On April 1st 2022, the Macedonian Personal Data Protection Agency (hereinafter only “Agency”) has released its Annual report for 2021.
Having in concern the significant changes in the legal framework as a result of the adopting of the new Law on Personal Data Protection in 2020, and its entry into force in 2021, the Agency’s activities were focused on the implementation and harmonization of the new law by the controllers. Compared to the previous year, the number of inspection supervisions in 2021 is increased by 29 %.
Statistically, in all areas that were subject to supervision during 2021, a total of 304 supervisions were carried out, of which:
- 186 regular supervisions where due to Covid-19 pandemic 185 supervisions were carried out electronically through the web sites that provide e-commerce and 1 supervision was carried out on site. 19 supervisions were carried out in the public sector and the rest 167 in the private sector.
- 88 extraordinary supervisions of which 16 supervisions were carried out in the public sector, 47 supervisions in the private sector, 3 supervisions in the civil society sector and 22 supervisions at natural persons. These supervisions were carried out upon request under article 93, 97 and 100 of the Macedonian Data Protection Law i.e. for irregular processing of personal data by video surveillance system or by banks and financial companies that are providing fast crediting.
- 30 control supervisions related to the previously imposed measures in the previous regular supervisions. From the total of 30 control supervisions 27 were carried out in the public sector. The Agency conclusion is that the public sector does not implement consistently the imposed measures.
In 2021, one misdemeanor procedure was initiated where the Misdemeanor Commission imposed a penalty for the Controller and for Controller’s authorized person.
In the period from January 1 to December 31, nine (9) notifications for security breach of personal data were submitted before the agency, from which eight (8) coming from the private sector. As general conclusion, the Agency states that Controllers do not have a system for documenting and reporting security breaches of personal data security and generally do not distinguish between incident and breach, as well as between probable risk to the controller and probable risk to the rights and freedoms of the subject of data protection.
In 2021 the Agency, based on the findings received in irregular supervision, has filed a criminal charge with the Public Prosecutor's Office for abuse of personal data and unauthorized wiretapping and audio recording through audio and video surveillance in a residential building
Furthermore, in 2021, there were total 540 complaints submitted before the Agency, from which:
- 472 complaints were submitted by natural persons;
- 68 complaints were submitted by legal persons;
- 496 complaints were submitted electronically
- 44 complaints were submitted in writing.
45% or 247 complaints were submitted concerning social network, concerning fake profiles, hacking profiles, complaints for publishing personal photos and videos. Most of the complaints come from Facebook (126) and Instagram (103) and other (18) for TikTok, YouTube, Twitter, and Snapchat.
55% of the complaints were submitted concerning direct marketing, inability to withdraw a given consent, inability to exercise the rights of the personal data subject especially for the right of access, deletion and correction, prior lack of information on the collection, processing and storage of personal data, data processing through video surveillance etc.
The focus of the Agency in 2022 will stay on the supervison of the implementation and harmonization eith the new law by the controllers but also supervision of the controllers operating in accordance with the Law on interception of communications.
Article provided by INPLP member: Jasmina Brezovska (Bona Fide, North Macedonia)
Dr. Tobias Höllwarth (Managing Director INPLP)