Page 1

Official Gazette of RSM, no. 42 of 16.2.2020

20200420813
ASSEMBLY OF THE REPUBLIC OF NORTHERN MACEDONIA
Pursuant to Article 75, paragraphs 1 and 2 of the Constitution of the Republic of Northern Macedonia,
the President of the Republic of Northern Macedonia and the President of the Assembly of
Republic of Northern Macedonia issued
DECREE FOR DECLARATION OF THE LAW ON PROTECTION OF PERSONAL
DATA (*)
The Law on Personal Data Protection is proclaimed (*),
which the Assembly of the Republic of Northern Macedonia adopted at the session held on
February 16, 2020.
No. 08-1417 / 1
February 16, 2020
Skopje

President of the Republic
Northern Macedonia,
Stevo Pendarovski, s.r.
President
of the Assembly of the Republic
Northern Macedonia,
Mr. Talat Xhaferi, sr

LAW ON PERSONAL DATA PROTECTION ( * )
I. GENERAL PROVISIONS
Content of the law
Article 1
This law regulates the protection of personal data and the right to privacy in
regarding the processing of personal data, and in particular the principles related to the processing of
personal data, the rights of the personal data subject, the position of the controller and
the processor, the transfer of personal data to other countries, the establishment, the status and
competencies of the Agency for Personal Data Protection, special operations of
processing of personal data, legal remedies and responsibility in the processing of
personal data, supervision over personal data protection, as well as
misdemeanors and misdemeanor proceedings in this area.
Material application
Article 2
(1) This Law shall apply to fully or partially automated processing of
personal data and other processing of personal data that are part of the existing
collection of personal data or are intended to be part of a collection of personal data.
(2) The provisions of this Law shall not apply to the processing of personal
data performed by individuals, solely for personal activities
or activities at home.
This law harmonizes with the European regulations in the field of personal data protection.
namely: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
protection of natural persons with regard to the processing of personal data, for the free movement of such
repeal of Directive 95/46 / EC (General Data Protection Regulation) CELEX number
32016R0679.
*

Page 2
Official Gazette of RSM, no. 42 of 16.2.2020

Territorial application
Article 3
(1) The provisions of this Law shall apply to the processing of personal data if
the controller or processor is established on the territory of the Northern Republic
Macedonia, regardless of whether the processing of personal data is performed on the territory
of the Republic of Northern Macedonia or beyond its borders.
(2) The provisions of this Law shall apply to the processing of personal data of
personal data subjects from the Republic of Northern Macedonia, by a controller
or a processor not established in the Republic of Northern Macedonia, whereby
Personal data processing activities are related to:
- offer of goods or services, whether from the personal data subject of
The Republic of Northern Macedonia is required to make a payment or
- monitoring the behavior of personal data subjects, if any
behavior takes place in the Republic of Northern Macedonia.
(3) The provisions of this Law shall apply to the processing of personal data from
by a controller not established on the territory of the Republic of Northern Macedonia,
but is established on the territory where the law of the Republic of Northern Macedonia applies
according to international agreements ratified in accordance with the Constitution of the Northern Republic
Macedonia.
Definitions
Article 4
(1) Certain terms used in this Law have the following meaning:
1. "Personal data" is any information that relates to an identified
natural person or natural person who can be identified (subject of personal
data), and an identifiable natural person is a person whose identity can be
determine directly or indirectly, specifically on the basis of an identifier such as name and
surname, ID number of the citizen, location data, identifier via
internet, or on the basis of one or more features specific to his physical,
physiological, genetic, mental, economic, cultural or social identity of it
natural person;
2. "Personal data processing" means any operation or set of operations that are
perform on personal data, or a set of personal data, automatically or on another
way, such as: collecting, recording, organizing, structuring, storing,
adjustment or change, withdrawal, consultation, inspection, use, disclosure
by transmitting, publishing or otherwise making available, harmonizing or
combining, restricting, deleting or destroying;
3. "Restriction of the processing of personal data" is the designation of personal data
data that is stored in order to limit their processing in the future;
4. "Profiling" is any form of automatic processing of personal data, which are
consists of using personal data to assess certain personal aspects
related to the natural person, and in particular for the analysis or prediction of aspects that are
relate to the performance of the professional duties of that natural person, his
economic status, health, personal preferences, interests, confidentiality, behavior,
location or movement;
5. "Pseudonymization" is the processing of personal data in such a way that personal
data can no longer be linked to a particular personal data entity without being
use additional information, provided that such additional information is

2 of 70

Page 3
Official Gazette of RSM, no. 42 of 16.2.2020

kept separately and subject to the technical and organizational measures to be provided
that the personal data is not related to an identified natural person or natural person
an identifiable person;
6. "Personal data collection" is a structured group of personal data that is
available according to specific criteria, whether centralized,
decentralized or distributed on a functional or geographical basis;
7. "Controller" is a natural or legal person, a body of state power, a state body
or a legal entity established by the state to exercise public authority, an agency or
another body, which independently or together with others determines the goals and the manner of
processing of personal data, and when the purposes and manner of processing of personal data
data are determined by law, the controller is determined by the same law or
the special criteria for its determination;
8. "Personal data collection processor" is a natural or legal person, body of
state government, state body or legal entity established by the state to perform
public authority, agency or other body that processes personal data on behalf of
the controller;
9. "User" is a natural or legal person, a body of state power, a state body
or a legal entity established by the state to exercise public authority, an agency or
another body to whom personal data is disclosed whether it is a third party or
no. However, the bodies of state power and the state bodies to which they are disclosed
personal data within a special investigation in accordance with the law, are not considered
users, whereby the processing of this data by these authorities must be in
compliance with the applicable rules for personal data protection according to its purposes
processing;
10. "Third party" is any natural or legal person, body of state power, state
body or legal entity established by the state to exercise public authority, agency
or another body, which is not a personal data subject, controller, processor or person, which
under the direct authorization of the controller or processor is authorized to
processes data;
11. "Consent" of the personal data subject is any freely given, specific,
informed and unequivocal declared will of the personal data subject, through
a statement or clearly confirmed action, expressing consent to the processing of
his personal data;
12. "Violation of personal data security" is any violation of
security, leading to accidental or unlawful destruction, loss, alteration,
unauthorized disclosure or access to personal data transmitted, stored or
otherwise processed;
13 . "Special categories of personal data" are personal data that reveal racially
or ethnic origin, political views, religious or philosophical beliefs or membership
in trade unions, as well as genetic data, biometric data, data
relating to health or data on sex life or sexual
orientation of the natural person;
14. "Genetic data" is personal data related to genetic characteristics
of the natural person who are inherited or acquired, and who reveal a unique
information about his physiology or health, which is especially obtained by analysis of
a biological sample of that natural person;
15. "Biometric data" are personal data obtained through a specific
technical processing of the physical and physiological characteristics of the natural person or
characteristics of his behavior, and through which it is enabled or confirmed
the unique identification of the natural person;

3 of 70

Page 4
Official Gazette of RSM, no. 42 of 16.2.2020

16. "Health data" are personal data related to
physical or mental health of the individual, including data on
received health care that reveals information about his health;
17. "Representative" is a natural or legal person established in the Northern Republic
Macedonia, which is determined by the controller or processor who is not
established in the Republic of Northern Macedonia in order to represent the controller, ie
the processor in relation to his obligations arising from this law, whereby
the representative is appointed in writing in accordance with Article 31 of this Law;
18 . "Mandatory corporate rules" are policies to protect personal
data that is complied with by the controller or processor based on
the territory of the Republic of Northern Macedonia, during a transfer or a series of transfers to
personal data from the Republic of Macedonia to a controller or processor in one or
more third countries within a group of companies (affiliated companies) or a group of
legal entities that perform joint economic activity;
19. "Information society services " are services defined in
e-commerce regulations;
20. "International Organization" means an organization and its organs governed by
international public law or any other body established by or on the basis of
an agreement between two or more states;
21. "Direct marketing" is any type of communication achieved in any way
according to the latest technological advances, and in order to send advertising,
marketing or propaganda content that is aimed directly at a particular entity
personal data as well as personal data processing which includes profiling up to
the extent to which it relates to this type of communication;
22. "Supervisory body" is the Agency for personal data protection which has the status of
an independent and sovereign state body established in accordance with this Law (hereinafter
text: Agency);
23. "Research" in the sense of this Law is a procedure of examination and verification
to a particular controller or processor regarding the legality of the downloads
activities by him in the processing of personal data and their protection
the implementation of this Law and the regulations adopted on the basis of this Law;
24. "Body of state power" in the sense of this law are other state bodies and
institutions established in accordance with the Constitution of the Republic of Northern Macedonia or
in accordance with another law;
25. "Icon" in the sense of this law is a visual representation of an already installed application
or software program in the information - communication system that uses it
the subject of personal data and is understandable to the user of the system.
(2) The terms used in this Law, the meaning of which is not defined in the paragraph
(1) of this Article, have a meaning determined by another law.
Prohibition of discrimination
Article 5
The protection of personal data is guaranteed to any individual without
discrimination based on his nationality, race, skin color, religion
beliefs, ethnicity, gender, language, political or other beliefs, material
position, birth origin, education, social origin, citizenship, place or
type of residence or any other personal characteristics.

