DLA Piper Intelligence

Data Protection
Laws of the World

Law

Macedonia

In Macedonia, the Law on Personal Data Protection ('Official Gazette of the Republic of Macedonia', nos. 7/2005, 103/2008, 124/2008, 124/2010, 135/2011 and 43/2014) ('DP Law') governs personal data protection issues. The DP Law is entirely harmonized with EC Directive 95/46/EC ('Data Protection Directive'). It entered into force on 8 February 2005 and its current version (following its amendments) is in force as of 11 March 2014.

Last modified 24 Jan 2017
Definitions

Definition of personal data

The DP Law defines personal data as any information relating to an identified or identifiable natural entity, where an identifiable entity is an entity whose identity can be especially determined, directly or indirectly, on the basis of his/her personal identification number or on one or a combination of features that are specific for his/her physical, mental, economic, cultural or social identity.

Definition of sensitive personal data

Under the DP Law, sensitive personal data is personal data related to:

  • the racial or ethnic origin
  • the political views, religious or other beliefs
  • membership in a trade union, and
  • data relating to the health condition of natural entities, including genetic data, biometric data or data referring to the sexual life.
Authority

The Macedonian data protection authority is the Directorate for Personal Data Protection ('DPA'). It was established in 2005 as an independent state agency with competence to oversee the implementation of the DP Law. The DPA’s registered seat is in 

Bulevar Goce Delcev 8
Skopje
www.dzlp.mk
Registration

Any natural or legal entity which intends to collect, process and/or maintain a database containing personal data ('Database') in Macedonia is required to notify the DPA prior to the commencement of any such activity. Exceptionally, entities which:

  • employ fewer than 10 employees
  • intend to process publicly available personal data, or
  • intend to process personal data of members of non-profit organisations that are established for political, philosophical, religious or trade-union purposes

are excluded from the notification requirements.

The notification requirements mean that entities are required to register both themselves as data controllers and the respective Databases with the so-called Central Register of Databases, an electronic register of data controllers and Databases maintained and managed by the DPA. The registration process is carried out on-line by using the DPA’s web application at www.dzlp.mk. A data controller is required to provide all relevant information on the particular data processing activities and on its role regarding them, such as: corporate details, purpose of the processing, time period for the retention of processed data, types of the respective data, legal ground for the Database’s establishment, transfer of personal data to other countries, security measures for protection of the respective data’s integrity, etc.

Following the successful registration, the DPA issues a letter to a data controller by which it confirms that the data controller has fulfilled the notification requirements under the DP Law. Any subsequent changes of the details in the registered Databases have to be reported to the DPA within thirty (30) days from the date when such changes took place.

Data Protection Officers

The DP Law requires data controllers (only those that are subject to the notification requirements set out in the section 'Registration' above) to appoint a data protection officer. The data protection officer has an overall responsibility to ensure compliance of the data controller with the DP Law and subordinate regulations, in particular the following:

  • to participate in the adoption of all decisions relating to the processing of personal data, as well as the exercise of the rights of the data subjects over their personal data

  • to draw up the corporate by-laws for personal data protection, including documents relating to the technical and organizational measures for ensuring confidentiality and protection of personal data

  • to monitor the compliance of the data controller with the DP Law and other related regulations, especially in relation to the corporate by-laws for protection of the personal data

  • to coordinate the internal procedures and guidelines for the personal data protection, and

  • to prepare and deliver training to the data controller’s employees regarding personal data protection.
Collection & Processing

The DP Law sets out the main principles for the collection and processing of personal data, which require data controllers to collect and process personal data:

  • fairly and lawfully
  • for legitimate purposes
  • proportionally to the needs for the collection and processing
  • accurately and completely, and
  • to ensure that the data is stored in a way which enables the identification of the data subjects.

Data controllers are required to obtain a data subject’s explicit consent for the collection and processing of his/her personal data (including his/her personal identification number and sensitive personal data). This has to be so-called informed consent which means that data controllers have to provide data subjects with all the relevant details about the particular collection and processing of their personal data (such as the processing's purpose, the data subjects' rights with respect to the same, retention policy, further transfers, etc). Exceptionally, the DP Law allows data controllers to collect and process personal data without a data subject’s consent (eg for the protection of the life or vital interests of the data subjects, protection of the public interest or the exercise of the data controllers' legitimate rights (unless this would jeopardize the fundamental rights and freedoms of the data subjects)).

