On August 24, 2021, the new Law on Personal Data Protection entered into full application. With the adoption of the new Law, Macedonian legislation is harmonized with the European regulations and is meant to respond to the new challenges to the right to privacy and personal data protection, challenges that arise primarily from the increased use of information technology and the globalization of personal data processing.
Because the Law on Personal Data Protection has introduced numerous changes to the personal data protection procedure, the rights of data subjects and the obligations of controllers and personal data protection officers, and has also raised a number of dilemmas about its application for controllers and data subjects, the Law Office Pepeljugoski has singled out and answered the most frequently asked questions about applying the Law in practice, in order to facilitate its consistent application.
1. What is considered personal data?
Personal data is any information that relates to an identified natural person or an identifiable natural person (the data subject). An identifiable natural person is one whose identity can be determined directly or indirectly, in particular on the basis of an identifier such as a name, the citizen's personal identification number, location data or a network identifier, or on the basis of one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. What is the difference between a controller and an officer?
A controller is a natural or legal person who, alone or jointly with others, determines the purposes and the means of processing personal data. Besides natural and legal persons, a controller can also be a state authority, a state body, a legal entity established by the state to exercise public authority, an agency or another body.
An officer is the authorized person for personal data protection appointed by the controller. The officer may be a person employed by the controller who meets the requirements provided by law, or a person engaged on the basis of a service contract.
3. Who can be a personal data protection officer?
The personal data protection officer is chosen on the basis of his or her professional qualifications, in particular expert knowledge of the legislation and practices in the field of personal data protection, and the ability to carry out the obligations set by law.
Specifically, a personal data protection officer may be a person who:
– meets the conditions for employment set out in the Law on Labor Relations,
– actively uses the Macedonian language,
– at the moment of appointment has not been barred, by a final court verdict imposing a punishment or misdemeanor sanction, from performing a profession, activity or duty,
– has completed higher education, and
– has acquired knowledge and skills regarding the practices and regulations for personal data protection, in accordance with the provisions of this Law.
Neither the manager or director of a company nor the president of a citizens' association can be appointed as personal data protection officer, because there is a conflict of interest between the tasks and duties the officer is obliged to perform and the tasks and duties of the authorized person in a legal entity.
The controller is obliged to publish the contact details of the personal data protection officer and to inform the Personal Data Protection Agency about his/her appointment.
4. What if the company has only one employee who is also the manager or the employees do not meet the legal requirements?
When the company has only one employee and that employee is the company's authorized person, or when none of the company's employees meets the legal requirements to be appointed as personal data protection officer, the company can engage a person who is professionally qualified and trained in personal data protection, on the basis of a service contract, to perform the work of an officer.
5. Which companies have the obligation to adopt bylaws for personal data protection and to appoint an officer?
The obligation to adopt bylaws harmonized with the new Law on Personal Data Protection and the appointment of a personal data protection officer depends primarily on the type, scope and categories of personal data subjects that are processed, and not on the number of employees in the company.
However, a controller that processes personal data on fewer than 10 employees as a single collection of personal data has no obligation to apply technical and organizational measures, unless the processing it performs is likely to pose a risk to the rights and freedoms of data subjects, or the processing includes special categories of personal data or personal data relating to criminal convictions.
6. How can an already appointed personal data protection officer be replaced?
The officer is replaced by the same procedure by which he or she was appointed, by a decision of the controller. The replacement of the previous officer and the appointment of the new personal data protection officer must be notified to the Personal Data Protection Agency without delay, and at the same time the contact details of the new officer must be made public and available to all data subjects.
7. Is it necessary for the candidates for employment to give explicit consent for the processing of their personal data in the employment procedure?
During the employment procedure, candidates do not need to give separate explicit consent for the processing of their data. They have provided their personal data in order to be considered for employment, and that is the legal basis for processing them. However, this applies only while the employment procedure is ongoing. If the employer wants to build its own database in which it stores the personal data of candidates for future, potential employment, it must inform the candidates who would be included in the database and ask for their explicit consent to being included in it and to the employer keeping their personal data. If consent is not obtained, the personal data must be destroyed.
8. What is meant by “the right to be forgotten”?
The right to erasure, or "the right to be forgotten", is the right of the data subject to ask the controller to delete his or her personal data when the personal data are no longer needed for the purposes for which they were collected, when the subject withdraws previously given consent for processing, when the subject objects to the processing, when the personal data have been unlawfully processed, when they must be deleted in order to comply with a legal obligation, or when they were collected in connection with the offer of information society services.
In cases when the subject requests the controller to delete his data, the controller is obliged to delete the personal data within 30 days from the day of submitting the request for deletion, if the stated conditions are met.
9. What is meant by a personal data processor and which parties are considered processors?
A processor is a natural or legal person, a state authority, a state body, a legal entity established by the state to exercise public authority, an agency or another body that processes personal data on behalf of the controller.
Processing by the processor is performed on the basis of a previously concluded agreement or other legal act in accordance with the law, and the processor is obliged to guarantee the application of appropriate technical and organizational measures to protect the rights of the data subject.
In practice, the parties most often engaged as processors are accountants, lawyers, delivery services, persons who maintain the information system, etc. Persons who provide cleaning services, housekeeping services, etc., although they may have access to certain data in the course of their work, are not required to sign a special contract because they do not process the data.
10. In case of data transfer, is it necessary to request permission from the Personal Data Protection Agency?
Personal data may be transferred to a third country or an international organization when the Agency considers that the third country or international organization provides an appropriate level of protection.
The procedure depends primarily on the country to which the transfer is made. For a transfer within the EU or EEA it is enough to inform the Agency of the transfer by filling out the application form published by the Agency. For a transfer to a country outside the EU or EEA, explicit approval from the Agency is required.
11. Is the use of servers and cloud services located outside the territory of the Republic of North Macedonia considered as data transfer?
If a cloud service hosted on a server outside the territory of the country is used, data is transferred to a third country. The procedure for this transfer depends on the country in which the server storing the data is hosted. If it is an EU/EEA country (Microsoft, for example, most often hosts on servers in the EU/EEA), it is enough to notify the Agency. If the server is outside the EU/EEA, approval from the Agency is required.
12. When is it allowed to record official or business premises?
The controller may carry out video surveillance of official or business premises only where it is necessary for the protection of people's life or health, the protection of property, the protection of employees' life and health due to the nature of their work, or for controlling entry to and exit from official premises for security purposes. Recording wardrobes, changing rooms, toilets and similar rooms is not allowed.
Employees must be informed of the video surveillance, and a notice must be displayed in a visible place stating that video surveillance is carried out, the name of the controller carrying it out, and how data subjects can obtain information on where and for how long the footage is stored.
Prepared by Attorney at Law Marika Trajkova and Attorney at Law Angela Jankoska.