4 of 70

Page 5
Official Gazette of RSM, no. 42 of 16.2.2020

Application of the Law on General Administrative Procedure
Article 6
(1) The procedures provided by this Law shall be conducted in accordance with the provisions of the Law
for the general administrative procedure, unless otherwise regulated by this Law.
(2) The communication regarding the procedures referred to in paragraph (1) of this Article, between
The Agency and the parties take place in writing, orally or electronically,
in accordance with this Law and the Law on General Administrative Procedure.
Data submission
Article 7
(1) Every body of the state government, public institution, institution and other legal entity
maintaining official registers, publicly available data collections or other collections of
data is obliged, free of charge at the request of the Agency, to submit data from
registers and data collections for the needs of the procedures conducted in accordance with
this law.
(2) The communication between the Agency and the bodies of the state government, the public
institutions, institutions and other legal entities referred to in paragraph (1) of this Article shall take place in writing
form, orally or electronically in accordance with law.
Giving help
Article 8
(1) The Agency may request assistance from the state administration body
responsible for performing the activities in the field of internal affairs during the implementation of
a decision that is enforceable in accordance with the Law on General Administrative Procedure and this Law, if
encountered physical resistance or such resistance can justifiably be expected, as in others
cases determined by law.
(2) In the cases referred to in paragraph (1) of this Article, the body of the state administration responsible for
performing the activities in the field of internal affairs is obliged to provide assistance
in accordance with the law.
II. PRINCIPLES
Principles related to the processing of personal data
Article 9
(1) The personal data are:
- process in accordance with the law, to a sufficient extent and in a transparent manner in relation to
of the personal data subject ("legality, fairness and transparency"),
- are collected for specific, clear and legitimate purposes and will not be processed in any way
which is not in line with those goals. Further processing for archiving purposes by
public interest, for scientific or historical research or for statistical purposes, in
in accordance with Article 86 paragraph (1) of this Law, will not be considered in accordance with
the initial purposes for which the personal data were collected ("limitation of the purposes"),
- appropriate, relevant and limited to what is necessary in relation to the objectives
due to which they are processed ("minimum data volume"),

5 of 70

Page 6
Official Gazette of RSM, no. 42 of 16.2.2020

- accurate and where necessary updated, where all appropriate will be taken
measures for timely deletion or correction of inaccurate data or
incomplete, having regard to the purposes for which they were processed ("accuracy"),
- kept in a form that enables identification of personal data subjects,
no longer than is necessary for the purposes for which the personal are processed
data. Personal data can be stored longer than their shelf life if they are
process only for the purposes of archiving of public interest, for scientific or historical purposes
surveys or for statistical purposes in accordance with Article 86 paragraph (1) of this Law, a
by applying appropriate technical and organizational measures in accordance with this Law,
for the protection of the rights and freedoms of the personal data subject ("restriction
the shelf life "),
- processed in a way that provides an appropriate level of personal safety
data, including protection against unauthorized or illegal processing, as well as their
accidental loss, destruction or damage, by applying appropriate technical or
organizational measures ("integrity and confidentiality").
(2) The controller is responsible for the compliance with paragraph (1) of this Article, whereby
obliged to demonstrate compliance (accountability).
Legality of personal data processing
Article 10
(1) The processing of personal data is legal, only if and to the extent that it is
at least one of the following conditions is met:
- the personal data subject has given consent for processing of his personal data
for one or more specific purposes,
- processing is required to fulfill the contract where the personal data subject
is a contracting party, or to take action at the request of the entity of personal
data before its accession to the contract,
- the processing is necessary for fulfilling the legal obligation of the controller,
- the processing is necessary for the protection of the essential interests of the subject of personal
data or to another natural person,
- the processing is necessary for performing works of public interest or when performing
public authorization of the controller determined by law,
- processing is required for the purposes of the controller 's legitimate interests or
third party, unless such interests take precedence over interests or fundamental interests
rights and freedoms of the personal data subject seeking protection of personal
data, especially when the personal data subject is a child.
(2) The provisions of paragraph (1) line 6 of this Article shall not be applied for processing
of personal data by state authorities during the implementation of
their competencies.
(3) The legal basis for personal data processing referred to in paragraph (1) indents 3 and
5 of this article is determined by law. The law obligatorily provides provisions for:
the conditions that determine the legality of the processing by the controller, the objectives
of processing, the categories of personal data that are subject to processing,
the categories of personal data subjects; entities to which they may be detected
personal data, as well as the purposes for which personal data are disclosed, restrictions
in terms of processing purposes, storage period, operations and procedures for
processing, including measures to ensure legal and equitable processing, and with

6 of 70

Page 7
Official Gazette of RSM, no. 42 of 16.2.2020

in order to meet the objective of public interest and to be proportionate to the performance of
legitimate purpose. The law must also contain an assessment of the impact of the protection of
personal data for the cases provided in Article 39 of this Law.
(4) If the personal data are processed for a purpose other than the purpose for which
were originally collected, where processing is not carried out with the consent of
the subject of personal data or on the basis of law, which is necessary and
proportionate measure for protection of the goals determined in Article 27 paragraph (1) of this Law
then the controller to determine if the processing for other purposes is in accordance with
the initial purpose for which the personal data were collected, he is obliged to take, among other things
consideration:
- any connection between the purposes for which the personal data are collected and the purposes for
envisaged further processing,
- the context in which personal data were collected, especially with regard to relationships
between personal data subjects and the controller,
- the nature of the personal data, and in particular whether special categories of
personal data in accordance with Article 13 of this Law or personal data are processed
which refer to criminal convictions and criminal offenses in accordance with Article 14 of this Law,
- the possible consequences of the envisaged further processing for the subjects of personal
data,
the existence of appropriate safeguards that may include encryption or
pseudonymization.
Conditions of consent
Article 11
(1) When the processing is performed on the basis of consent, the controller is obliged to
demonstrates that the personal data subject has given consent for the processing of his
personal data in terms of Article 4 paragraph (1) item 11 of this Law.
(2) If the consent of the personal data subject is given in written form
a statement that addresses other issues, the request for consent must be presented
in a way that can be clearly distinguished from other issues, in an understandable and easy way
available form, using clear and simple means. Every part of such a statement who
is a violation of the provisions of this law, it is not binding.
(3) The personal data subject has the right to withdraw the consent at any time.
Withdrawal of consent does not affect the legality of the processing, based on
consent given before its withdrawal. Before giving consent, the subject of
personal data is informed of this, and the withdrawal of consent must be
as simple as giving it.
(4) When assessing whether consent is given voluntarily, to the greatest extent possible
it takes into account, inter alia, whether the performance of the contract in which it is involved
a certain service is conditioned by giving consent for processing of personal data, a
which is not required to fulfill the contract.
Conditions applicable to the consent of the child with respect to the services of
information society
Article 12
(1) In case when the personal data subject has given consent for processing of
his personal data for one or more specific purposes, in connection with the direct
offering information society services to children, personal processing

7 of 70

Page 8
Official Gazette of RSM, no. 42 of 16.2.2020

Child data is legal if the child is at least 14 years old. If the child is old
under 14 years of age, such processing is legal only if and if such consent is
given or allowed by the child's legal representative.
(2) In the cases referred to in paragraph (1) of this Article, the controller is obliged to invest reasonably
an effort to verify that consent has been given by the child's legal representative,
taking into account the available technology.
Processing of special categories of personal
data
Article 13
(1) It is prohibited to process the special categories of personal data determined in
Article 4 paragraph (1) item 13 of this Law.
(2) As an exception to paragraph (1) of this Article, processing of special categories of personal
data can be performed if:
1) the personal data subject has given explicit consent for processing that personal data
data for one or more specific purposes, unless the law provides that
the prohibition from paragraph (1) of this article for processing such data cannot be
recalled from the personal data subject;
2) the processing is necessary for the purposes of performing the obligations and achieving
the special rights of the controller or the personal data subject in the area of
employment and social security and in social protection regulations, if any
is permitted by law or collective agreement, which provide for appropriate measures for
protection of the fundamental rights and interests of the personal data subject;
3) the processing is necessary for the protection of the essential interests of the subject of
personal data or to another natural person, when the personal data subject
physically or legally unable to give his consent;
4) the processing is performed within the legitimate activities with appropriate
safeguards from a particular foundation, association or other non-profit
organization with a political, philosophical, religious or trade union purpose and provided
processing to apply only to members of these organizations or their former
members or persons who have regular contact with them regarding their purposes and sub
provided that personal data are not disclosed outside that organization without the consent of
personal data subjects;
5) the processing refers to personal data, which are obviously made public by
the subject of personal data;
6) the processing is necessary for the establishment, practice or defense of legal
requests or whenever the courts act within their jurisdiction;
7) the processing is necessary due to reasons of public interest based on law
in proportion to the purpose and respect for the essence of the right to personal protection
data, as well as providing appropriate and specific measures to protect
the fundamental rights and interests of the personal data subject;
8) processing is necessary for the purposes of preventive or occupational medicine, for
assessment of the employee's ability to work, medical diagnosis, provision of
health or social care or treatment or for the purposes of managing services and
health or social care systems, based on law or in accordance with
agreement with the health worker in which the conditions and protective measures are subject
referred to in paragraph (3) of this Article;

8 of 70

Page 9
Official Gazette of RSM, no. 42 of 16.2.2020

9) the processing is necessary for the purposes of public interest in the field of public health,
such as protection against serious cross-border health threats or
ensuring high standards for quality and safety of health care and
medicines or medical devices, based on the law, in which they are provided
appropriate and concrete measures for protection of the rights and freedoms of the personal subject
data, in particular business secret protection;
10) the processing is necessary for the purposes of archiving of public interest, for the purposes of
scientific and historical research or statistical purposes in accordance with Article 86 para
(1) of this Act, on the basis of law, which is proportionate to the objective in accordance with
respect for the essence of the right to personal data protection and security
appropriate and concrete measures for protection of the fundamental rights and interests of the subject of
personal data.
(3) The personal data referred to in paragraph (1) of this Article may be processed
for the purposes stated in paragraph (2) item 8) of this Article, when these data are
processed by, or under the responsibility of, a professional subject to an obligation
for keeping a business secret in accordance with the law or the rules established by the authorities
bodies in the Republic of Northern Macedonia or by another person who is also subject to
obligation to keep a business secret in accordance with the law or the rules established by
competent bodies in the Republic of Northern Macedonia.
Processing of personal data related to convictions for criminal offenses
Article 14
Processing of personal data related to convictions for crimes or what is
related to protective measures based on Article 10 paragraph (1) of this Law, is performed only
under the control of a competent authority of the state government or when the processing is allowed with
a law that sets out appropriate protection measures in accordance with rights and freedoms
of personal data subjects. Any comprehensive register of criminal convictions
is conducted under the control of a competent body of the state government, in accordance with the law.
Processing for which no identification is required
Article 15
(1) If the purposes for which the controller processes personal data do not require either
the need for further identification of the personal data subject from
by the controller, the controller is not obliged to maintain, acquire or process
additional information to identify the personal data subject only
for the purpose of harmonization with this law.
(2) In the cases referred to in paragraph (1) of this Article, when the controller is not able
to identify the personal data subject, to inform the subject accordingly,
if possible. In such cases, Articles 19 to 24 of this Law shall not apply,
except when the personal data subject, in order to exercise his right to these
members, provides additional information, enabling its identification.

