The Law on Personal Data Protectionof the Republic of North Macedonia

What is the Law on Personal Data Protection of the Republic of North Macedonia?

The Law on Personal Data Protection of North Macedonia (LPDP, or ZZLP, according to the local abbreviation for Zakon za Zastita na Licnite Podatoci) is the Macedonian national legislation on data protection. In 2020, North Macedonia passed the Law on Personal Data Protection, which became enforceable in 2022.

North Macedonia is a candidate for EU membership and is currently aligning its national legislation with the EU's legislation. For this reason, the country's data protection law fully aligns with the EU's GDPR.

Is the Macedonian ZZLP applicable to my business?

The Law on Personal Data Protection adheres to GDPR's material and territorial principles, meaning it applies to your business if

• Operate as a data controller or processor from North Macedonia
• Process the personal data of Macedonian residents while operating from abroad

What is personal data under the Macedonian LPDP?

Personal data in ZZLP is defined as any information that could identify an individual, directly or indirectly.

This is fully in line with how the GDPR defines personal data. So, everything from personal names and unique government-issued ID numbers to browsing history and health issues is considered personal data under the ZZLP.

What are the duties of data controllers and data processors?

Data controllers and data processors are responsible for the following tasks:

• Process only the minimum data necessary for the purposes of data minimization
• Delete the data that is not needed anymore (data retention)
• Not process the data for purposes other than the purposes it has been initially collected for
• Not transfer personal data to third countries without prior approval by the personal data protection agency
• Ensure the security of personal data
• Not use cookies without the data subject's explicit consent
• Serve data subjects with a privacy notice
• Inform data subjects of data breaches when the freedoms of the data subject are at risk
• Comply with data subject requests
• Have written data processing agreements between controllers and processors
• Process the data only upon written instructions from the controller

Do we need consent to process personal data?

Yes, in most cases, you need to obtain explicit user consent to process personal data.

The opt-in principle underpins Macedonian law, which prohibits data processing without a legal basis, typically involving the user's consent.

The consent must be freely given, specific to the processing purpose, unambiguous, and informed. As a result, data controllers and processors must not process personal data without explicit consent.

This means informing users what you'll use their data for, letting them decline, and not forcing consent. If they consent to processing, you must use the data solely for that purpose.

Do we need a privacy policy?

You need to show users a privacy policy to comply with the Macedonian ZZLP. In fact, before collecting their data, you must show users a privacy notice that informs them about data processing. Privacy policy is the most common way of providing data subjects with information about data processing activities.

Every privacy policy should include at least the following:

• Details about the data controller
• The purposes of the processing of personal data
• The categories of personal data processed
• Details on international data transfers
• Third parties with whom data is shared
• Data retention period
• Details on the data protection officer
• Data subject rights and how to exercise them

What are the data subject rights under the ZZLP?

Every data subject in North Macedonia has the same rights as EU users when it comes to the protection of personal data. These include:

• Right to know
• Right to access
• Right to correction of data
• Right to the erasure of data
• Right to data portability
• Right to know about profiling and automated decision-making
• Right to withdraw consent
• Right to restriction of processing
• Right to objection to processing

How to respond to data subject requests

If a data subject submits a data subject request, you have 30 days to comply with it. For more complex requests, the deadline is 60 days.

Users can use whatever submission methods they want. Keep in mind that not responding to these requests appropriately is one of the most common reasons to have issues with the data protection authority anywhere in Europe.

What are the international data transfer requirements?

The only real difference between the two laws, despite the law's full alignment with the GDPR, is international data transfers. In short, the rules for transfers are as follows:

• Data transfers within the country are free
• Prior to the transfer, the supervisory authority must receive a report on data transfers to European Union countries
• Data transfers to third countries, including the United States, require approval by the supervisory authorities

What are the data breach requirements?

You must report data breaches to the agency within 72 hours. You must also inform data subjects if the breach impacts their rights and freedoms.

You must provide the information in a separate piece of communication. You cannot bundle the breach notification with the marketing emails, for example. It has to be separate.

Do we need to conduct DPIA?

Some processing activities necessitate conducting a Data Protection Impact Assessment before processing data. It is obligatory for:

• When there is a systematic and comprehensive evaluation of personal aspects related to individuals based on automated processing, including profiling, it can lead to decisions that have significant legal effects on the individual.
• When there is extensive processing of special categories of personal data or personal data associated with criminal convictions and offenses, as outlined in Article 14 of the law,
• When there is systematic monitoring of publicly accessible areas on a large scale

Who enforces the ZZLP, and what are the penalties?

The Agency for Personal Data Protection enforces the ZZLP. It investigates data protection violations and imposes penalties.

The penalties can go as high as 2% or 4% of the annual turnover of the violator, depending on the severity of the violation. On certain occasions, companies can also impose fines of a few hundred euros on responsible individuals.