Law on Personal Data Protection 2020
– GDPR in the Republic of North Macedonia –
GDPR has raised awareness in relation to the concept of privacy, and the draconic sanctions have pressured the companies to strive to achieve a new level of security in using and processing personal data.
In February 2020, the Republic of North Macedonia adopted the new Law on Personal Data Protection (Official Gazette of the Republic of North Macedonia No. 42/20) (hereinafter “LPDP”) in order to harmonize the existing legal framework in the field of protection of personal data with the GDPR standards.
The law prescribes a time period of 18 months in which the controllers and processors are obliged to comply their work with the provisions of the new law, that is, up to 24 August 2021.
LPDP imposes a more active role of the controller who will have to undertake measures for improvement, upgrade and adjustment of its established system for personal data protection, i.e. each controller will have to perform in-depth analysis and assessment to determine the level of compliance of the existing system with the new legal solution. The controller and the processor are also obliged to apply appropriate technical and organizational measures to ensure and be able to prove that the processing of personal data is carried out in accordance with the provisions of the law.
The Personal Data Protection Agency on its official website has published information for the controllers in regards to the application of the new law, related to the activities for improvement,. enhancement and adjustment with the established systems for data protection. These information can be found on the following LINK.
As a way to raise the level of personal data protection, the law also recommends the adoption of Code of Conduct and Certification that would be applied in the operations of controllers and processors.
LPDP envisages supervision regarding the application of the law, and depending on the severity of the misdemeanor, imposes fines in the amount of up to 2% -4% of the total annual income of the controller or processor-legal entity, (expressed in absolute amount) realized in the business year preceding the year when the misdemeanor was committed or of the total income earned for a shorter period of the year preceding the misdemeanor, if in that year the legal entity has started working, as well as fines in the amount of 300 to 500 euros in Macedonian denars for the responsible person at the legal entity.
Therefore, taking into account that the new law provides many amendments and new activities for the controllers and the processors, as well as that the subjects of personal data gain more rights, the companies must use the legally provided period of 18 months reasonably in order to harmonize their work with the new regulations.