9 of 70

Page 10
Official Gazette of RSM, no. 42 of 16.2.2020

III. RIGHTS OF THE PERSONAL SUBJECT
DATA
1. Transparency
Transparent information, communication and ways of exercising the rights of
the subject of personal data
Article 16
(1) The controller is obliged to take appropriate measures for securing all
information referred to in Articles 17 and 18 of this Law and any communication on
on the basis of Articles 19 to 26, as well as Article 38 of this Law, related to the processing
which refers to the subject of personal data as concise, transparent, comprehensible
way and in easily accessible form, using clear simple language, especially for
information specifically intended for the child. The information should be given in
in writing or by other means, including where applicable electronically
way. At the request of the personal data subject, the information may be provided orally,
provided that the identity of the personal data subject is proven by other means.
(2) The controller is obliged to facilitate the realization of the rights of the subject of
personal data based on Articles 19 to 26 of this Law. In cases that are
referring to Article 15 paragraph (2) of this Law, the controller shall not refuse to act on
request of the personal data subject for exercising his rights on the basis of
Articles 19 to 26 of this Law, unless the controller proves that he is unable
to identify the subject of personal data.
(3) The controller for the request of the personal data subject is obliged to submit
information on the undertaken activities based on Articles 19 to 26 of this Law
to the personal data subject without undue delay and in any case in a period
from one month from the day of receipt of the request. If necessary this deadline can
be extended for another two months taking into account the complexity and number of requests.
The controller shall inform the personal data subject of any extension in
within one month from the date of receipt of the request, together with the reason for
the delay. When the personal data subject submits a request in electronic
form, the information is provided using electronic means where possible,
unless the personal data subject requests otherwise.
(4) If the controller does not undertake activities upon the request of the personal entity
data, the controller informs the personal data subject without delay and
no later than one month from the date of receipt of the request, for the reasons of
non-undertaken activities and the possibility of submitting a request to the Agency, as well as
for the possibility of using judicial protection in accordance with the law.
(5) The information provided on the basis of Articles 17 and 18 of this Law and each
communication and all activities undertaken on the basis of Articles 19 to 26 as well
Article 38 of this Law are provided free of charge. In the event that the requirements of
the subject of personal data are obviously unfounded or excessive, especially in
in relation to their repetitive nature, the controller may:
- charge a fee taking into account the volume, complexity and time required for
providing information or communication or acting on the request or
- refuses to act upon the request.
Proof of the unfoundedness or excessive nature of the request falls on the burden
of the controller.

10 of 70

Page 11
Official Gazette of RSM, no. 42 of 16.2.2020

(6) As an exception to Article 15 of this Law, where the controller has established
suspicion regarding the identity of the natural person submitting the request according to
Articles 19 to 25 of this Law, the controller may request the submission of
additional information needed to establish the identity of the subject of
personal data.
(7) The information submitted to the personal data subjects in accordance
with Articles 17 and 18 of this Law may be provided in combination with
standardized icons in order to give them an easily visible, understandable and clearly legible way
to provide a clear overview of the purpose of the processing. If the standardized icons are
presented in electronic form they should be machine readable.
(8) The manner of determining the information to be presented in
form of standardized icons, as well as procedures for securing
standardized icons are prescribed by the Director of the Agency.
2. Information and access to personal data
Information that is submitted when collecting personal data from the entity
of personal data
Article 17
(1) When the personal data are collected from the personal data subject, the controller
at the moment of collecting the personal data, to the personal data subject
provides the following information:
1) the identity and contact data of the controller and data on his authorized
representative in the Republic of Northern Macedonia;
2) contact details for the personal data protection officer;
3) the purposes of the processing for which the personal data are intended, as well as the legal one
basis for processing;
4) the legitimate interests pursued by the controller or a third party, when
the processing is performed on the basis of Article 10 paragraph (1) line 6 of this Law;
5) users or categories of users of personal data, if any;
6) where applicable, the fact that the controller intends to transfer personal
data in a third country or international organization, as well as in case of transfer of
personal data in accordance with Article 50 or Article 51 or Article 53 paragraph (1) second subparagraph
of this Law, reference to the appropriate or accepted protective measures and the manner of
obtaining a copy of them or information where available.
(2) In addition to the information referred to in paragraph (1) of this Article, the controller at the moment of
the collection of personal data gives the following to the personal data subject
additional information necessary to ensure fair and
transparent processing:
1) the time period for which the personal data will be stored, and if that is impossible,
the criteria used to determine that period;
2) the existence of the right to request access, correction or
deletion of personal data or restriction of the processing of personal data which
refer to the personal data subject, or the right to object to the processing,
as well as the right to data portability;
3) the existence of the right to withdraw the consent at any time, without being
affects the legality of the processing which was based on the consent before it yes
be withdrawn, when the processing is performed on the basis of Article 10 paragraph (1) line 1 of
this Law or on the basis of Article 13 paragraph (2) item 1) of this Law;

11 of 70

Page 12
Official Gazette of RSM, no. 42 of 16.2.2020

4) the right to submit a request to the Agency in accordance with this Law;
5) information whether the provision of personal data is a legal or contractual obligation
or the condition required for concluding a contract, as well as whether the subject of the personal
data has an obligation to provide personal data and possible consequences if these
data not to be provided;
6) the existence of an automated decision-making process, including
profiling as stated in Article 26 paragraphs (1) and (4) of this Law and
at least in those cases where significant logically related information is included
processing processes, as well as the significance and predicted consequences of such processing
for the personal data subject.
(3) When the controller intends to further process personal data for a purpose

different from that for which personal data is collected, the controller before further
processing, provides the data subject with information about the other purpose and
all other necessary information, as stated in paragraph (2) of this Article.
(4) Paragraphs (1), (2) and (3) of this Article shall not apply only if and to the extent
when the personal data subject already has the information.
Information that is provided when personal information is not obtained from
the subject of personal data
Article 18
(1) When the personal data are not obtained from the personal data subject,
the controller of the personal data subject provides the following information:
1) the identity and contact data of the controller and data on his authorized
representative in the Republic of Northern Macedonia;
2) contact details for the personal data protection officer;
3) the purposes of the processing for which the personal data are intended, as well as the legal one
basis for processing;
4) the categories of personal data that are processed;
5) users or categories of users of personal data, if any;
6) where applicable, the controller's intention to transfer personal data to a third party
country or international organization, as well as in the case of the transfer of personal data
in accordance with Article 50 or Article 51 or Article 53 paragraph (1) second subparagraph of this Law,
reference to the appropriate or accepted safeguards and how to obtain
a copy of them or information where they are available.
(2) In addition to the information referred to in paragraph (1) of this Article, the controller of the subject of
personal data provides the following additional information that is necessary for
ensuring fair and transparent processing of his personal data, as follows:
1) the time period for which the personal data will be stored, and if that is not possible,
the criteria used to determine that period;
2) the legitimate interests pursued by the controller or a third party, when
the processing is performed on the basis of Article 10 paragraph (1) line 6 of this Law;
3) the existence of the right to request access, correction or
deletion of personal data or restriction of the processing of personal data which
refer to the personal data subject, or the right to object to the processing,
as well as the right to data portability;
4) the existence of the right to withdraw the consent at any time, without being
affects the legality of the processing which was based on the consent before it yes
be withdrawn, when the processing is performed on the basis of Article 10 paragraph (1) line 1 of
this Law or on the basis of Article 13 paragraph (2) item 1) of this Law;

12 of 70

Page 13
Official Gazette of RSM, no. 42 of 16.2.2020

5) the right to submit a request to the Agency in accordance with this Law;
6) the source of the personal data and if applicable, whether the data are public
available sources;
7) the existence of an automated decision-making process, including
profiling as stated in Article 26 paragraphs (1) and (4) of this Law and
at least in those cases where significant information about the logic of
processing, as well as the significance and intended consequences of such processing for
the subject of personal data.
(3) The controller shall provide the information referred to in paragraphs (1) and (2) of this
member:
1) within a reasonable time after receiving the personal data, but at the latest within one
month, taking into account the special circumstances under which the personal data are
process;
2) if the personal data are used for communication with the personal entity
data, at the latest upon making the first contact with the personal data subject
or
3) if the detection of another recipient is foreseen, no later than the moment when the personal
data is discovered for the first time.
(4) When the controller intends to further process personal data for the purpose
different from that for which personal data is collected, the controller before further
processing, provides the data subject with information about the other purpose and
all other necessary information as stated in paragraph (2) of this Article.
(5) Paragraphs (1) to (4) of this Article shall not apply if and to the extent that:
1) the personal data subject already has the information;
2) the provision of such information is impossible or requires disproportionately large
efforts, in particular to process data for the purposes of public interest archiving, for
scientific or historical research or for statistical purposes, which are subject to conditions and
protective measures in accordance with Article 86 paragraph (1) of this Law or if any
probability that the obligation referred to in paragraph (1) of this Article will make it impossible
or it will seriously complicate the achievement of the objectives of that processing. In these cases,
the controller shall take appropriate measures to protect the rights, freedoms and legitimate
interests of the personal data subject, including the provision of public access
to the information;
3) the receipt or disclosure is clearly permitted by the law in which they are provided
appropriate measures to protect the legitimate interests of the personal data subject
or
4) personal data must remain confidential in accordance with the obligation for business
secret, regulated by law, including a legal obligation of confidentiality.
Right of access of the personal data subject
Article 19
(1) The personal data subject has the right to receive a confirmation from the controller whether they are
process his personal data or personal data about him and if they are
process, gain access to personal data and the following information:
1) the goals of the processing;
2) the categories of personal data that are processed;

