In the period from the 18th to 22nd October, experts from AZOP and data protection experts from Germany conducted five expert missions at the Personal Data Protection Agency (PDPA) in Skopje, North Macedonia, under Component 1, Component 2 and Component 3 of the EU-funded Twinning project “Support to the Implementation of the Modernised Data Protection Legal Framework”.
COMPONENT 1 (Result 1)
Legal and institutional framework for implementation of the novelties of the new Law for Personal Data Protection strengthened
Component 1 is the backbone of the project since it will provide a legal, institutional and methodological framework for implementing all the other project activities. The expert missions aim to provide the PDPA staff with insight on respective solutions in Member State(s) and provide tailor-made solutions. It is expected that the activities under this Component will be implemented by both Croatian and German experts, who will, in collaboration with the Beneficiary, produce all required outputs and achieve the prescribed mandatory result.
Within Activity 1.2, “Enhance the Standard Operating Procedures (SOPs) and other administrative documents for implementing new tasks and powers of PDPA”, Bernhard Bannasch, Deputy Saxon Commissioner for Data Protection and Head of Division 4 (Justice, security authorities, tax administration, basic and international affairs) at the Saxon Commissioner for Data Protection, developed an administrative document regarding prior consultation and authorisation.
According to Article 40 of the Law on Personal Data Protection (LPDP), the controller shall consult the Agency prior to processing where a data protection impact assessment under Article 39 of this Law indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. State administration bodies shall consult the Agency during the preparation of a proposal for a legislative measure to be adopted by the Parliament of the Republic of North Macedonia, or of a regulatory measure based on such a legislative measure, which relates to processing. Furthermore, during the consultation process of controllers with the PDPA, controllers shall seek prior authorisation from the PDPA concerning the processing by a controller for the performance of tasks in the public interest, including processing in relation to social protection and public health.
The data protection legal framework of the Republic of North Macedonia recognises the importance of, and the increased risk to, personal data in transfers to third countries and international organisations. It therefore contains specific requirements that aim to offer the same level of protection to data transferred outside the territory of the Republic of North Macedonia.
According to Article 48 of the national Law on Personal Data Protection (LPDP), the data exporter transferring personal data to third countries or international organisations must, in addition to complying with Chapter V of the Law, also meet the conditions of the other provisions of the Law. In essence, a two-step test must be applied. First, a legal basis must apply to the data processing as such, together with all relevant provisions of the Law; in particular, each processing activity must comply with the data protection principles in Article 9, be lawful in accordance with Article 10 and comply with Article 13 in the case of processing of special categories of data. Second, the provisions of Chapter V of the Law must be complied with.
Dr. Jens Ambrock, Deputy head of division from the Hamburg Commission for Data Protection and Freedom of Information, shared with PDPA staff his vast experience gained in investigations of international data transfers and developed instructions for checking the requests of controllers/processors in cases when they transfer personal data to EU and non-EU countries. In cooperation with PDPA experts, Dr. Ambrock developed questionnaires that will help PDPA staff conduct investigations, as well as criteria for the cases in which the intervention of PDPA is needed. It is important to emphasize that, according to the Law on Personal Data Protection, the controller or processor shall notify the PDPA in case of transfer of personal data to a Member State or member of the European Economic Area.
COMPONENT 2 (Result 2)
Enhanced capacity of PDPA’s staff and relevant institutions to implement the new data protection framework according to European best practices
Component 2 focuses on expanding the already-proven capacities of PDPA staff, aiming towards further harmonisation of the current practices with EU best practices. Towards this goal, the expertise selected to be part of the project team was carefully curated to include experts who combine a deep understanding of data protection law with long-standing experience as data protection practitioners working with current best practices in Europe. The aim is to enhance the capacity of advanced and experienced staff. This requires close integration and consideration of the results of Component 1 with respect to the content of the trainings, and an advanced training plan closely related to the novelties of the GDPR and EU Directive 2016/680, as well as technical training related to data protection. The aim is also to use case studies in workshops where selected issues can be discussed in detail.
Within Component 2, short-term expert Susan Gonscherowski from the Ministry of Energy, Agriculture, the Environment, Nature and Digitalisation of Schleswig-Holstein has developed a methodology for conducting data protection trainings for data controllers and teaching methods for PDPA staff, in order to strengthen and enhance their knowledge transfer capacities.
COMPONENT 3 (Result 3)
Awareness about the rights and obligations of the new data protection framework improved
Component 3 started with a needs assessment to define the needs of the target groups: data controllers/processors from the public and private sectors, SMEs, DPOs, representatives of public authorities, Parliament and Government, NGOs, citizens and media.
The survey was conducted in August-September 2021 among data controllers/processors to determine their level of data protection awareness and understanding of obligations arising from the Law on Personal Data Protection. Based on the survey results and in-depth interviews, a practical information and documentation toolkit (templates, model documents, guides, infographics, factsheets, self-assessment checklists) will be developed to help data controllers/processors demonstrate compliance with the Law on Personal Data Protection.
During the expert missions in the period from the 18th to 22nd October 2021, short-term expert Anamarija Mladinić, senior adviser specialist in AZOP, developed a Guide on data subject rights, a Guide on data protection principles and frequently asked questions for citizens. Furthermore, short-term expert Nikolina Novaković, GDPR trainer and adviser in AZOP, developed a Guide on the concepts of the data controller, data processor and joint controllership in the Law on Personal Data Protection (LPDP) and a Guide on personal data protection of employees.
All short-term experts held meetings with data controllers and DPOs from both the private and public sectors, in order to get deeper insights into their needs in relation to data protection trainings provided by the PDPA and into their difficulties in complying with the Law on Personal Data Protection, especially in relation to data subject rights, understanding of data protection principles and the concept of joint controllership, international data transfers, and a deeper understanding of the rights of employees in relation to personal data protection. The feedback from data controllers and DPOs was of utmost importance in that it enabled experts to develop a methodology for data protection trainings and guidelines for the implementation of the LPDP that meet the needs of these target groups.