The Law on Personal Data Protection, Privacy Regulation, North Macedonia

North Macedonia’s Law on Personal Data Protection is a data protection law that was recently passed in February of 2020. The Law on Personal Data Protection was passed to bring North Macedonia’s data protection legislation into alignment with the European Union’s General Data Protection Regulation or GDPR, similar to the laws of other European nations that are not a part of the EU, such as Montenegro’s Personal Data Protection Law and the Belarusian PDP law. To this end, the Law on Personal Data Protection sets forth the legal requirements and responsibilities that data controllers and processors within North Macedonia must abide by when engaging in data processing activities.

How are data controllers and processors defined under the Law on Personal Data Protection?

Under the Law on Personal Data Protection, data controllers are defined as “Any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Conversely, data processors are defined as “any natural person, legal entity, or authorized state administrative body, which process the personal data on behalf of the controller”. In terms of the scope of the law, the Law on Personal Data Protection applies to “identified or identifiable natural persons”. Moreover, the territorial scope of the law applies to both individuals within North Macedonia, as well as “foreign organizations if they offer goods or services to or monitor the behavior of individuals in North Macedonia”.

What are the requirements of data controllers and processors under the Law on Personal Data Protection?

Under the Law on Personal Data Protection, data controllers and processors within North Macedonia are required to collect and process personal data in accordance with the following principles:

  • Lawfulness, fairness, and transparency– Data controllers and processors are responsible for collecting and processing personal data in a manner that is lawful, fair, and transparent. This lawfulness is based upon obtaining consent from data subjects.
  • Purpose limitation– All personal data that is collected and processed must be used for explicit, specific, and legitimate purposes, and the use of personal data for any purpose outside of these parameters is prohibited.
  • Data minimization– The processing of personal data must be done in a manner that is relevant, adequate, and limited to the purposes for which said data was collected for processing.
  • Accuracy– All personal data that is collected and processed must be accurate and kept up to date where necessary. Data controllers and processors are also responsible for taking steps to ensure that any personal data that is found to be inaccurate is either rectified or erased, without delay.
  • Storage limitation– All personal data that is collected and processed must be kept in a form that allows for the identification of applicable data subjects,
  • Integrity and confidentiality– Personal data must be processed in a manner that both promotes and ensures the security of said data. This includes protecting against unlawful or unauthorized processing, accidental loss or damage, as well as destruction.
  • Accountability– Data controllers and processors are responsible for holding themselves accountable, through the means of complying with the data principles stated above.

What are the rights of data subjects under the Law on Personal Data Protection?

Under the Law on Personal Data Protection, data subjects have the following data protection and privacy rights:

  • The right to be informed– Data subjects have the right to be informed concerning the collection and use of their personal data.
  • The right to access– Data subjects have the right to access any personal data concerning them that may be stored by a data controller or processor.
  • The right to rectification– Data subjects have the right to rectify their personal data if said data is found to be incomplete or inaccurate.
  • The right to erasure– Data subjects have the right to erase their personal data if said data is found to be incomplete or inaccurate.
  • The right to object or opt-out– Data subjects have the right to object or opt-out of the collection or processing of their personal data, at any time during.
  • The right to data portability– Data subjects have the right to receive a copy of the personal data that they have provided to a data controller or processor “in a structured, commonly used and machine-readable format”.
  • The right not to be subject to automated decision making– Data subjects have the right to object to any decisions made regarding them as it relates to automated data processing.
  • The right of restriction and repression– Data subjects have the right to restrict and repress the processing of their personal data under certain circumstances, such as when a data subject is contesting the accuracy of their personal data.

In terms of the punishments that can be imposed against data controllers and processors who fail to comply with the law, the Law on Personal Data Protection is enforced by the Personal Data Protection Agency or DPA for short. To this extent, the DPA has the authority to levy monetary fines ranging from €1,000 to €10,000 ($1,155-$11,558), as well as “administrative fines ranging from 2% to 4% of their worldwide turnover in the preceding year for each incident of non-compliance with the core principles of the processing of personal data under the Law”.

As data privacy legislation grows more paramount due to the rise of internet communication, countries around the world are increasingly taking legislative measures to ensure that the personal data and privacy of their citizens are protected at all times. As such, North Macedonia passed the Law on Personal Data Protection in 2020 to put the country on par with other European nations as it relates to personal data and privacy, despite the fact that North Macedonia does not fall under the jurisdiction of the EU’s General Data Protection Regulation or GDPR.