limited to what is necessary for the stated purpose(s) may be processed.
Accuracy: Personal data must be accurate and, where necessary, kept up to date; reasonable steps should be taken to correct or delete inaccuracies without delay.
Storage limitation: Personal data must be kept only for as long as necessary for the purposes for which it is processed.
Integrity and confidentiality (security): Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Accountability: Controllers are responsible for, and must be able to demonstrate, compliance with all of the above principles through appropriate policies, records and governance.
Special categories of personal data: Where special categories of personal data are processed (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, or data concerning sex life or sexual orientation), a lawful basis under the general processing provisions must be met, plus one of a further set of more stringent conditions specified in the LPDP (modelled on Article 9 of the EU GDPR).
Children’s data: The LPDP sets the age threshold for children’s consent in relation to information society services at 14 years. Below this age, consent must be given or authorised by the holder of parental responsibility.
7. Data subject rights
Individuals have substantially the same core data protection rights as are set out under the EU GDPR:
Right to be informed: Controllers must provide transparent information to individuals about how their personal data is collected and processed, including the purposes of processing, the applicable lawful basis, recipients of personal data, details of international transfers, retention periods and the rights available. This information is usually provided via a privacy notice.
Right of access: Individuals can obtain confirmation as to whether their personal data is being processed and, if so, receive a copy of the data together with information about the processing.
Right to rectification: Individuals can have inaccurate personal data corrected and incomplete data completed.
Right to erasure (“right to be forgotten”): Individuals can request deletion of their personal data in specific circumstances, including where the data is no longer necessary for the purposes for which it was collected, where consent has been withdrawn, or where the data has been unlawfully processed.
Right to restrict processing: Individuals can restrict processing of their personal data in certain cases, such as where the accuracy of the data is contested or where the processing is unlawful but the individual opposes erasure.
Right to data portability: Individuals can, in certain cases, receive personal data they have provided to a controller in a structured, commonly used, machine-readable format, and have it transmitted to another controller.
Right to object: Individuals can object to processing based on legitimate interests or public interest grounds. There is also an absolute right to object to processing for direct marketing purposes (including related profiling).
Rights in relation to automated decision-making, including profiling: Individuals have protections against decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. They are entitled to obtain human intervention, express their view and contest the decision.
Consent withdrawal: Where processing relies on consent, individuals can withdraw consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.
Complaints and remedies: Individuals can lodge a complaint with the APPD and may also seek a judicial remedy (including compensation) for infringements of the LPDP.
8. Processing by third parties
The position under the LPDP is substantially aligned with the EU GDPR, as follows:
Due diligence: Controllers must select processors on the basis of sufficient guarantees that the processor will implement appropriate technical and organisational measures to meet the requirements of the LPDP and ensure the protection of data subject rights.
Mandatory contract terms (processor agreement): A written contract must be put in place with the processor, which must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, categories of data subjects, and the controller’s obligations and rights. The contract must require the processor to: process only on documented instructions of the controller (including in relation to international transfers), unless required by law; ensure persons authorised to process the data are under an appropriate duty of confidentiality; implement appropriate security measures; obtain the controller’s prior written authorisation for the appointment of any sub-processor and impose on each sub-processor the same data protection obligations; assist the controller in responding to data subject rights requests; assist the controller with security, breach notification, DPIAs and prior consultation obligations; at the controller’s choice, delete or return all personal data after the end of services; and make available all information necessary to demonstrate compliance and allow for audits/inspections.
Joint controllers: Joint controllers must have a transparent arrangement between them setting out agreed roles and responsibilities for complying with the LPDP.
9. Transfers out of country
The LPDP regulates the transfer of personal data to third countries or international organisations outside North Macedonia. Transfers are permitted where the APPD has determined that certain third country or international organisation ensures an adequate level of protection. The EU, EEA and NATO countries are generally treated as providing adequate protection and for transfer of personal data in the above mentioned countries only notification should be submitted to the APPD.
