Compliance with the Law on personal data protection

With the enactment of the EU GDPR, which was put into effect on May 25, 2018, the perception of personal data protection has fundamentally changed for businesses. The new data privacy and security policy is regarded as the toughest law in the world, and although it was passed by the EU, it imposes obligations on all organizations, all over the world, that collect data related to citizens of the EU region. The GDPR is ‘notorious’ for its severe fines against those who violate its privacy and security standards, with penalties that max out at EUR 20 million or 4% of the business’s global revenue for the previous year. It is safe to say that the intention behind the GDPR was to give individuals control over their personal data and the way it is processed.

The Republic of North Macedonia adopted its first Law on Personal Data Protection in 2005, and that law underwent six changes up until 2018. Bearing in mind North Macedonia’s eagerness to join the EU, the country enacted a brand-new Law on Personal Data Protection in 2020, which is completely harmonized with the EU General Data Protection Regulation. The Law states that Data Controllers and Processors must comply with the data protection requirements from the day that the Law enters into force, i.e. by 24th of August 2021 at the latest. For businesses that do not comply with the Law, a new, severe penalty policy is foreseen: fines for private entities can range from 2% up to 4% of the entity’s total annual income from the previous fiscal year, per misdemeanor, while for non-compliance with the Law’s articles on video surveillance, the penalties for private entities range between EUR 1.000 and EUR 10.000. The predicted fines for an individual (physical) person within the company (employees such as data controllers or data processors) are much lower than the above-mentioned penalties and are around several hundred EUR.

Even though the Republic of North Macedonia is persistent in making drastic legislative changes to harmonize the Law with the EU regulations and directives, unfortunately the path and steps a company must take to comply with the Law are yet to be defined. Data Controllers and Data Processors are expected to assess their current data protection system individually and identify the additional measures that need to be taken to comply with the Law. The steps that need to be taken to comply with data protection requirements are as follows:

  • Implementing data protection by design and/or by default; 
  • Keeping internal records for processing activities; 
  • Executing an internal assessment of the current data protection operation;
  • Other obligations according to the Law.

Considering that private entities have less than 30 days left to comply with the Law on Personal Data Protection in NMK, all entities should start taking the needed steps in order to avoid the strict sanctions and penalties set out in the Law.