13 of 70

Page 14
Official Gazette of RSM, no. 42 of 16.2.2020

3) the users or categories of users to which they have been or will be identified
disclosed personal data, especially users in third countries or internationally
organizations;
4) the envisaged deadline for which the personal data will be stored, and if that is not possible,
the criteria used to determine that period;
5) the existence of the right to request by the controller correction or deletion of
personal data or restriction on the processing of personal data related to
the subject of personal data, or the right to object to such processing;
6) the right to submit a request to the Agency in accordance with Article 97 of this
law;
7) when personal data are not collected by the personal data subject, all
available information about their source;
8) the existence of an automated decision-making process, including
profiling as stated in accordance with Article 26 paragraphs (1) and (4) of this Law
and at least in those cases where significant information on the logic of
processing, as well as the significance and anticipated consequences of such processing for
the subject of personal data.
(2) When personal data are transferred to a third country or international organization,
the personal data subject has the right to be informed about the relevant protection
measures related to the transfer in accordance with Article 50 of this Law.
(3) The controller is obliged to provide a copy of the personal data that are
process. For all additional copies requested by the personal data subject,
the controller decides whether to charge a fee. If the controller charges
fee, the amount of the same depends on the volume, complexity and time required for
providing copies. If the personal data subject submits a request for
electronically, the information will be provided to the personal data subject
in the usual way used in the case of electronic form, unless the subject of
personal data requested otherwise.
(4) The right to obtain a copy of paragraph (3) of this Article must not be adversely affected
on the rights and freedoms of other natural persons.
3. Correction and deletion
Right to correction
Article 20
The personal data subject has the right to request and receive from the controller within the deadline
from 15 days from the date of submission of the request, correction of his incorrect personal
data. Taking into account the purposes of processing, the personal data subject has
the right to supplement incomplete personal data by giving an additional statement.
Right to be deleted ("right to be forgotten")
Article 21
(1) The personal data subject has the right to ask the controller to delete them
his personal data and the controller has the obligation to delete the personal ones
data within 30 days from the date of submission of the request for deletion, if any
one of the following conditions is met:

14 of 70

Page 15
Official Gazette of RSM, no. 42 of 16.2.2020

1) personal data are no longer needed for the purposes for which they were collected or
processed in another way;
2) the personal data subject withdraws his / her consent on which it is based
data processing in accordance with Articles 10 paragraph (1) item 1) and 13 paragraph (2) of this
law and if there is no other legal basis for processing;
3) the personal data subject has submitted an objection to the processing in accordance with the article
25 paragraph (1) of this Law, where there are no prevailing legitimate goals for
processing, or the personal data subject filed an objection to the processing
in accordance with Article 25 paragraph (2) of this Law;
4) personal data were illegally processed;
5) personal data should be deleted in order to comply with an established obligation
by law concerning the controller;
6) personal data were collected in connection with the offer of IT services
society, in accordance with Article 12 paragraph (1) of this Law.
(2) When the controller has made public the personal data and is obliged in accordance with
paragraph (1) of this Article to delete personal data, then the controller takes over
actions, including technical measures to notify other controllers that
process personal data that the personal data subject has requested the deletion of
any links or copies or reproductions of personal data by them
controllers, taking into account available technology and implementation costs.
(3) Paragraphs (1) and (2) of this Article shall not apply to the extent that the processing
is necessary:
a) for the exercise of the right to freedom of expression and information;
b) for compliance with a legal obligation that requires processing according to the law that are
applied in relation to the controller, or for the performance of works of public interest or
when performing a public authorization determined by law assigned to the controller;
c) for reasons of public interest in the field of public health in accordance with Article 13
paragraph (2) items 8) and 9) and paragraph (3) of this Law;
d) for the purposes of archiving in the public interest, for scientific or historical purposes
surveys or for statistical purposes, in accordance with Article 86 paragraph (1) of this Law,
if there is a probability that the right determined in paragraph (1) of this Article will be exercised
impossible or seriously complicate the achievement of the objectives of that processing or
e) for the establishment, realization or defense of claims based on law.
Right to restrict processing
Article 22
(1) The personal data subject has the right to request a restriction on the processing
from the controller, if one of the following conditions is met:
a) the accuracy of the personal data is disputed by the personal data subject, for
period that allows the controller to check the accuracy of personal data;
b) the processing is illegal and the personal data subject objects to
deletion of personal data, which instead requires restriction of theirs
use;
c) for processing purposes, the controller no longer needs personal data, but
the subject of personal data requests them for the establishment, realization or defense of
its legal requirements;
d) the personal data subject opposes the processing in accordance with the article
25 paragraph (1) of this Law pending verification whether the legitimate interests of
the controller prevails over the interests of the personal data subject.

15 of 70

Page 16
Official Gazette of RSM, no. 42 of 16.2.2020

(2) When the processing is limited according to paragraph (1) of this Article, such personal
data may be processed only with the consent of the personal data subject
with the exception of their custody, or for the establishment, realization or defense of
its legal requirements or for the protection of the rights of another natural or legal person or
for important reasons of public interest.
(3) When the personal data subject has exercised the right to restrict
the processing in accordance with paragraph (1) of this Article, then the controller informs him before
stop processing restrictions.
Obligation to report when correcting or deleting personal data or
processing restriction
Article 23
The controller is obliged to report any corrections or deletions to the personal ones
data or processing restrictions performed in accordance with Articles 20, 21 paragraph (1)
and 22 of this law, for each user to whom personal data were disclosed, unless
it is impossible or requires disproportionately large efforts. If the subject of personal
data requested, then the controller informs the personal data subject about them
users.
Right to data portability
Article 24
(1) The personal data subject has the right to obtain his personal data, a
which he has given to the controller in a structured, commonly used, machine
readable format in which it has the right to transfer that data to another controller without
obstruction by the controller to whom the personal data is given, if:
a) the processing is based on consent according to Article 10 paragraph (1) line 1
or Article 13 paragraph (2) item 1) of this Law, or on the basis of a contractual obligation according to
Article 10 paragraph (1) line 2 of this Law and
b) the processing is done in an automated way.
(2) When exercising the right to portability of the data referred to in paragraph (1) of this Article
member, the personal data subject has the right to receive a direct transfer of personal data
data from one controller to another, if technically possible.
(3) The realization of the right referred to in paragraph (1) of this Article does not exclude the realization
of the right determined in Article 21 of this Law. The right from paragraph (1) of this article are not
refers to the processing required to perform works of public interest or at
performing the official authority assigned to the controller.
(4) The right to transferability of the data referred to in paragraph (1) of this Article may not
to adversely affect the rights and freedoms of other individuals.
4. Right to object and automated decision making
Right to object
Article 25
(1) The personal data subject based on a specific situation related to him
has the right to file a complaint to the controller at any time, against the processing of
his personal data, based on Article 10 paragraph (1) lines 5 or 6 of this Law,

16 of 70

Page 17
Official Gazette of RSM, no. 42 of 16.2.2020

including profiling based on these provisions. The controller can no longer
processes personal data, unless it proves that there are relevant
legitimate processing interests, which prevail over interests, rights and freedoms
of the personal data subject, or for the establishment, realization or defense of
its legal requirements.
(2) If the personal data are processed for direct marketing purposes,
the personal data subject has the right to file a complaint at any time
processing of his personal data related to this type of marketing, which includes
and profiling to the extent that it is related to direct marketing.
(3) When the personal data subject objects to the processing of his / her personal data
data for direct marketing purposes, the controller stops further processing
of personal data for those purposes.
(4) At the latest until the moment of the first communication with the personal data subject,
the subject of personal data must be explicitly notified of his right established
in paragraphs (1) and (2) of this Article, where the notification must be made clear
way and separately from any other information.
(5) In the context of using the services of the information society and independently
from the regulations on electronic communications, the personal data subject may
uses the right to object through automatic means using technical
specifications.
(6) When personal data are processed for scientific or historical purposes
surveys or for statistical purposes in accordance with Article 86 paragraph (1) of this Law,
the subject of personal data is entitled, based on the specific situation related
to file a complaint with him against the processing of his personal data, unless
processing is necessary for the realization of works of public interest.
Automatic individual decision making, including profiling
Article 26
(1) The personal data subject has the right not to be subject to a decision based on
only on automated processing, including profiling what
causes legal consequences for him or in a similar way significantly affects him.
(2) Paragraph (1) of this Article shall not apply if the decision:
a) is required for concluding or executing an agreement between the personal entity
data and controller;
b) is permitted by law applicable to the controller, and in which also
appropriate measures are provided to protect the rights and freedoms and the legitimate ones
interests of the personal data subject or
c) is based on the explicit consent of the personal data subject.
(3) In the cases referred to in paragraph (2) items (a) and (c) of this Article, the controller is
obliged to apply appropriate measures for protection of rights and freedoms, as well as on
the legitimate interests of the personal data subject, and at least the right to
providing human intervention by the controller, the right to express
personal position and the right to challenge such a decision.
(4) The decisions referred to in paragraph (2) of this Article may not be based on special categories
of personal data, unless Article 13 paragraph (2) item 1) or 7) of this Article applies
law, whereby appropriate measures for protection of rights and freedoms are established and
the legitimate interests of the personal data subject.