In the absence of an adequacy determination, transfers may be made subject to appropriate safeguards, including: standard contractual clauses (“SCCs”) adopted or approved by the APPD; binding corporate rules (“BCRs”) approved by the APPD; codes of conduct or certification mechanisms, together with binding and enforceable commitments of the controller or processor in the third country.
Certain derogations are available in limited circumstances, including explicit consent of the data subject, necessity for the performance of a contract, important reasons of public interest, the establishment, exercise or defence of legal claims, and the protection of vital interests.
10. Data Protection Officer
The LPDP incorporates data protection officer (“DPO”) provisions that are substantially aligned with the EU GDPR (Articles 37–39). The rules can be summarised as follows:
Circumstances when a DPO is mandatory (for both controllers and processors):
- Public authorities/bodies: All public authorities or bodies must appoint a DPO (courts acting in a judicial capacity are excluded).
- Large-scale monitoring: A DPO is required where an organisation’s core activities require the regular and systematic monitoring of individuals on a large scale.
- Large-scale special category/criminal data: A DPO is required where an organisation’s core activities consist of the large-scale processing of special category data or data relating to criminal convictions/offences.
If none of the above factors apply, appointment of a DPO is not mandatory, but voluntary appointment is permitted.
Who can be DPO: The DPO may be an employee or an external provider. A single DPO can serve a group of entities provided they are easily accessible from each establishment. The DPO must have expert knowledge of data protection law and practices. The DPO’s other roles within the organisation must not lead to a conflict of interest (i.e. the DPO must not determine the purposes or means of processing).
Position and tasks: The DPO must be involved in a timely manner in all data protection issues and must have necessary resources and access to personal data and processing operations. The DPO must report to the highest management level and must be able to work independently.
The DPO’s core tasks include informing and advising the organisation and employees of their data protection obligations; monitoring compliance with the LPDP and internal policies; advising on data protection impact assessments; and co-operating with and acting as the contact point for the APPD.
11. Security
The LPDP’s security provisions are substantially aligned with the EU GDPR. The rules can be summarised as follows:
Core legal duties
Integrity and confidentiality principle: Controllers must ensure that personal data is processed in a manner ensuring appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
Security of processing: Controllers and processors must implement appropriate technical and organisational measures, taking into account the state of the art, costs of implementation, the nature, scope, context and purposes of processing, and the risk to individuals. Measures may include (as appropriate): pseudonymisation and encryption of personal data; ensuring ongoing confidentiality, integrity, availability and resilience of systems and services; timely restoration of availability and access to personal data after an incident; and regular testing, assessment and evaluation of the effectiveness of security measures.
When determining the appropriateness of measures, organisations are required to consider: state of the art security practices and technologies; cost of implementation relative to risk; nature of data (e.g. special category data, children’s data), processing context and volume; and likelihood and severity of risks for data subjects.
Accountability: Controllers must be able to demonstrate compliance with the integrity and confidentiality principle and with the LPDP’s security of processing requirements.
12. Breach notification
The LPDP’s breach notification provisions are substantially aligned with the EU GDPR. The rules can be summarised as follows:
A personal data breach is defined as any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The controller must notify the APPD of a personal data breach within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notification must be “without undue delay” and, where feasible, within 72 hours of the controller becoming aware of it. If notification is made outside of the 72-hour period, the controller must provide reasons for the delay.
The notification should cover:
- the nature of the breach (including categories and approximate number of data subjects and personal data records concerned);
- the name and contact details of the DPO or other contact point;
- the likely consequences of the breach; and
- the measures taken or proposed to address the breach and mitigate adverse effects.
If all information is not available at the time of notification, it may be provided in phases without undue further delay.
The controller must also communicate the personal data breach to affected individuals without undue delay if it is likely to result in a high risk to their rights and freedoms. However, exceptions apply where:
- the controller has implemented technical and organisational measures that render the data unintelligible to unauthorised persons (e.g. encryption);
- the controller has taken subsequent measures to ensure the high risk is no longer likely to materialise; or
- it would involve disproportionate effort (in which case, a public communication or similar measure must be made).
