On February 16, 2020, the new Law on Personal Data Protection was published in the Official Gazette of RSM 42/20, which envisaged an 18-month period for harmonization. The purpose of this law is to harmonize Macedonian legislation with EU law, more precisely with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), CELEX number 32016R0679. With the adoption of the Law on Personal Data Protection, a process of serious reform of Macedonian law in this area has been initiated.
However, although the 18-month period for compliance with the law expired on 24th August 2021, its implementation is still not completely clear, and companies are facing difficulties in complying. During this period the Agency for Personal Data Protection gave no clear instructions on what steps controllers should take, which was the main reason why they did not take the whole process of implementing the new Law on Personal Data Protection seriously. As the deadline for harmonization approached, accompanied by a public campaign, interest grew, and on August 24th the Agency for Personal Data Protection published Directions for preparation of the documents for technical and organizational measures.
Given that compliance with the new Law on Personal Data Protection was not in line with the planned dynamics, the Ministry of Justice announced that for the next six months the Agency for Personal Data Protection, in the course of its supervision, will not issue fines for noncompliance, but will take steps to educate the controllers and will at the same time assist them in preparing the necessary documentation.
Unlike the previous Law on Personal Data Protection, which provided either a certain range for the amount of the misdemeanor fine or a fixed amount, the new law provides for two categories of misdemeanors according to gravity. In addition, it increases the fines for misdemeanors. If the controller/processor does not harmonize its operation within 18 months, i.e. by August 24th 2021, as provided by the new law, it may face a penalty in the amount of 2%-4% of the annual income from the previous year.
Another novelty provided by the Law on Personal Data Protection is the introduction of the institutes of data protection by design and by default, as well as the institutes of accountability and certification. Furthermore, not only does the law impose a mandatory obligation on the controller to inform the Agency for Personal Data Protection in the event that security is impaired, but it also strengthens the role of the officer: it provides for his/her selection based on his/her professional qualifications and includes the possibility of concluding a service agreement between the officer and the controller.
Certainly, the Law on Personal Data Protection is quite detailed and complex to interpret. In order to comply with its provisions, the controller must perform an in-depth analysis of the personal data protection system. Moreover, the law allows associations representing categories of controllers/processors to develop codes of conduct which will specify the application of the law.
The whole process of ensuring compliance with the new Law on Personal Data Protection is quite a challenge for the controllers, especially for small companies, but also for the IT companies, which are now much more involved in implementing the technical measures for the controllers.
Article provided by INPLP member: Jasmina Brezovska (Bona Fide, North Macedonia)
Dr. Tobias Höllwarth (Managing Director INPLP)