17 of 70

Page 18
Official Gazette of RSM, no. 42 of 16.2.2020

5. Restrictions
Limits
Article 27
(1) The law applicable to the controller or processor may:
limit the scope of obligations and rights set forth in Articles 16 to 26 of this Law
and Article 38 of this Law, as well as in Article 9 of this Law, if those provisions are in
in accordance with the rights and obligations determined in Articles 16 to 26 of this Law and when
such restriction is in accordance with the essence of fundamental rights and freedoms and
is a necessary and proportionate measure in order to ensure:
1) national security;
2) the defense;
3) public safety;
4) prevention, investigation, detection or prosecution of perpetrators of crimes or
execution of the imposed punitive sanctions, including prevention and prevention of
threats to public safety;
5) other important goals of general public interest for the Republic of Northern Macedonia, a
particularly important economic or financial interest of the Republic of Northern Macedonia,
including monetary, budgetary and tax issues, public health and social protection;
6) protection of the independence of the courts and court proceedings;
7) prevention, investigation, detection and prosecution of violations of ethical rules for
regulated professions;
8) monitoring, inspection or regulatory functions which are at least occasional
related to the fulfillment of the competencies of the state authorities in the cases
referred to in items 1) to 5) and item 7) of this paragraph;
9) protection of the personal data subject or of the rights and freedoms of others
natural persons;
10) implementation of the requirements in civil proceedings.
(2) Each legal measure referred to in paragraph (1) of this Article, in particular, shall contain special provisions,
if necessary at least for:
1) the objectives of the processing or the categories of processing;
2) categories of personal data;
3) the scope of the introduced restrictions;
4) protective measures to prevent abuse or illegal access or
transmission;
5) the specification of the controller or the categories of controllers;
6) shelf life and applicable protection measures, taking into account the nature;
the scope and objectives of the processing or the categories of processing;
7) the risks for the rights and freedoms of the personal data subjects and
8) the right of the personal data subjects to be informed about
the restriction, unless it would be contrary to the purpose of
the constraint.

18 of 70

Page 19
Official Gazette of RSM, no. 42 of 16.2.2020

IV. CONTROLLER AND PROCESSOR
1. General obligations
Responsibility of the controller
Article 28
(1) Taking into account the nature, scope, context and objectives of the processing, as well as
risks of varying probability and severity to the rights and freedoms of the physical
persons, the controller is obliged to apply appropriate technical and organizational measures to
provide and be able to prove that the processing is performed in accordance with this law.
Technical and organizational measures are reviewed and updated as needed.
(2) If it is proportional to the processing activities, then the measures referred to in paragraph (1) of
this article also includes the application of appropriate policies for the protection of personal data
by the controller.
(3) The observance of the approved codes of conduct, referred to in Article 44 of this Article
law or the approved certification mechanisms referred to in Article 46 of this
law, can be used as an element to prove compliance with the obligations of
side of the controller.
Technical and integrated personal protection
data
(Data protection by design and by default)
Article 29
(1) According to the latest technological advances, implementation costs,
the nature, scope, context and objectives of the processing, as well as the risks with different
probability and seriousness of the rights and freedoms of natural persons arising from
processing, the controller at the time of defining the means of processing, as well as
at the time of processing, is obliged to apply appropriate technical and
organizational measures such as pseudonymization, which are designed to be effective
implementation of the principles of personal data protection, such as the reduction of
minimum data volume and inclusion of necessary protection measures in the process
of processing, in order to meet the requirements of this law and to ensure the protection of
the rights of personal data subjects.
(2) The controller is obliged to apply appropriate technical and organizational measures in order to
ensure that only those necessary personal data are processed in an integrated manner
for each specific purpose of processing. This obligation refers to the amount of
collected personal data, the scope of their processing, the shelf life and their
availability. Such measures in particular should ensure that personal data without
consent of the personal data subject are not automatically available for unlimited
number of natural persons.
(3) The approved certification mechanism in accordance with Article 46 of this Law may
be used as an element to demonstrate compliance with the requirements set out in
paragraphs (1) and (2) of this Article.

19 of 70

Page 20
Official Gazette of RSM, no. 42 of 16.2.2020

Common controllers
Article 30
(1) If two or more controllers jointly determine the purposes and methods of processing,
then they are joint controllers. The common controllers are transparent
obliged to determine their proper responsibility for fulfilling the obligations of
this law, especially regarding the realization of the rights of the personal entity
data and their obligations to provide the information referred to in Articles 17
and 18 of this law, by their mutual agreement, except in cases when the responsibilities of
the controllers are determined by the law that applies to those controllers. In the contract
a person who will be the contact point with the personal data subjects can also be identified.
(2) The agreement referred to in paragraph (1) of this Article should consistently reflect the individual
roles and relations of the joint controllers in relation to the personal data subjects.
The basic characteristics of the contract should be available to the personal entity
data.
(3) Regardless of the conditions of the contract referred to in paragraph (1) of this Article, the subject of the personal
data may exercise its rights in accordance with this law in relation to each of
controllers and against each of them.
Representatives of controllers or processors not established in the Republic
Northern Macedonia
Article 31
(1) When applying Article 3 paragraph (2) of this Law, the controller or processor is
obliged to appoint an authorized representative in the Republic of Northern Macedonia in writing
form.
(2) The obligation determined in paragraph (1) of this Article does not refer to:
(a) processing that is intermittent and does not involve much processing of special
categories of personal data, or processing of personal data related to criminal
convictions and criminal offenses under Article 14 of this Law for which there is no probability that
cause a risk to the rights and freedoms of individuals, taking into account
the nature, context, scope and objectives of the processing or
(b) state authorities or another body.
(3) The subjects of personal data and the Agency may in addition to or instead of
the controller or processor, to contact the authorized representative for all
issues related to the processing of personal data, and for the purposes of compliance with
this law.
(4) The appointment of the authorized representative by the controller or
the processor should not influence the legal actions that could be
initiated against the controller or processor itself.
Processor
Article 32
(1) If the processing is performed on behalf of the controller, then the controller uses only
processors that provide a sufficient guarantee for the application of appropriate technical and
organizational measures in such a way that the processing will take place in accordance with
requirements of this law and will provide protection of the rights of the subject to personal
data.

20 of 70

Page 21
Official Gazette of RSM, no. 42 of 16.2.2020

(2) The processor may not hire another processor without prior special or
general written authorization by the controller. In the case of generally
written authorization by the controller, the processor informs him
the controller for any planned changes to hire or replace others
processors, enabling the controller to counter those changes.
(3) The processing by the processor is regulated by a contract or another legal one
act in accordance with the law, which is binding on the processor in relation to
the controller, and which regulates the subject and duration of the processing, the nature and
the purpose of the processing, the type of personal data and the categories of personal entities
data, as well as the obligations and rights of the controller. In this agreement or other legal
act regulates in particular that the processor:
(a) process personal data only in accordance with documented instructions from
controller, including the transfer of personal data to a third country or international
organization, except when required to do so as required by law
applied in relation to the processor, in which case the processor informs him
the controller for that legal requirement before processing, unless that law prohibits such
informing for important reasons of public interest;
(b) ensure that the persons authorized to process personal data are obliged to
respect confidentiality or are subject to a legal obligation to comply with
confidentiality;
(c) take all necessary measures in accordance with Article 36 of this Law;
(d) comply with the conditions referred to in paragraphs (2) and (4) of this Article for the engagement of
another processor;
(e) taking into account the nature of the processing, assist the controller, through
application of appropriate technical and organizational measures, as far as possible
fulfill the obligations of the controller to respond to the requests for exercising the rights of
the subject of the personal data determined in Chapter III of this Law;
(f) assist the controller in ensuring compliance with the obligations under
Articles 36 to 40 of this Law, taking into account the nature of the processing and
the information available to the processor;
(g) at the discretion of the controller, delete or return all personal data to
the controller after the completion of the services related to the processing of personal data
and deletes existing copies, unless there is a legal obligation to keep personal copies
data;
(h) provide the controller with access to all information necessary for
proving the fulfillment of the obligations determined in this article, as well as enables and
contributes to the performance of audits, including inspections by the controller
or another auditor authorized by the controller.
With respect to point (h) of this paragraph, the processor shall immediately notify the controller,
if in his opinion certain instructions given by the controller him
violate this law or other regulations relating to the protection of personal property
data.
(4) If the processor hires another processor to perform specific
processing activities on behalf of the controller, then the same obligations to protect
personal data such as the obligations provided in the contract or other legal act
between the controller and the processor referred to in paragraph (3) of this Article, shall be imposed on
the other processor through a contract or other legal act in accordance with the law, and in particular
obligation to provide a sufficient guarantee for the application of appropriate technical and

