A new Law on Personal Data Protection (“the Law”) was promulgated in the Official Gazette of the Republic of North Macedonia, issue no. 42 on 16 February 2020. The Law shall enter into force within eight days as of the date of its publishing in the Official Gazette, whereby the current Law on Personal Data Protection shall cease to apply.
The main purpose of the Law, among others, is the harmonization of the local legislation with EU legislation, i.e. Regulation (EU) 679/2016 of 27 April 2016, commonly known as the General Data Protection Regulation or ‘GDPR’, as well as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) of the Council of Europe.
Pursuant to the Law, new standards related to the processing of personal data have been introduced. The Law is based on the following principles of personal data processing: (i) lawfulness, fairness and transparency; (ii) limitation of the purposes of personal data processing; (iii) minimum volume of data; (iv) data accuracy; (v) limitation of the retention period; (vi) integrity and confidentiality; and (vii) accountability.
As a result of the entry into force of the Law, the Directorate for Personal Data Protection shall be transformed into an Agency for Personal Data Protection, an independent body responsible for oversight of compliance with personal data protection legislation.
Data controllers and processors are granted with a transition period of eighteen months to align their activities with the Law. The relevant subordinate legislation shall be adopted by the Agency for Personal Data Protection within eighteen months as of the date of entry into force of the Law. In the meantime, the current subordinate legislation shall remain applicable unless it is in direct conflict with the Law.
The Law includes specific provisions regarding the rights of data subjects to seek administrative and judicial remedy against violations of their rights related to data protection. In case of a violation of the individual’s rights under the Law, the individual will be entitled to directly seek remedy before the court against data controllers and processors.
The Law provides for penalties ranging between 2%-4% of the total annual income of the legal entity - data controller or processor (in absolute terms), generated in the business year preceding the year when the infringement was committed or of the total income generated for a shorter period than the year preceding the infringement, if the legal entity started conducting business activities in that year.
We would be glad to help if additional questions or need for further assistance arise.
© 2021 KPMG North Macedonia DOO, a limited liability company registered in the Republic of North Macedonia and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.