A new Law on Data Protection ("New Law") has been passed in North Macedonia and has applied since 24 February this year. The New Law harmonizes the Macedonian data protection regulations with the European Regulation (EU) 2016/679, and it broadens the scope of protection of natural persons (subjects of data) by stipulating new obligations as well as technical and organizational measures/procedures.
The main changes introduced by the New Law are as follows:
a) The territorial range of application of the data protection legislation is broader, i.e. the New Law also applies to entities which are incorporated outside the territory of North Macedonia, if such entities:
- offer goods and services to subjects in North Macedonia, regardless of whether compensation is required; or
- observe the behavior of subjects of personal data which takes place in North Macedonia.
b) Pseudonymization is a new form of safety measure, which prevents the data from being connected to the subject without the use of additional information that is kept separately;
c) Profiling is a new form of data processing, which consists of using personal data to assess certain personal aspects, in particular analyzing and predicting certain professional duties, financial state, health, personal preferences, interests, behavior, location, etc.;
d) Every subject has the right to submit an objection to the controller of personal data at any time against the use of personal data and to be informed about the outcome by the next meeting/contact with the controller;
e) The mandatory information that should be provided to the subject of data, or to the person that submits the data on behalf of the subject of data, is more detailed, i.e. additional information should also be provided: the transfer of data, if planned; the right to submit a request for protection of a certain right to the Data Protection Agency; the time period of the processing of personal data; the right to withdraw consent to data processing, etc.;
f) The controller of personal data and the authorized representative are obliged to keep records of the operations related to processing of personal data. The records should list the purposes of data processing, the categories of subjects, potential transfer of data, etc.;
g) The controller is obliged to report to the Data Protection Agency within 72 hours of any breach of the security of the personal data;
h) The controller is obliged to estimate the influence of the processing of data and the level of data protection in case there is a risk of violation of personal rights and freedoms as a result of using new technologies;
i) The controller is obliged to consult the Data Protection Agency if the estimation stated in point h shows a high risk related to the protection of personal rights;
j) Micro, small and medium-sized enterprises, as well as associations and other bodies representing categories of controllers or processors are encouraged to prepare codes of conduct or amend or extend such codes for the purpose of specifying the application of the New Law; and
k) The transfer of personal data outside of the EU is allowed even if the Data Protection Agency does not issue a decision on approval. Such transfer is allowed only if certain protection measures stipulated by the New Law are used, and only if court protection is available for the subjects of data. The protection measures include applying approved and mandatory corporate rules or approved clauses, having an approved code of conduct (described in point j), etc.