21 of 70

Page 22
Official Gazette of RSM, no. 42 of 16.2.2020

organizational measures, in order for the processing to meet the requirements of this law. If
the hired processor does not fulfill his obligation for personal protection
data, the initial processor remains fully responsible to the controller for
fulfillment of the obligations of the hired processor.
(5) Compliance by the processor with the approved codes of conduct,
referred to in Article 44 of this Law or the approved certification mechanisms
referred to in Article 46 of this Law, may be used as an element to prove
the fulfillment of the obligations from paragraphs (1) and (4) of this article.
(6) The agreement or other legal act referred to in paragraphs (3) and (4) of this Article may
to be based in whole or in part on standard contractual clauses referred to in paragraph (7) of
this Article, including when part of a certification granted to the controller or
the processor in accordance with Articles 46 and 47 of this Law, without bringing it
in question the individual agreement between the controller and the processor.
(7) The Agency may establish standard contractual clauses for the issues listed
in paragraphs (3) and (4) of this Article.
(8) The agreement or other legal act referred to in paragraphs (3) and (4) of this Article should be
in written form, ie in electronic form, in accordance with law.
(9) If the processor violates it by determining the goals and the manner of processing
this law, then the processor is considered a controller in relation to that processing, thereby
without prejudice to Article 101 and the provisions of Chapter IX of this Law.
Authorized processing by the controller or processor
Article 33
The processor and any person acting under the authority of the controller
or the processor, who has access to personal data, should not process it
that data unless instructed by the controller, unless processing is required
by this or another law.
Records of processing activities
Article 34
(1) Each controller and his authorized representative shall keep records of the operations
for processing, for which he is responsible. This record especially contains the following
information:
(a) the name, ie the name and surname and contact details of the controller and all
joint controllers, the authorized representative of the controller and the officer for
personal data protection;
(b) the purposes of the processing;
(c) a description of the categories of personal data subjects and of the categories of personal data
data;
(d) the categories of users to whom personal information has been or will be disclosed
data, including users in third countries or international organizations;
(e) the transfer of personal data to a third country or international organization;
including the identification of that third country or international organization, and in the case
of transfer of personal data, from Article 53 paragraph (1) second subparagraph of this Law,
documentation for appropriate protective measures;
(f) the deadlines for deleting the various categories of personal data;
(g) a general description of the technical and organizational security measures referred to in Article 36.
(1) of this Law.

22 of 70

Page 23
Official Gazette of RSM, no. 42 of 16.2.2020

(2) Each processor and his authorized representative shall keep records of all
categories of processing operations performed on behalf of the controller, in which are
contained:
(a) the name, ie the name and surname and contact details of the processor; or
processors and to each controller on whose behalf the processor acts, to the authorized
representatives of the controller or processor and the personal protection officer
data;
(b) the processing categories performed on behalf of each controller;
(c) the transfer of personal data to a third country or international organization;
including the identification of that third country or international organization, and in the case
of transfer of personal data, from Article 53 paragraph (1) second subparagraph of this Law,
documentation for appropriate protective measures;
(d) a general description of the technical and organizational security measures referred to in Article 36.
(1) of this Law.
(3) The records referred to in paragraphs (1) and (2) of this Article shall be kept in writing,
ie in electronic form, in accordance with the law.
(4) The controller or processor and, where applicable, their authorized
representatives, at the request of the Agency and provide access to records from
paragraphs (1) and (2) of this Article.
(5) The obligations referred to in paragraphs (1) and (2) of this Article shall not apply to trade
a company or organization with less than 50 employees, unless likely
the processing they perform poses a risk to the rights and freedoms of the subjects
of personal data, if the processing is not occasional or the processing includes special
categories of personal data or personal data related to criminal convictions and penalties
acts referred to in Article 14 of this Law.
Cooperation with the Agency
Article 35
The controller and the processor and their authorized representatives are obliged upon request
of the Agency to cooperate with it, in fulfilling its tasks.
2. Security of personal data
Processing safety

Article 36
(1) According to the latest technological advances, implementation costs and
the nature, scope, context and objectives of the processing, as well as the risks with different
degree of probability and seriousness of the rights and freedoms of natural persons,
the controller and the processor are obliged to apply appropriate technical and
organizational measures to ensure a level of security appropriate to the risk,
including, as appropriate:
(a) pseudonymization and encryption of personal data;
(b) ability to ensure continued confidentiality, integrity, availability
and resistance to processing systems and services;
(c) the ability to timely, re-establish access to personal information
data and access to them in the event of a physical or technical incident;

23 of 70

Page 24
Official Gazette of RSM, no. 42 of 16.2.2020

(d) a process of regular testing, evaluation and evaluation of the effectiveness of
technical and organizational measures in order to guarantee the safety of processing.
(2) In assessing the appropriate level of safety, special consideration shall be given
processing-related risks, in particular from accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of personal data or
unauthorized access to transferred, stored or otherwise processed personal
data.
(3) The observance of the approved codes of conduct, referred to in Article 44 of this Article
law or the approved certification mechanisms referred to in Article 46 of this
law, can be used as an element to prove compliance with the requirements
determined in paragraph (1) of this Article.
(4) The controller and the processor shall take measures to ensure that each physical
a person acting under the authority of the controller or processor, who has
access to personal data, will not process this data if it is not provided to him
instructions from the controller, unless obliged to process them by law.
(5) The controller and the processor are obliged to demonstrate the application of the measures
according to the requirements set out in paragraph (1) of this Article.
Reporting to the Agency for Violation of
security of personal data
Article 37
(1) In case of violation of the security of personal data, the controller
immediately and not later than 72 hours after learning about it, he is obliged to inform the Agency
for breach of personal data security, unless there is a likelihood
breach of personal data security to create a risk to the rights and
freedoms of individuals. When the notification to the Agency is not submitted within
72 hours, along with the notification, an explanation of the reasons for
the delay.
(2) The processor is obliged to inform the controller immediately, after finding out about
breach of personal data security.
(3) The notification referred to in paragraph (1) of this Article must contain at least the following:
(a) a description of the nature of the breach of personal data security;
including the categories and approximate number of personal data subjects,
as well as the categories and approximate number of affected recorded personal data;
(b) the name, surname and contact details of the protection officer
personal data or to another contact person, from whom more can be obtained
information;
(c) a description of the possible consequences of the breach of personal data security;
(d) a description of the measures taken or proposed by the controller for
dealing with breaches of personal data security, including appropriate
measures to reduce possible adverse effects.
(4) The information may be provided gradually without further unnecessary
delay, only if it was not possible to submit all or part of the information
at the same time.
(5) The controller shall document all violations of personal data security,
including facts related to breaches of personal data security,
their consequences and the actions taken to deal with the disorder, and in order to
and enable the Agency to verify compliance with this Article.

24 of 70

Page 25
Official Gazette of RSM, no. 42 of 16.2.2020

Reporting to the subject of personal data for breach of security of
personal data
Article 38
(1) In case of violation of the security of personal data, for which it exists
likely to pose a high risk to the rights and freedoms of individuals,
the controller, immediately informs the personal data subject about the violation of
security of personal data.
(2) In the notification to the subject of the personal data referred to in paragraph (1) of this Article, on
clear and simple language describes the nature of the security breach
personal data and state at least the information and measures listed in the article
37 paragraph (3) items (b), (c) and (d) of this Law.
(3) The notification to the personal data subject from paragraph (1) of this article is not
mandatory, if one of the following conditions is met:
(a) the controller has applied appropriate technical and organizational protection measures
measures were applied to the personal data affected by the breach of
security of personal data, especially measures that make personal data
incomprehensible to any person who has no authority to access them, such as
encryption;
(b) the controller has applied additional measures to ensure that it no longer exists
probability of occurrence of high risk for the rights and freedoms of personal entities
data from paragraph (1) of this article;
(c) if the reporting requires a disproportionate effort. In such a case, it is done publicly
reporting or other similar measure applied by personal data subjects
will be equally informed in an efficient manner.
(4) If the controller did not inform the personal data subject about the violation of
security of personal data, the Agency after concluding the probability that
breach of personal data security poses a high risk, may
ask the controller to report the violation or decide that someone has been met
from the conditions from paragraph (3) of this article.
3. Assessment of the impact of personal data protection and preliminary
consultation
Assessment of the impact of personal data protection
Article 39
(1) When using new technologies for some type of processing, according to
the nature, scope, context and purpose of the processing, it is likely to
cause a high risk to the rights and freedoms of individuals before it is committed
processing, the controller is obliged to assess the impact of the envisaged
processing operations in relation to personal data protection. An estimate
may refer to a series of similar processing operations, which are similar
high risks.
(2) When performing the impact assessment on the protection of personal data,
the controller is obliged to seek advice from the authorized person for personal protection
data, if specified.
(3) The assessment of the impact on the protection of personal data referred to in paragraph (1) of this Article
Article, is required especially in the case of:

25 of 70

Page 26
Official Gazette of RSM, no. 42 of 16.2.2020

(a) a systematic and comprehensive assessment of personal aspects related to the physical
persons, which is based on automatic processing, including profiling, and based
on which decisions are made that produce legal effect in relation to the physical
person or significantly affect the natural person;
(b) extensive processing of specific categories of personal or personal data
data related to criminal convictions and criminal offenses referred to in Article 14 of this Law; or
(c) systematic monitoring of large public spaces.
(4) The Agency shall establish and publicly publish a list of the types of processing operations,
for which an assessment of the impact on personal data protection is required in accordance with
paragraph (1) of this article.
(5) The Agency may establish and publicly publish a list of the types of operations of
processing, for which no impact assessment on personal data protection is required.
(6) The assessment referred to in paragraph (1) of this Article should contain at least:
a) systematic description of the operations for the planned processing and the purposes of the processing,
including, where applicable, the legitimate interests of the controller;
b) assessment of the necessity and proportionality of the processing operations in
relation to goals;
c) assessment of the risks to the rights and freedoms of the subjects of personal data from
paragraph (1) of this Article; and
d) measures provided for risk management, including safeguards, measures of
security and mechanisms to ensure the protection of personal data and to
demonstrates compliance with this law, taking into account the rights and legitimacy
interests of personal data subjects and other stakeholders.
(7) Compliance with the approved codes of conduct referred to in Article 44 of this Article
law by controllers or processors will be taken into account in
assessment of the impact of processing operations by those controllers or
processors, in particular for the purposes of assessing the impact of personal protection
data.
(8) The controller requests an opinion from the personal data subjects or theirs
representatives for the planned processing, without affecting the protection of commercial
or the public interest or the safety of processing operations.
(9) The controller performed a review to assess whether the processing is performed in
in accordance with the assessment of the impact of personal data protection at least in
cases where there is a change in risk caused by the operations of that processing.
Prior consultation
Article 40
(1) The controller is obliged to consult with the Agency before the processing, if
the assessment of the impact on the protection of personal data referred to in Article 39 of this Law
show that if the controller does not take risk mitigation measures, then
processing will cause high risk.
(2) When the Agency considers that the planned processing referred to in paragraph (1) of this
Article violates this law, especially when the controller has not identified either
reduced the risk sufficiently, then the Agency within a period not exceeding 60 days from the day
upon receipt of the request for consultation, give a written opinion to
the controller or when applicable to the processor, where it can use and which
any of its powers under Article 66 of this Law. This period may be extended
for an additional 40 days, given the complexity of the planned processing.

