On the 24 February 2020, the new Law on Personal Data Protection ("LPDP") entered into force in North Macedonia. This new piece of legislation represents an important step for North Macedonia in modernizing its data privacy framework and aligning it with European law. The entry into force of the LPDP triggers a transitional period of 18 months for all affected parties to bring their operations into compliance with the new provisions.
AFFECTED PARTIES
The new LDPD applies to all data controllers and processors established in North Macedonia, regardless of whether the data processing is carried out within the country or outside its borders. Foreign controllers and processors could also be subject to the LPDP, if their data processing activities are related to the offering of goods and services to North Macedonian data subjects or to the monitoring of their behavior in the country. Hence, in practice, all businesses targeting their services at the North Macedonian market or that have a corporate presence within the country will be required to abide by the new rules.
The state body responsible for monitoring and control of the LPDP is the North Macedonian Data Protection Agency ("Agency"), formerly known as the Directorate for Personal Data Protection.
"ALMOST" COMPLIANT WITH THE GDPR
The LPDP is to a large extent harmonized with the GDPR. However, in certain aspects North Macedonia has adopted a more stringent approach than the EU regulation and has introduced increased requirements for lawful data processing. These include:
Additional Consent Requirements
Approval by the Agency
Requirements to notify the Agency
Special Requirements for Data Protection Officers ("DPO")
Increased burden for SMEs
EXTENDED POWERS OF THE AGENCY
With the adoption of the LPDP, the Agency is granted the full scope of powers of a national supervisory authority as under the GDPR. The Agency further enjoys certain additional competences provided by local legislation – most notably, to make requests, suggestions, recommendations, etc. to other state authorities in North Macedonia, which in turn are obliged to notify the Agency on their implementation within 30 days. In the event of partial or a complete lack of implementation by the respective authority, as well as in the case of non-compliance with the notification requirement, the Agency is empowered to raise the issue before the competent higher authority and even take the matter before the National Assembly or the Ministry of Councils of North Macedonia.
FINES
The fines which the Agency is able to impose are aligned with the GDPR, reaching a maximum amount of 4% of the worldwide annual turnover of a business. In addition, the LPDP envisages special fines for breaches of the rules for video surveillance, at an amount of EUR 1,000 – EUR 10,000.
IMPACT
The new legislation will have a significant impact on the data protection landscape in North Macedonia. In order to achieve a satisfactory level of compliance by the time of the expiry of the 18-month transitional period, companies based in North Macedonia must go through the same process as EU/EEA based-companies went through in order to comply with the GDPR. The affected data controllers and processors should take immediate measures and conduct the necessary gap analysis and internal audits to ensure the timely execution of the full GDPR implementation pack.