Processors must inform the controller without undue delay after becoming aware of a personal data breach. Controllers must document all personal data breaches, whether or not notification is required.
13. Direct marketing
Direct marketing communications are regulated by both the LPDP and the LEC.
Under the LPDP, individuals have an absolute right to object to the processing of their personal data for direct marketing purposes at any time. Where the data subject objects to processing for direct marketing, the personal data must no longer be processed for such purposes.
Under the LEC, unsolicited electronic communications for direct marketing purposes (including by email, SMS and automated calling systems) require the prior consent of the recipient. Based on a prior consent of the customers/recipients, the individuals and entities can use customers’s electronic contact details in the context of a sale of sender’s product or service; the marketing relates to the sender’s own similar products or services; and the recipient was given a clear and simple means to refuse the use of their contact details for marketing purposes both at the time of collection and in each subsequent communication.
Direct marketing communications must identify the sender and include contact details. Where direct marketing involves the processing of personal data, the processing must comply with the LPDP, including the requirement for a valid lawful basis.
14. Cookies and adtech
Cookies and similar tracking technologies are regulated by the LEC.
The basic rule is that organisations must: provide clear and comprehensive information about the use of cookies and similar technologies; and obtain the user’s or subscriber’s consent before storing or accessing information on their terminal equipment, except where the cookie is: used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or strictly necessary for the provision of a service explicitly requested by the user.
Cookie consent must meet the standard of consent required under the LPDP, i.e. it must be freely given, specific, informed and unambiguous, and demonstrated by a clear affirmative action. These rules apply to online advertising and adtech that is cookies-based, whether or not personal data is used.
15. Risk scale
Moderate
16. Useful links
- Agency for the Protection of Personal Data (APPD): www.azlp.mk
- Law on Personal Data Protection (Official Gazette No. 42/2020 and its subsequent amendments): available via the APPD website.
- Agency for Electronic Communications (AEK): www.aek.mk
Cybersecurity
1. Local cybersecurity laws and scope
The key cybersecurity laws that apply in North Macedonia include the following:
Law on Network and Information Systems Security (Official Gazette No. 135/2025) (“LNISS”): The LNISS is the primary cybersecurity legislation in North Macedonia, establishing a framework for the security of network and information systems. It transposes the EU NIS 2 Directive (Directive (EU) 2022/2555) into Macedonian law.
Law on Electronic Communications (Official Gazette No. 135/2025, as amended) (“LEC”): The LEC contains provisions relating to the security of electronic communications networks and services, and imposes incident notification obligations on electronic communications providers.
Criminal Code (Official Gazette No. 37/1996, as amended): The Criminal Code of North Macedonia includes offences relating to computer crime, including unauthorised access to computer systems, interference with computer data and systems, and computer fraud.
Law on Personal Data Protection (“LPDP”): See the “Data Protection” section above for details of data protection laws, including the security and breach notification obligations that apply to controllers and processors.
2. Anticipated changes to local laws
North Macedonia may also adopt further secondary legislation to strengthen its national cybersecurity posture, including in relation to critical infrastructure protection and cybersecurity certification.
3. Application
Law on Network and Information Systems Security (LNISS) : The LIS applies to essential entities (“EEs”) and important entities (“IEs”) in North Macedonia.
EEs are companies and entities (public or private) within sectors designated as essential, that provide services dependent on network and information systems where an incident would have significant disruptive effects on that service. The designated sectors among other include: energy; transport; banking and financial markets infrastructure; health; production and distribution of food; production and distribution of chemicals; drinking water supply and distribution; waste management; DSp; and digital infrastructure.
IEs are all entities from the sectors with high risk which are not classified as EES and the entities which based on a risk assessment are classified ad IESMicro and small enterprises are generally excluded from the DSP obligations.
Law on Electronic Communications (LEC): The LEC imposes security obligations on providers of public electronic communications networks and services.
LPDP: The LPDP applies when personal data is being processed and imposes obligations in relation to security and personal data breach notification on controllers and processors.