26 of 70

Page 27
Official Gazette of RSM, no. 42 of 16.2.2020

The Agency within 30 days from the date of receipt of the request for consultation, the
inform the controller and processor of the extension, including
the reasons for the postponement of the deadline. These deadlines can be suspended for a while
The agency did not receive all the requested information for the purposes of the consultation.
(3) During the consultation with the Agency in accordance with paragraph (1) of this Article,
the controller of the Agency submits the following information:
(a) details of the specific responsibilities of the controller, the joint controllers; and
processors involved in processing, in particular processing within a group of
legal entities;
(b) the objectives and means of the planned processing;
(c) the envisaged safeguards and other measures to protect rights and freedoms
to personal data subjects in accordance with this Law;
(d) contact details of the personal data protection officer;
(e) the assessment of the impact of personal data protection, in accordance with Article 39 of
this law and
(f) any other information requested by the Agency.
(4) The bodies of the state government and the state bodies shall consult with the Agency for
time of drafting laws or bylaws that are adopted on
basis of those laws, which refer to the processing of personal data.
(5) As an exception to paragraph (1) of this Article, during the consultation process of
controllers with the Agency, the controller is obliged to request prior approval from
The processing agency to be performed by the controller for public purposes
interest, including processing for social protection and public health purposes.
(6) The approval referred to in paragraph (5) of this Article shall be required especially in case when:
(a) the basic activities of the controller consist of processing operations, which
due to their nature, scope and / or objectives, require largely regular and systematic
monitoring of personal data subjects;
(b) the basic activities of the controller consist of extensive processing of special
categories of personal data or personal data related to criminal convictions and penalties
acts from Article 14 of this Law; or
(c) systematic monitoring of areas or rooms in large areas will be carried out
scale.
4. Authorized person for personal data protection
Designation of an authorized person for personal data protection
Article 41
(1) The controller and the processor are obliged to appoint an authorized person for protection of
personal data (hereinafter: personal data protection officer) in
any case where:
(a) the processing is carried out by a State authority, except for the courts when
act within their competences, and who will appoint an officer for another
processing of personal data performed in accordance with law;
(b) the core business of the controller or processor consists of operations for
processing, which due to their nature, scope and / or purposes, require largely regular and
systematic monitoring of personal data subjects or
(c) the basic activities of the controller or processor consist of extensive
processing of special categories of personal data or personal data related to
criminal convictions and criminal offenses referred to in Article 14 of this Law.

27 of 70

Page 28
Official Gazette of RSM, no. 42 of 16.2.2020

(2) A group of legal entities may appoint one officer for personal protection
provided that the personal data protection officer is readily available for
any legal entity within the group, the Agency and personal data entities.
(3) When the controller or processor is a state administration body, one officer for
personal data protection may be assigned to several bodies,
taking into account their organizational structure and size.
(4) In addition to the cases referred to in paragraph (1) of this Article, the controller or
processor or associations and other bodies representing the categories of
controllers or processors, may appoint a personal protection officer
data. The personal data protection officer can perform the tasks for that
an association or other body representing the controllers and processors.
(5) The personal data protection officer is determined on the basis of his / her own
professional qualifications, and especially on the basis of professional knowledge of the legislation and
practices in the field of personal data protection, as well as its ability to
performs the activities stated in Article 43 of this Law.
A person is appointed as a personal data protection officer, who:
- meets the conditions for employment determined by this and other law,
- actively uses the Macedonian language,
- at the moment of determining with a final court verdict, he / she has not been sentenced
or misdemeanor sanction prohibition to perform a profession, activity or duty,
- has completed higher education and
- has acquired knowledge and skills regarding the practices and regulations for protection of
personal data, in accordance with the provisions of this Law.
(6) The personal data protection officer may be employed by the controller
or the processor or perform the work on the basis of a service contract.
(7) The controller or the processor shall publicly publish the contact data for the officer
for protection of personal data and informs the Agency.
Position of personal protection officer
data
Article 42
(1) The controller and the processor are obliged to ensure that the protection officer of
personal data in an appropriate manner and in a timely manner is included in all related matters
with the protection of personal data.
(2) The controller and the processor are obliged to provide support to the officer for
protection of personal data during the performance of the activities referred to in Article 43 of
this law, providing him with the resources necessary to carry out those tasks and access
to personal data and processing operations, as well as its professional maintenance
knowledge.
(3) The controller and the processor are obliged to guarantee that the protection officer
of personal data will not receive any instructions from the highest management level of
the controller or processor in relation to the performance of his work. The officer
for the protection of personal data may not be altered or penalized by the controller or
the processor to perform his work. Personal Protection Officer
data directly corresponds to the top management level of the controller or
processor.
(4) The subjects of personal data may contact the protection officer of
personal data on all issues related to the processing of their personal data and
for exercising their rights under this law.

28 of 70

Page 29
Official Gazette of RSM, no. 42 of 16.2.2020

(5) The personal data protection officer is obliged to respect the secrecy or
confidentiality in the performance of its duties, in accordance with the law.
(6) The personal data protection officer may perform other tasks and
duties. The controller or processor is obliged to ensure that such tasks and
duties do not lead to a conflict of interest.
Things performed by the personal data protection officer
Article 43
(1) The personal data protection officer shall perform at least the following activities:
(a) inform and advise the controller or processor and the staff performing
processing in accordance with their obligations according to the provisions of this Law;
(b) monitor compliance with this Law, with other relevant laws relating to
personal data protection in the Republic of Northern Macedonia, as well as policies
to the controller or processor regarding the protection of personal data,
including allocating responsibilities, raising awareness and training
employees who participate in processing operations as well as performing audits
for personal data protection;
(c) where necessary, provide advice on protection impact assessment
of personal data and monitors the execution of the assessment in accordance with Article 39 of
this law;
(d) cooperate with the Agency;
(e) act as a contact point for the Agency on matters relating to
processing, including the prior consultation referred to in Article 40 of this Law, as well as
counseling as needed on all other issues.
(2) When performing his / her duties, the personal data protection officer shall
takes into account the risks associated with processing operations, as well as the nature, scope,
the context and objectives of the processing.
5. Codes of conduct and certification
Codes of conduct
Article 44
(1) According to the specific characteristics of the different processing sectors of
personal data and specific needs of micro, small and medium commercial
companies, and in order to contribute to the proper application of this law, associations and
other bodies representing the categories of controllers or processors may
develop codes of conduct or amend such codes in order to
to specify the application of this law, in relation to:
(a) fair and transparent processing;
(b) the legitimate interests of controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymization of personal data;
(e) informing the public and personal data subjects;
(f) the exercise of the rights of personal data subjects;
(g) informing and protecting children and how to obtain consent from
the child's legal representatives;

29 of 70

Page 30
Official Gazette of RSM, no. 42 of 16.2.2020

(h) the measures and procedures referred to in Articles 28 and 29 of this Law, as well as the measures
to guarantee the security during the processing of personal data specified in the article
36 of this law;
(i) notifying the Agency of breaches of personal data security
and informing the subjects of personal data about such disorders of
security of personal data;
(j) the transfer of personal data to third countries or international organizations; or
(i) out-of-court and other dispute resolution procedures between controllers
and personal data subjects in relation to the processing, without questioning them
the rights of the personal data subjects on the basis of Articles 97 and 99 of this Law.
(2) The Code of Conduct referred to in paragraph (1) of this Article shall contain mechanisms that will
enable the monitoring body referred to in Article 45 of this Law to
monitors compliance with its provisions by controllers
or processors who have committed to its application, without being excluded
the competencies and tasks of the Agency according to articles 64 or 65 of this law.
(3) The associations and other bodies referred to in paragraph (1) of this Article, which prepare a code of
conduct or amend the existing code, submit a proposal
the Code, its amendment to the Agency. The agency gives an opinion on
whether the draft code, its amendment is in compliance with this law
and also approves the draft code, its amendment, if it deems that
provides sufficient appropriate safeguards.
(4) When the draft code of conduct, its amendment is
approved in accordance with paragraph (3) of this Article, the Agency shall register and publish it
the codex.
(5) The Agency shall keep a register of all approved codes of conduct, amendments and
additions and provides public access to them in an appropriate manner.
(6) The form, the content and the manner of keeping the register referred to in paragraph (5) of this Article
prescribed by the Director of the Agency.
Monitoring of approved codes of conduct
Article 45
(1) Without excluding the tasks and authorities of the Agency referred to in Articles 65 and 66 of
this law, monitoring compliance with the Code of Conduct in accordance with
Article 44 of this Law, may be implemented by a body that has an appropriate level of
expertise in the subject matter of the Code and is accredited for that purpose by the Agency.
(2) The body referred to in paragraph (1) of this Article may be accredited for monitoring of
compliance with the code of conduct, if:
(a) has demonstrated to the Agency its independence and expertise in the matter
of the code;
(b) established procedures that enabled it to assess
the qualification of controllers and processors to apply the code, yes
monitors whether they comply with the provisions of the Code, as well as make periodic
review of their functioning;
(c) established procedures and structure for dealing with infringement complaints
of the Code or of the manner in which the Code was enforced or applied by
the controller or the processor and they are transparent in relation to the subjects of
personal data and the public; and

