On December 25, 2024, the Personal Data Protection Agency of the Republic of North Macedonia adopted a new Rulebook regarding the security of personal data processing. This regulation replaces the earlier 2020 legislative act and aims to enhance personal data protection while aligning the country’s practices with European standards, particularly the GDPR. As a result, businesses must adapt to the updated framework.
Key Guidelines for Data Controllers
The new Rulebook provides clear guidelines for data controllers and outlines their responsibilities in safeguarding personal data. It emphasises the need to plan, implement, review, and update both technical and organisational measures. These actions reduce risks associated with data processing and ensure compliance with personal data protection laws. Therefore, data controllers must prioritise these tasks to avoid potential violations.
Glossary of Key Terms
The Rulebook introduces important terms that data controllers must understand:
- Protection Goals: These include confidentiality, integrity, availability, and transparency, all aimed at safeguarding personal data.
- Data Minimisation: This principle limits the collection and processing of personal data to only what is strictly necessary for specific purposes.
- Risk Management: This process involves identifying, assessing, and mitigating risks related to personal data processing to protect individuals’ rights and freedoms.
Obligations for Data Controllers
Data controllers must establish a functional, sustainable information system that complies with the Rulebook’s guidelines. This includes:
- Preparing System Documentation: Controllers must document the purpose of data processing, the types of data involved, and the technical components used.
- Conducting Risk Assessments: Data controllers must evaluate potential risks to personal data and implement appropriate mitigation measures.
- Ongoing System Maintenance: Controllers must regularly review and update their information systems to ensure compliance with the technical and organisational measures required by the Rulebook.
Ensuring Compliance by July 2025
The Rulebook will come into effect on July 1, 2025, giving data controllers a transition period to align their practices with the updated requirements. During this period, organisations must review and update their systems, conduct risk assessments, and implement the necessary measures to comply with the new guidelines. Organisations must act promptly to avoid delays.
Risk Management and System Security
The Rulebook focuses heavily on risk management. Data controllers must assess the potential impact of data processing activities on individuals’ rights and freedoms. They must take proactive steps to reduce these risks. Additionally, controllers must regularly test information systems to ensure they function as intended and maintain the required level of security. Testing and ongoing improvements are essential for maintaining data protection standards.
Transfer of Personal Data to Third Countries
The Rulebook also addresses the conditions under which personal data may be transferred to third countries. Controllers must ensure that such transfers comply with local data protection laws and international standards to protect personal data throughout its lifecycle. Organisations must handle cross-border transfers in compliance with the applicable legal framework.
A Step Towards EU Alignment
Although North Macedonia is not yet an EU member, its data protection laws align closely with the EU’s GDPR. This alignment ensures that businesses operating in North Macedonia meet similar standards to those in the EU, particularly regarding data processing, security measures, and penalties for non-compliance. By meeting these standards, businesses in North Macedonia are in effect preparing for the possibility of future EU membership.
Conclusion
The new Rulebook on personal data processing introduces significant changes to how personal data must be handled in North Macedonia. Data controllers must ensure full compliance by July 2025 and align their practices with international standards. This regulation strengthens data protection in North Macedonia and facilitates the country’s progress toward greater alignment with the EU’s data protection framework.
360 Business Law helps businesses navigate complex legal frameworks, including data protection and security. With the new Rulebook in place, organisations must act quickly to ensure compliance and protect personal data. 360 Business Law provides expert legal guidance, helping businesses in North Macedonia and beyond align with international standards like the EU’s GDPR.