NORTH MACEDONIA IMPLEMENTS THE GDPR
On 24 February 2020, the new Law on Personal Data Protection ("LPDP") entered into force in North Macedonia. This new piece of legislation represents an important step for North Macedonia in modernizing its data privacy framework and aligning it with European law. The entry into force of the LPDP triggers a transitional period of 18 months for all affected parties to bring their operations into compliance with the new provisions.
The new LPDP applies to all data controllers and processors established in North Macedonia, regardless of whether the data processing is carried out within the country or outside its borders. Foreign controllers and processors could also be subject to the LPDP if their data processing activities are related to the offering of goods and services to North Macedonian data subjects or to the monitoring of their behavior in the country. Hence, in practice, all businesses targeting their services at the North Macedonian market or that have a corporate presence within the country will be required to abide by the new rules.
The state body responsible for monitoring and control of the LPDP is the North Macedonian Data Protection Agency ("Agency"), formerly known as the Directorate for Personal Data Protection.
"ALMOST" COMPLIANT WITH THE GDPR
The LPDP is to a large extent harmonized with the GDPR. However, in certain aspects North Macedonia has adopted a more stringent approach than the EU regulation and has introduced increased requirements for lawful data processing. These include:
Additional Consent Requirements
- Under the LPDP, the processing of an individual's personal identification number ("PIN") can only be based on his/her explicit consent, unless the processing of this personal data category is explicitly required by law. If the processing of PINs will be systematic and at a large scale, the data controller must also request the prior approval of the Agency.
- The LPDP further stipulates that processing for direct marketing purposes requires the data subject's consent in all cases.
Approval by the Agency
- The LPDP sets an obligation for data controllers to request the approval of the Agency for processing carried out for the purpose of serving public interest, including processing in relation to social protection and public health. This requirement is valid regardless of any prior consultations conducted with regulatory authorities.
- The prior approval of the Agency is also required for the processing of health, genetic and biometric data, even when it is based on consent, unless otherwise provided by law.
- Another data processing activity where the Agency's approval is required is the transfer of personal data outside of North Macedonia to non-EU/EEA countries. The approval by the Agency should be obtained in addition to the application of one of the respective legal grounds for transfers as per the GDPR.
Requirements to notify the Agency
- Transfers of personal data to countries within the EU/EEA are subject to prior notification of the Agency. The scope and form of such notification are still unclear.
- Data controllers are further obliged to notify the Agency if the processing of personal data is likely to pose a high risk to the rights and freedoms of individuals (taking into account the nature, scope, context and purposes of the processing). The Agency would maintain a record of all such risk processing activities in the country.
Special Requirements for Data Protection Officers ("DPO")
- Only individuals who meet the locally set criteria can act as DPOs, in particular: the DPO shall be fluent in the North Macedonian language, shall have a completed higher educational degree and may not be impeded by a sentence, court order or administrative sanction from practicing a specific profession.
Increased burden for SMEs
- Under the GDPR, controllers/processors employing fewer than 250 employees are not obliged to keep records of the performed processing activities (with certain exceptions). While the same exemption is also provided under the LPDP, the scope of its applicability is significantly narrowed – only companies with fewer than 50 employees can benefit from this provision. Thus, a significant number of SMEs would be obliged to maintain records of processing activities, which could prove to be a considerable burden on their business.
EXTENDED POWERS OF THE AGENCY
With the adoption of the LPDP, the Agency is granted the full scope of powers of a national supervisory authority as under the GDPR. The Agency further enjoys certain additional competences provided by local legislation – most notably, to make requests, suggestions, recommendations, etc. to other state authorities in North Macedonia, which in turn are obliged to notify the Agency of their implementation within 30 days. In the event of a partial or complete lack of implementation by the respective authority, as well as in the case of non-compliance with the notification requirement, the Agency is empowered to raise the issue before the competent higher authority and even take the matter before the National Assembly or the Ministry of Councils of North Macedonia.
The fines which the Agency is able to impose are aligned with the GDPR, reaching a maximum amount of 4% of the worldwide annual turnover of a business. In addition, the LPDP envisages special fines for breaches of the rules for video surveillance, at an amount of EUR 1,000 – EUR 10,000.
The new legislation will have a significant impact on the data protection landscape in North Macedonia. In order to achieve a satisfactory level of compliance by the time of the expiry of the 18-month transitional period, companies based in North Macedonia must go through the same process as EU/EEA-based companies went through in order to comply with the GDPR. The affected data controllers and processors should take immediate measures and conduct the necessary gap analysis and internal audits to ensure the timely execution of the full GDPR implementation pack.