Standard contractual clauses in accordance with the law on personal data protection

In an era of global digitalization and technology development, significant changes are taking place in the field of personal data protection both internationally and nationally, consequently, it requires continuous regulation of the legal issues arising from the development of the modern society, through necessary adjustment on the manner of collection, use, processing and transfer of personal data with rules, norms and guidelines that will ensure increased legal certainty in legal relations.

The Law on Personal Data Protection (Official Gazette of Republic of North Macedonia No. 42/20) envisages possibility for adoption of standard contractual clauses by the Personal Data Protection Agency, in order to elaborate certain issues in detail.

Based on that, the Personal Data Protection Agency adopted Decision on establishing standard contractual clauses between controllers and processors and Decision on establishing standard contractual clauses for transfer of personal data to third countries (Official Gazette of Republic of North Macedonia No. 280/21).

  1. Decision on establishing standard contractual clauses between controllers and processors

The Law on Personal Data Protection and bylaws set the Controller and the Processor as the main pillars of the obligations and responsibilities arising from the Law on Personal Data Protection, which is why the regulation of their mutual relationship is extremely important.

Pursuant to Article 32 of the Law on Personal Data Protection, the Personal Data Protection Agency brought the Decision on establishing standard contractual clauses between controllers and processors (Official Gazette of Republic of North Macedonia No. 280/21), which provide the legally required contractual relation between them

The standard contractual clauses between the controllers and the processors enable complete and detailed regulation of the issues for the mutual rights and obligations of the controller and the processor.

According to the Decision, the standard contractual clauses are not mandatory for use, i.e., they can be used. However, it is clearly stated that agreements between controllers and the processors, concluded before the decision, should be harmonized, within 6 months from the decision, with the law and the regulations adopted on the basis of the law, as the specific decision.

Therefore, even without the direct use of standard contractual clauses, it is necessary to harmonize the existing contracts with their content.

The standard contractual clauses stipulate that their content should not be changed, however they may be included in a wider agreement and/or supplemented by other contractual clauses and safeguards, provided that they are not directly and indirectly contrary to the clauses and that they don’t violate the fundamental rights or freedoms of the data subjects.

  • Decision on establishing standard contractual clauses for the transfer of personal data to third countries

The portability of personal data is a feature of the personal data that allows the movement of data from one entity to another in order to process them, which provides their widespread use and without proper mechanisms for protection of the personal data during the transfer – the privacy can be easily compromised.

Hence, based on Article 50 of the Law on Personal Data Protection, the Personal Data Protection Agency adopted a Decision on establishing standard contractual clauses for transfer of personal data to third countries (Official Gazette of Republic of North Macedonia No. 280/21).

With the standard contractual clauses for transfer of personal data to third countries, the Agency provides appropriate protection measures in accordance with Article 50 of the Law on Personal Data Protection, which enables the controller or processor to transfer personal data to a third country or international organization in cases when no adequacy decision has been made by the Agency in accordance with Article 49 of the Law on Personal Data Protection.

The content of the standard contract clauses should not be changed, except for the selection of the appropriate module, given the fact that the clauses include: module of transfer from controller to controller; module of transfer from controller to processor; module for transfer from processor to processor and module for transfer from processor to controller. In any case, they can be included in a wider agreement and / or supplemented by other clauses, as long as it does not interfere with the content of the contractual clauses. In conclusion, the above-mentioned decisions of the Personal data protection Agency, enable the national regulative to approach one step closer to European law and to harmonize with it and at the same time enable better protection of the personal data.