Transfer

Transfer of personal data out of Macedonia is allowed only if the third country in question provides an adequate level of personal data protection. The authority to assess whether a third country provides an adequate level of protection and to approve transfers of personal data out of Macedonia is vested with the DPA. However, an assessment and a subsequent approval from the DPA is not required for a transfer of personal data to the countries which are either:

  • members of the European Union ('EU') or the European Economic Area ('EEA'), or

  • 'white-listed' [1] (were assessed to provide an adequate level of personal data protection) by the European Commission.

The legal assumption that the EU/EEA and 'white-listed' countries provide an adequate level of the personal data protection is enshrined in the DP Law. Moreover, the DP Law completely relies on the European Commission’s assessment of the adequacy of a level of protection in non-EU/EEA countries. Therefore, if any third country is assessed by the EC as a country that does not provide an adequate level of legal protection, the transfer of personal data from Macedonia to such country would not be allowed.

In the above context, a transfer of personal data to a country which is not a member of the EU/EEA or a 'white-listed' country is subject to an assessment and approval by the DPA. There is very little practice regarding the DPA's approach to this assessment and approval. Nevertheless, the DP Law envisages that the DPA assesses the adequacy of personal data protection in a third country by taking into account, in particular:

  • the nature of the data
  • the purpose and duration of the proposed processing
  • governing law in the country where the data is to be transferred, and
  • protective measures existing in the respective country.
1: Andorra, Argentina, Australia, Canada (commercial organisations), Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay and the US (only companies that are compliant with the Department of Commerce's Safe Harbour Privacy Principles).
Security

The DP Law does not require data controllers and processors to implement security measures for the protection of personal data by using a particular technology. However, it does require data controllers and processors to undertake appropriate technical and organizational measures to protect personal data from accidental or illegal damage, accidental loss, change, unauthorized disclosure or access, especially when the processing includes a transmission of the data over a network, and from any kind of illegal processing.

The implemented technical and organisational measures should be proportional to the risk of a breach of data integrity during the processing and to the nature of the data being processed. In this context, the DP Law provides guidance for establishing three levels of personal data protection by using a combination of technical and organizational measures:

  1. basic
  2. medium 
  3. high

Both data controllers and processors are required to adopt internal regulations (ie corporate by-laws) containing a description of the technical and organizational measures for the protection of personal data.

Breach Notification

The DP Law does not require data controllers and processors to report data security breaches to the DPA. Accordingly, the DPA is able to trace data security breaches only if a data subject reports a breach of his/her rights or by performing random inspections of data controllers and processors.

Enforcement

The DPA has an exclusive duty to oversee the implementation and to enforce the DP Law. It has the authority to monitor data controllers and processors’ compliance with the DP Law by carrying out random inspections or upon receiving a complaint from a data subject.

If the DPA finds that a data controller and/or processor is in breach of the DP Law, depending on the seriousness of the offence, it may order the remedy of the irregularities within a certain period of time or impose a fine. The fines range from EUR 1,000 to EUR 2,000 (per irregularity) for a legal entity and from EUR 350 to EUR 650 for the responsible person at the legal entity. The DPA is also authorized to request that the data controller and/or processor which breached the DP Law attend a mandatory training on data protection issues organized by the DPA itself. The only available legal remedy against the DPA’s decisions imposing fines on data controllers and/or processors is to initiate an administrative dispute proceeding before the Administrative Court.

Moreover, the Macedonian Criminal Code foresees criminal liability for the misuse of personal data. This criminal offence is punishable with a monetary fine (as determined by the court) or imprisonment for up to one (1) year.

Electronic Marketing

The DP Law allows the processing of personal data for the purposes of electronic marketing only if the data subject has explicitly consented to the respective processing provided that the data subject is entitled to withdraw his/her consent at any time free of charge.

Online Privacy

There are no specific regulations governing on-line privacy (including cookies). Accordingly, the general data protection rules prescribed by the DP Law apply, to the extent possible, to on-line privacy as well.

Contacts
Leonid Ristev
Senior Associate
T office +389 2 3223 870, direct +389 2 3223 707