In the period from 26 to 30 July 2021, short term experts from the Croatian Personal Data Protection Agency completed the first expert mission within the Twinning project “Support to the Implementation of the Modernised Data Protection Legal Framework in North Macedonia”.
Twinning is a European Union instrument for institutional cooperation between Public Administrations of EU Member States and of beneficiary or partner countries. Twinning projects bring together public sector expertise from EU Member States and beneficiary countries with the aim of achieving concrete mandatory operational results through peer to peer activities.
GDPR is considered the most progressive and highest legal standard for personal data processing that has global impact.
For this reason, implementation of a modernized national data protection framework in North Macedonia aligned with European standards is necessary to address the risks for privacy and personal data protection posed by the digital era.
Therefore, in February 2020, the new Law on Personal Data Protection (Official Gazette of Republic of North Macedonia n.42/20), that transposes the General Data Protection Regulation 2016/679 (GDPR) was adopted. Unofficial translation available at: https://www.dzlp.mk/sites/default/files/u4/lpdp_2020.pdf . The new Law on Personal Data Protection (as GDPR does) introduces significant changes: it introduces new definitions and concepts, imposes new obligations for data controllers and processors and enhances data subject’s rights.
This will be a significant challenge for data controllers because they need to be proactive and improve their transparency mechanisms, implementing the new concepts of privacy impact assessments, privacy by design and privacy by default and mandatory notification of data breaches. Additional pressure on data controllers are the high fines if they don’t comply with the law that go up to 4% of the annual turnover.
Current overall assessment is that implementation of the data protection regulations even in high risk sectors like the judiciary, elections, education, law enforcement, telecommunications, health and finance sector, as well as small and medium enterprise need to be improved.
Therefore, supporting compliance of data controllers and processors of personal data and raising public awareness of data subjects of their rights is essential in building a sustainable national data protection system in accordance with the new European and international standards.
In their first project mission, the AZOP team, composed of Deputy Director Igor Vulje, Senior Advisor Specialist AnamarijaMladinić, Senior Advisor Dijana Cepic and Senior Advisor Iva Ivankovic, was in charge of implementing activities under Components 1, 2 and 3.
Namely, this Twinning project comprises 3 components:
COMPONENT 1 (Result 1) Legal and institutional framework for implementation of the novelties of the new Law for Personal Data Protection strengthened
Igor Vulje,Deputy Director, was in charge of drafting methodology for the implementation of monthly supervisory activities, which includes creating forms for the implementation of supervision and creation of records and creating questionnaires for self-assessment related to risk assessment in personal data processing procedures. Indeed, when processing personal data, each controller must take into account the nature, scope, context and purposes of the processing, as well as the risks of different levels of probability and seriousness for the rights and freedoms of individuals. Furthermore, Law on Personal Data Protecion of the Republic of Macedonia, as well as the General Data Protection Regulation, stipulates that each controller must take appropriate technical and organisational measures to ensure that the processing of personal data is carried out in accordance with the Law on Personal Data Protection.
COMPONENT 2 (Result 2) Enhanced capacity of PDPA’s staff and relevant institutions to implement the new data protection framework according to European best practices
Dijana Cepic, Senior Adviser, conducted an analysis of existing capacities through in-depth interviews with the Agency employees with the aim of assessing and identifying the level of experience and knowledge of the General Data Protection Regulation and revised legislation regarding transparency, data subjects’ rights, reporting of personal data breaches, data protection impact assessment, privacy by design and by default, pseudonymisation and anonymisation, responsibilities of controllers, transfer of personal data to third countries or international organisations, accreditation and certification procedures and new enforcement powers. The result of this activity is a good understanding of the specific needs of the employees for training on the basis of which the experts will develop a training programme, concerning especially:
- material regulations with respect to the GDPR and its impact on the national law
- supervision and investigative powers with respect to the PDPA and government institutions and law enforcement
- issuing approvals and
- enforcement and imposing administrative fines.
COMPONENT 3 (Result 3) Awareness about the rights and obligations of the new data protection framework improved
Anamarija Mladinic, Senior Adviser Specialist, conducted an analysis of needs of different target groups through interviews with employees of the Agency: data controllers and processors in the private and public sector, data protection officers, small and medium-sized enterprises, non-governmental organizations, parents, media, children and the general public regarding activities to raise awareness of personal data protection. It has been established that the Agency already carries out numerous educational activities with the aim of informing controllers about their new obligations arising from the Law on Personal Data Protection, and citizens about their new rights and the importance of self-protective behaviour. In addition to activities already implemented by the Agency, the Twinning project will include activities aimed at micro, small and medium-sized enterprises, children and parents and 2 events aimed at controllers and processors and the general public. Also, a questionnaire has been created that will be distributed to controllers in North Macedonia to determine the level of knowledge concerning their obligations arising from Personal Data Protection. Based on the results of the questionnaire, Croatian and German data protection experts, in cooperation with their Macedonian counterparts, will develop a series of manuals and guidelines that will facilitate their harmonisation with the provisions of the Law. Furthermore, the Raising Awareness Plan has been developed which envisages the implementation of various activities tailor made for different target groups and a self-assessment checklist regarding compliance with the Law on Personal Data Protection.
Our goal is to increase availability of tools and resources (templates, model documents, privacy notices, cookies policies) for data controllers/processors to comply with the new data protection framework on PDPA’s web page and social media.
To reach that goal, practical information and documentation toolkit (e.g. templates, model documents, privacy notices) to help data controllers/processors demonstrate accountability according to the new Law on personal data protection will be produced and published on PDPA’s web site https://www.dzlp.mk/en/node/46.