4. Authority
A number of different authorities have competent jurisdiction depending on the relevant laws or regulations that apply:
Ministry of Digital Transformation (“MDT”): MDT is the lead government body responsible for information security policy and oversight of the LNISS framework.
Agency for Electronic Communications (“AEK”): The AEK is the regulator responsible for the electronic communications sector and oversees compliance with the security provisions of the LEC.
Agency for the Protection of Personal Data (“APPD”): The APPD is responsible for the administration and enforcement of the LPDP, including the security and breach notification provisions applicable to controllers and processors.
Sector-specific competent authorities may also be designated for specific essential services sectors (e.g. the Energy Regulatory Commission for the energy sector, the National Bank for the banking sector).
5. Key obligations
LNISS: ЕЕs and IEs must comply with obligations relating to:
Security measures: EEs and IEs must adopt appropriate and proportionate technical and organisational security measures to manage the risks posed to the security of the network and information systems on which their services rely. These measures must ensure a level of security appropriate to the risk, taking into account the state of the art.
Incident reporting: EEs and IEs must report incidents that have a significant impact on the continuity of the services they provide to the National Computer Incident Report Centar (MKD-CIRT) as a competent authority without undue delay. The notification must include information reasonably available to the operator to enable the competent authority to assess the impact of the incident.
LEC: Providers of public electronic communications networks and services must take appropriate technical and organisational measures to manage the risks to the security of their networks and services, and must notify the AEK of security breaches that have a significant impact on the operation of their networks or services.
LPDP: Controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk when processing personal data (see the “Data Protection” section above for full details).
6. Sanctions & non-compliance
LNISS: EEs and IEs that fail to comply with the security or incident reporting obligations under the LNISS may be subject to administrative fines in the amount of up to 2% of their annual income for the prior year. The LPDP fine levels (see “Data Protection” section above) also apply to security and breach notification failures involving personal data.
LEC: The AEK may impose fines (between 4% and 7% of their annual income for the prior year) and other enforcement measures on electronic communications providers that fail to comply with their security obligations under the LEC.
Criminal Code: Individuals who commit cybercrime offences under the Criminal Code (e.g. unauthorised access to computer systems, computer fraud, interference with computer data) may face criminal prosecution and monetary penalty or imprisonment.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. MKD-CIRT (the Macedonian Computer Incident Response Team) operates as the national CSIRT. MKD-CIRT is established under the Law on Network and Information Systems Security and is responsible for monitoring cyber incidents at the national level, providing early warning and alerts, responding to reported incidents, and coordinating with international CSIRTs and the EU CSIRTs Network.
MKD-CIRT’s core functions include: monitoring incidents at the national level; providing early warning, alerts and announcements about risks and incidents; responding to incidents; providing dynamic risk and incident analysis and situational awareness; participating in international CSIRT cooperation; and promoting the adoption of common practices for incident and risk handling.
8. National cybersecurity incident management structure
Yes. North Macedonia has established a national cybersecurity incident management structure under the Law on Network and Information Systems Security. The structure involves coordination between the MKD-CIRT, the competent authorities for EEs and IEs, and other relevant government bodies. The MKD-CIRT serves as the central coordination point for cybersecurity incidents at the national level.
9. Other cybersecurity initiatives
National Cybersecurity Strategy 2025-2028: North Macedonia has adopted a National Cybersecurity Strategy, which sets out the strategic priorities and objectives for improving the country’s cybersecurity posture. The strategy covers areas including critical infrastructure protection, capacity building, awareness raising, international cooperation, and the development of the legal and institutional framework.
Capacity building: North Macedonia has engaged in cybersecurity capacity-building initiatives, including training programmes, public awareness campaigns, and cooperation with international organisations (such as NATO and the EU) on cybersecurity resilience.
10. Useful links
- MKD-CIRT: www.mkd-cirt.mk
- Ministry of Digital Transformation (MISA): https://mdt.gov.mk/
- Agency for Electronic Communications (AEK): www.aek.mk
- Agency for the Protection of Personal Data (APPD): www.azlp.mk