As technologies develop with an enormous speed in today’s business environment, our office implements a tailor made approach concerning data protection. You can contact our attorneys to get started with your data protection compliance.

On 24 February 2020, the new Law for protection of personal data has entered into force in North Macedonia.

The Law is fully harmonized with GDPR (Regulation 2016/679) of the European Union. Furthermore, the Law is also harmonized with the data protection Convention of Council of Europe (Convention 108+) which regulates matters concerning automated processing of personal data.

Territorial applicability

The provisions of the Law apply on processing of personal data if the Data Controller or Processor are founded on the territory of North Macedonia, irrespective if the processing of personal data is made within North Macedonia or abroad.

Furthermore, the provisions also apply on a foreign Data Controller or Processor if their activities for processing of personal data consist of:

• offering of goods or services, irrespective of who is required to make payment; or
• observing of the behavior of data protection subjects, if the said observation is done in North Macedonia.

What has changed?

The Law has brought many changes referring to the data protection and is fully harmonized with GDPR. The principle of consent is strengthened as opposed to the previous data protection Law, and paramount importance is given to the rights of the data protection subjects.

There are also new principles regulated in the Law such as the principles of accountability and responsibility, additional obligations are imposed on the Controllers and/or Processors of personal data for implementation of the institutes of privacy when designing the information systems and assessment of the impact of the intended processes for personal data processing.

Furthermore, the institute of Data Protection Officer (DPO) has been implemented as well. This means that each personal data Controller and Processor must have an appointed DPO which will report to the high management of a company, while working independently and without any instructions by the high management.

A group of legal entities can appoint a joint DPO under the condition that the said DPO is easily available for each legal entity. within the group.

New authority

The existing Directorate for personal data protection will be transformed into an Agency for data protection. The Agency will closely monitor the compliance with the Law, support the implementation of the law, conduct training etc.

The Data Controller and Processors and their respective representatives are obliged to cooperate with the Agency within the carrying out of the Agency’s duties.

Challenges for the companies

Every company must be compliant with the Law at the latest by 24.08.2021.

This period should be used in order to draft any legal texts, rulebooks, procedures, appointment of DPO and any other requirements.

In addition, there are categories of personal data that are prohibited for processing. Any video surveillance will also have to be regulated.

The period that follows will be of great importance for the companies, since non-compliance with the Law imposes significant amount of fines in the range of 2%-4% of the annual turnover.