EU-funded Twinning project: Expert missions in December

From 13th to 17th December 2021, AZOP experts Marko Šijan and Mario Milner conducted two expert missions within the EU-funded Twinning project “Support to the Implementation of the Modernised Data Protection Legal Framework”.

The first expert mission within Component 3, dedicated to the development of a practical information and documentation toolkit on the implementation of the Law on Personal Data Protection aimed at data controllers and citizens, focused on how to prepare and perform internal controls regarding technical and organizational measures and on the processing of personal data by the Police, and the second one on the processing of personal data by means of video surveillance.

Marko Šijan, Senior Adviser Specialist in the Supervision and Central Register Department, developed a Guide on data breach to help data controllers in North Macedonia understand one of the new requirements introduced by the Law on Personal Data Protection. Namely, in certain cases, data controllers need to notify the Personal Data Protection Agency and the individuals whose personal data have been affected of the breach.

The Law makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play, and they must notify any breach to their controller.

It is considered that the notification requirement has several benefits. When notifying the Agency, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the Agency may order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or the Agency may mean that under Art. 110 (11) (12) a possible sanction is applicable to the controller and processor.

Controllers and processors are therefore encouraged to plan and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the Agency, and to communicate the breach to the individuals concerned when necessary. Notification to the Agency should form a part of that incident response plan.

Furthermore, Marko Šijan developed a Guide on how to prepare and perform internal controls regarding technical and organizational measures, with case studies, aimed at controllers and processors, and a Factsheet on processing of personal data by the police for citizens. The aim of the guide is to help data controllers understand and implement Article 36 of the Law on Data Protection, which relates to the security of processing and, among other things, stipulates that the data controller and processor, taking into account the scope of processing, cost of implementation, as well as risks to the rights and freedoms of natural persons, should implement appropriate technical and organizational measures. The same article further states that it is necessary to define a process for regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

The Rulebook on Data Processing Security (Official Gazette no 120/20) stipulates the guidelines for actions to be taken by controllers with respect to implementing technical and organisational measures to ensure data processing security. Its provisions also stipulate regular testing, reviewing and evaluation of the effectiveness of technical and organisational measures, in order to guarantee security of data processing.

The third output is focused on giving citizens practical information on how their personal data is processed by the Police. The police process personal data of citizens based on the law and for the purpose of keeping records of citizens of the Republic of North Macedonia and issuing identification documents: identity card, driver’s license, passport.

The police have the authority to request access to a personal identification document from each natural person and to apply other prescribed measures to establish the identity of the person. The authority of the police for the above actions is regulated by the Rulebook on the manner of police performance (Official Gazette 149/2007).

For the purpose of exercising the rights of access to and correction of personal data, a procedure for citizens is available on the website of the Ministry of the Interior:

Mario Milner, Senior Adviser Specialist in the Supervision and Central Register Department, developed a Guide on the use of video surveillance in vehicles and other applications of such technologies, a Guide on the use of video surveillance and a Factsheet on the Police Directive.

The aim and purpose of the guides is to provide controllers and processors with additional information about their obligations when processing personal data through video surveillance, as well as to raise awareness on data subjects’ rights regarding processing their personal data through video surveillance.

The guides address issues of video surveillance systems on or in objects, the collection of personal data via cameras, and also the use of mobile cameras, whether the persons handling them are participating in traffic or recording various sports or other activities. It is important to emphasize that this kind of data processing is not regulated separately within the data protection legislative framework nor in the video surveillance provisions of the Law on Personal Data Protection.

This guide is intended to assist the users of these recording devices in determining whether they are a ‘controller’ with obligations under data protection law, or whether their actions fall within the personal or household exemption, as well as what those obligations are and what steps users can take to ensure that they use these technologies in compliance with data protection law.

In order to maintain a balance between the right to security (protection of persons and property) and the right to privacy (as well as protection of personal data), before implementing video surveillance it is necessary to consider whether there are effective means other than video surveillance to achieve the fundamental goal of increasing security (this decision should be continuously reviewed). Where video surveillance is necessary, it should be used only for the purposes and in the manner prescribed by Law, because wide application of video surveillance without limitation of the purpose of application, and without continuous assessment of the further purpose of application, could lead to a lack of privacy and to violation of the data protection rights of individuals.

German experts Mario Osswald, Head of IT, Media, Accreditation/Certification of the Saxon Commissioner for Data Protection, and Martin Eßer, Head of Unit – Senior Director of the Federal Financial Supervisory Authority, developed teaching materials and a design for workshops and teaching instruments for the qualification of the PDPA’s staff and representatives from government institutions with regard to the novelties of the GDPR and the EU Police Directive.

All the experts conducted meetings with data controllers from the public and private sectors, with the goal of gaining deeper insights into the main problems they are facing and developing guides that meet their needs.

We are very pleased because we received positive feedback from the stakeholders, who find the project very useful, especially the possibility to share their experiences and difficulties in the implementation of the Law on Personal Data Protection with North Macedonian, Croatian and German experts.


