Impact of the GDPR in North Macedonia

1. Applicable legislation governing data protection in North Macedonia

As a general remark, the General Data Protection Regulation (“GDPR”) is not a part of the legal framework of North Macedonia and is not directly applicable in North Macedonia.

The relevant Law on Data Protection (“LDP”) was adopted and entered into force in February 2020. Some of the relevant bylaws that were adopted in line with the LDP are:

  • rulebook on the form and content of the forms for recording the transfer of personal data to other countries and record keeping;
  • rulebook on the form and content of the bylaw for the manner of performing video surveillance;
  • rulebook on the transfer of personal data;
  • rulebook on the security of personal data processing;
  • rulebook on technical and organizational measures for providing secrecy and protection of personal data processing;
  • rulebook for performing inspection supervision, etc.

2. Comparison of the national data protection legislation with the GDPR

2.1 Categories of data

Both the GDPR and LDP recognize personal data and special categories of personal data. The LDP specifies special categories of personal data in a similar way to the GDPR.

According to the LDP (Article 4, 13.), a special category of personal data is the data that reveals information about:

  1. racial or ethnic origin;
  2. political opinions, religious or philosophical beliefs;
  3. trade union membership;
  4. genetic data;
  5. biometric data;
  6. data concerning health; or
  7. data concerning sex life or sexual orientation.

2.2 Data Controller and Processor Obligations

According to the LDP, the Data Controller’s (“Controller”) and Processor’s (“Processor”) obligations are fairly similar to the GDPR obligations.

According to the LDP (Articles 28-47), Controllers and the Processors are obliged to:

  1. obtain consent from the personal data Subject (“Subject”) before processing their data;
  2. comply with the procedure for processing qualified personal data;
  3. implement safety measures;
  4. comply with the legal procedure for data transfers;
  5. establish a procedure for notification in case of a security breach;
  6. keep records of the data processing operations, etc.

Additionally, like the GDPR, Controllers are obliged to implement appropriate technical and organisational measures for:

  1. protecting personal data (data protection by design and by default); and
  2. ensuring that only necessary data is being processed.

2.3 Data subjects’ rights

According to the LDP (Articles 16-27), the data rights of the Subjects are regulated slightly differently than the GDPR, as follows:

  1. transparency and right of access to personal data;
  2. right to rectification/modification and right to be forgotten;
  3. right to data portability;
  4. right to object;
  5. right to restriction of processing; and
  6. right to the erasure of personal data.

2.4 Protection granted

According to the LDP (Articles 57-80), and in line with the GDPR, a separate supervisory authority is stipulated – the Data Protection Agency (“Agency”, previously the Directorate for Personal Data Protection).

The following protection is granted by the LDP:

  1. the Subject has the right to complain to the Controller about the usage of their personal data. The Subject then has the right to be informed about the outcome by the next meeting/contact with the Controller;
  2. the Controller is obliged to report to the Agency within 72 hours of any security breach of the personal data; and
  3. the Controller is obliged to estimate the influence of the data processing and the level of data protection in case of a risk of personal rights and freedoms violation as a result of using new technologies, and the Controller is obliged to consult the Agency if this risk is high.

2.5 Data protection officer/Representative

Like the GDPR, the LDP (Articles 41-43) stipulates an obligation for appointing a Data Protection Officer if:

  1. the core activities of the Controller or the Processor include processing operations, i.e. regular and systematic monitoring of Subjects; or
  2. the core activities of the Controller or the Processor include processing special categories of personal data.

2.6 Remedies

According to the LDP (Article 25), any Subject has the right to object to the Controller about the processing of their personal data. Please see the Protection Granted section above.

Additionally, any Subject can file a complaint to the Agency. Finally, a lawsuit against a legally binding decision of the Agency may also be filed to the competent Administrative Court (Articles 83 and 84 of the LDP).

2.7 Fines

The LDP generally stipulates three categories of fines (Articles 110-112):

  1. first category (less serious breaches): e.g., not complying with technical protection requirements, not appointing a Data Protection Officer – penalty in the amount of 2% of the annual income;
  2. second category (more serious breaches): e.g., failing to seek the Subject’s consent, failing to provide necessary information to the Subject – a penalty in the amount of 4% of the annual income; and
  3. surveillance-related misdemeanors – a penalty in the amount of EUR 1,000 to EUR 10,000 for the legal entity and penalties for the responsible person.

2.8 Other major differences

N/A

3. The GDPR impact

3.1 On existing legislation and prospective rules

The relevant LDP provisions were adopted to harmonise with EU law, and an obligation to align the other provisions with the LDP was stipulated, as stated below.

Additionally, as described in Chapter 1 above, some relevant bylaws were adopted by the Agency.

3.2 In practice

With the LDP’s entry into force, the Directorate for Personal Data Protection continued its operations as the Personal Data Protection Agency.

Additionally, within the (adaptation) period of 18 months (up to August 2021) the following obligations were stipulated:

  1. the Controllers and the Processors should align their operations with the provisions of the LDP;
  2. the laws, the bylaws, and other acts which regulate the collection, processing, storage, use, and submission of personal data should align with the provisions of the LDP; and
  3. the Agency should adopt the relevant bylaws per the LDP (see Chapter 1 above). 

4. Conclusions/expectations/commentary

The LDP from February 2020 implemented a significant proportion of the GDPR provisions in North Macedonia’s legal system. The relevant data protection legislation thus presents a mixture of GDPR and other (local) provisions.

There is no publicly available information about amendments to the relevant data protection legislation at the moment.

Zlatko Kujundjiski
Marija Filipovska Jelčić
Partner
Skopje