The Law on Personal Data Protection of the Republic of North Macedonia | Secure Privacy Blog | Secure Privacy Blog

What is the Law on Personal Data Protection of the Republic of North Macedonia?

The Law on Personal Data Protection of North Macedonia (LPDP, or ZZLP, according to the local abbreviation for Zakon za Zastita na Licnite Podatoci) is the Macedonian national legislation on data protection. In 2020, North Macedonia passed the Law on Personal Data Protection, which became enforceable in 2022.

North Macedonia is a candidate for EU membership and is currently aligning its national legislation with the EU's legislation. For this reason, the country's data protection law fully aligns with the EU's GDPR.

Is the Macedonian ZZLP applicable to my business?

The Law on Personal Data Protection adheres to GDPR's material and territorial principles, meaning it applies to your business if

Operate as a data controller or processor from North Macedonia

Process the personal data of Macedonian residents while operating from abroad

What is personal data under the Macedonian LPDP?

Personal data in ZZLP is defined as any information that could identify an individual, directly or indirectly.

This is fully in line with how the GDPR defines personal data. So, everything from personal names and unique government-issued ID numbers to browsing history and health issues is considered personal data under the ZZLP.

What are the duties of data controllers and data processors?

Data controllers and data processors are responsible for the following tasks:

Process only the minimum data necessary for the purposes of data minimization

Delete the data that is not needed anymore (data retention)

Not process the data for purposes other than the purposes it has been initially collected for

Not transfer personal data to third countries without prior approval by the personal data protection agency

Ensure the security of personal data

Not use cookies without the data subject's explicit consent

Serve data subjects with a privacy notice

Inform data subjects of data breaches when the freedoms of the data subject are at risk

Comply with data subject requests

Have written data processing agreements between controllers and processors

Process the data only upon written instructions from the controller

Yes, in most cases, you need to obtain explicit user consent to process personal data.

The opt-in principle underpins Macedonian law, which prohibits data processing without a legal basis, typically involving the user's consent.

The consent must be freely given, specific to the processing purpose, unambiguous, and informed. As a result, data controllers and processors must not process personal data without explicit consent.

This means informing users what you'll use their data for, letting them decline, and not forcing consent. If they consent to processing, you must use the data solely for that purpose.

Do we need a privacy policy?

You need to show users a privacy policy to comply with the Macedonian ZZLP. In fact, before collecting their data, you must show users a privacy notice that informs them about data processing. Privacy policy is the most common way of providing data subjects with information about data processing activities.

Every privacy policy should include at least the following:

Details about the data controller

The purposes of the processing of personal data

The categories of personal data processed

Details on international data transfers

Third parties with whom data is shared

Data retention period

Details on the data protection officer

Data subject rights and how to exercise them

What are the data subject rights under the ZZLP?

Every data subject in North Macedonia has the same rights as EU users when it comes to the protection of personal data. These include:

Right to know

Right to access

Right to correction of data

Right to the erasure of data

Right to data portability

Right to know about profiling and automated decision-making

Right to withdraw consent

Right to restriction of processing

Right to objection to processing

How to respond to data subject requests

If a data subject submits a data subject request, you have 30 days to comply with it. For more complex requests, the deadline is 60 days.

Users can use whatever submission methods they want. Keep in mind that not responding to these requests appropriately is one of the most common reasons to have issues with the data protection authority anywhere in Europe.

What are the international data transfer requirements?

The only real difference between the two laws, despite the law's full alignment with the GDPR, is international data transfers. In short, the rules for transfers are as follows:

Data transfers within the country are free

Prior to the transfer, the supervisory authority must receive a report on data transfers to European Union countries

Data transfers to third countries, including the United States, require approval by the supervisory authorities

What are the data breach requirements?

You must report data breaches to the agency within 72 hours. You must also inform data subjects if the breach impacts their rights and freedoms.

You must provide the information in a separate piece of communication. You cannot bundle the breach notification with the marketing emails, for example. It has to be separate.

Do we need to conduct DPIA?

Some processing activities necessitate conducting a Data Protection Impact Assessment before processing data. It is obligatory for:

When there is a systematic and comprehensive evaluation of personal aspects related to individuals based on automated processing, including profiling, it can lead to decisions that have significant legal effects on the individual.

When there is extensive processing of special categories of personal data or personal data associated with criminal convictions and offenses, as outlined in Article 14 of the law,

When there is systematic monitoring of publicly accessible areas on a large scale

Who enforces the ZZLP, and what are the penalties?

The Agency for Personal Data Protection enforces the ZZLP. It investigates data protection violations and imposes penalties.

The penalties can go as high as 2% or 4% of the annual turnover of the violator, depending on the severity of the violation. On certain occasions, companies can also impose fines of a few hundred euros on responsible individuals.

The Law on Personal Data Protection of the Republic of North Macedonia

Continue Reading

CCPA vs. GDPR: What Businesses Need to Know

How GDPR Consent Management Tools Empower Commercial Real Estate Companies

Complete Certification Course on GDPR for HR Professionals: Learn How to Protect Staff Information

What is the Law on Personal Data Protection of the Republic of North Macedonia?

Is the Macedonian ZZLP applicable to my business?

What is personal data under the Macedonian LPDP?

What are the duties of data controllers and data processors?

Do we need a privacy policy?

What are the data subject rights under the ZZLP?

How to respond to data subject requests

What are the international data transfer requirements?

What are the data breach requirements?

Do we need to conduct DPIA?

Who enforces the ZZLP, and what are the penalties?

Continue Reading

CCPA vs. GDPR: What Businesses Need to Know

How GDPR Consent Management Tools Empower Commercial Real Estate Companies

Complete Certification Course on GDPR for HR Professionals: Learn How to Protect Staff Information

What is the Law on Personal Data Protection of the Republic of North Macedonia?

Is the Macedonian ZZLP applicable to my business?

What is personal data under the Macedonian LPDP?

What are the duties of data controllers and data processors?

Do we need consent to process personal data?

Do we need a privacy policy?

What are the data subject rights under the ZZLP?

How to respond to data subject requests

What are the international data transfer requirements?

What are the data breach requirements?

Do we need to conduct DPIA?

Who enforces the ZZLP, and what are the penalties?