30 of 70

Page 31
Official Gazette of RSM, no. 42 of 16.2.2020

(d) to the Agency sufficiently demonstrated that its tasks and duties do not
lead to a conflict of interest.
(3) The closer standards and norms for accreditation of the body from paragraph (1) of this one
Article shall be prescribed by the Director General of the Agency.
(4) Without excluding the tasks and powers of the Agency and the provisions of Chapter
VIII and Chapter IX of this Law, in the presence of appropriate protective measures, the body of
paragraph (1) of this Article, undertakes appropriate actions in case of violation of the Code
of conduct by the controller or processor, including suspension or
disconnect the affected controller or processor from the code. The body from paragraph (1)
of this Article informs the Agency about these activities and the reasons for undertaking
the same.
(5) The Agency shall withdraw the accreditation of the body referred to in paragraph (1) of this Article within the deadline
from 15 days from the day of creating the conditions, ie the conditions for accreditation are not
complied with or no longer fulfilled or if the activities carried out by
side of the body violate this law.
(6) The provisions of this Article shall not apply in relation to the processing performed by
by state authorities and other state bodies.
Certification
Article 46
(1) According to the specific characteristics of the different processing sectors of
personal data and specific needs of micro, small and medium-sized companies,
to contribute to the proper implementation of this law, the Agency encourages
establishing certification for personal data protection, as well as seals and
personal data protection labels in order to demonstrate compliance with this
law on processing operations by controllers and processors.
(2) The certification is voluntary and is publicly available.
(3) The certification according to this article does not reduce the responsibility of the controller or
to the processor for compliance with this Law, as well as does not exclude the competencies and
the tasks of the Agency according to articles 64 or 65 of this law.
(4) The certification of this Article shall be performed by the Agency or by certification bodies
in accordance with Article 47 of this Law, and based on the standards and norms
prescribed by the Director of the Agency.
(5) For the processing that is subject to the certification mechanism, the controller
or the processor of the certification body referred to in Article 47 of this Law or on
The agency provides all information and access to its operations on
processing, which are necessary for conducting the certification procedure.
(6) The certificate is issued to the controller or processor for a period not longer than
three years and can be renewed under the same conditions, if the standards and
the norms referred to in paragraph (4) of this Article continue to be met. The certificate is
withdraws by the certification bodies referred to in Article 47 of this Law or by
Agency, when certification requirements are not met or are no longer met.
(7) The Agency shall keep a register of all certification mechanisms, as well as of all seals.
and personal data protection labels and provides public access to them at an appropriate level
way.
(8) The form, the content and the manner of keeping the register referred to in paragraph (7) of this Article
prescribed by the Director of the Agency.

31 of 70

Page 32
Official Gazette of RSM, no. 42 of 16.2.2020

Certification bodies
Article 47
(1) Without excluding the tasks and powers of the Agency in accordance with
Articles 65 and 66 of this Law, certification bodies that have an appropriate level of
expertise in the field of personal data protection, inform the Agency in order
to allow them to exercise their powers, and if necessary the Agency
issues them and renews certificates in accordance with Article 66 paragraph (2) item (h) of this
law.
(2) The certification bodies referred to in paragraph (1) of this Article that will perform certification
in accordance with the provisions of this Law, are accredited by the Institute for
accreditation of the Republic of Northern Macedonia (hereinafter: the Institute),
in accordance with the accreditation regulations. The certification bodies from this paragraph are
accredit only if:
(a) have demonstrated before the Institute their independence and expertise in relation to
the subject of certification;
(b) have undertaken to comply with the certification standards and norms of a Member
46 paragraph (4) of this Law;
(c) have established procedures for issuing, periodic reviews and withdrawals of
certificates, seals and marks for personal data protection;
(d) have established procedures and structure for dealing with complaints about
breach of certification or the manner in which the certification was carried out
or applied by the controller or processor and they are transparent
in relation to personal data subjects and the public;
(e) have sufficiently proved to the Institute that their tasks and duties are not
lead to a conflict of interest.
(3) The accreditation of the certification bodies referred to in paragraph (1) of this Article shall be performed on
based on standards and norms prescribed by the Director of the Agency.
(4) The certification bodies referred to in paragraph (1) of this Article shall be responsible for appropriate
assessment, which leads to certification or withdrawal of a issued certificate, without
exclude the responsibility of the controller or processor for compliance with this law.
The accreditation is issued for a period not exceeding five years and can be renewed under
the same conditions, if the certification body continues to meet the requirements set
in this article.
(5) The certification bodies referred to in paragraph (1) of this Article shall be submitted to the Agency
the requested data and / or documents together with the reasons for issuing or withdrawing
the required certificate.
(6) The Institute withdraws the accreditation of the certification body from paragraph (1) of
this Article, if the conditions for accreditation are not complied with or are no longer met, or
if the activities carried out by the body violate this law.
(7) Technical standards for certification mechanisms and for stamps and markings for
protection of personal data, as well as the mechanisms for their promotion and recognition
certification mechanisms, seals and markings are prescribed by the Director of the Agency.
(8) The provisions of this Article shall also apply to the certification of bodies for
conducting trainings in the field of personal data protection in accordance with
the provisions of this law.

32 of 70

Page 33
Official Gazette of RSM, no. 42 of 16.2.2020

V. TRANSFER OF PERSONAL DATA
General principle of transmission
Article 48
(1) Any transfer of personal data which has undergone processing or is intended for
processing after transfer to a third country or to an international organization may be performed
only if the conditions set out in this law are met and applied by
the controller and the processor, including the further transfer of personal
data from a third country or international organization in another third country or
international organization. The provisions of this chapter apply to ensure that
the level of protection of natural persons guaranteed by this law will not be endangered.
(2) The provisions of this Chapter shall not apply to the transfer of personal data from
paragraph (1) of this Article from the Republic of Northern Macedonia to a European member state
Union or in the European Economic Area.
(3) In case of transfer of personal data to a member state of the European Union,
ie a member of the European Economic Area, the controller or the processor
is obliged to inform the Agency.
Transfer of personal data based on a decision of suitability
Article 49
(1) Transfer of personal data to a third country or international organization may
performed when the Agency assesses that a third country or international organization
provides an adequate level of protection.
(2) When assessing the adequacy of the level of protection, the Agency shall take into account
especially the following elements:
(a) the rule of law, respect for human rights and fundamental freedoms;
relevant legislation, both general and sectoral, including public
security, defense, national security and criminal law and access to
public authorities to personal data, as well as the implementation of such
legislation, rules on personal data protection, professional rules and
security measures, including rules for further transfer of personal
data in another third country or international organization, which are respected in that
country or international organization, case law, as well as final and executive
decisions that apply to personal data subjects and effective administrative
and judicial protection for personal data subjects, whose personal data are transferred;
(b) the existence and effective functioning of one or more independent oversight bodies
personal data protection authorities in the third country concerned or bodies of which
subject to an international organization, which are responsible for security and enforcement
the rules on personal data protection, including the relevant powers of
implementation, for assisting and advising personal data subjects in
exercising their rights, as well as for cooperation with the Agency, and
(c) international obligations assumed by a third country or international
organization, or other obligations arising from legally binding conventions or
instruments, as well as its participation in multilateral or regional systems, in particular
in terms of personal data protection.

33 of 70

Page 34
Official Gazette of RSM, no. 42 of 16.2.2020

(3) If the third country or international organization to which they are to be transferred
personal data provides an appropriate degree of protection of personal data according to
paragraph (2) of this Article, then the controller or processor may transfer to
personal data based on an eligibility decision by the Agency.
(4) If the third country or international organization to which they are to be transferred
data does not provide an adequate degree of protection of personal data, the controller
or the processor will not transfer the personal data.
Transfer of personal data subject to appropriate safeguards
Article 50
(1) In the cases when a decision referred to in Article 49 paragraph (3) of this Law has not been adopted,
the controller or processor may transfer personal data to a third country or
international organization only if the controller or processor has provided
appropriate protective measures, as well as provided that the personal data subjects have
applicable and available judicial protection.
(2) When no decision referred to in Article 49 paragraph (3) of this Law has been made, appropriate protective measures
measures referred to in paragraph (1) of this Article, without seeking prior approval from the Agency
can be provided through:
(a) legally binding and enforceable instruments between public authorities or bodies;
(b) mandatory corporate rules in accordance with Article 51 of this Law;
(c) standard personal data protection clauses established by the Agency
or which have been approved by the European Commission;
(d) an approved code of conduct in accordance with Article 44 of this Law together with
binding and enforceable obligations of the controller or processor in the third country for
application of appropriate safeguards, including with respect to the rights of
personal data subjects; or
(e) an approved certification mechanism in accordance with Article 46 of this Law together with
binding and enforceable obligations of the controller or processor in the third country for
application of appropriate safeguards, including with respect to the rights of
personal data subjects.
(3) Provided that approval by the Agency is sought, appropriate safeguards
referred to in paragraph (1) of this Article may also be provided, in particular through:
(a) contractual clauses between the controller or processor and the controller;
the processor or user of personal data in the third country or in
international organization; or
(b) provisions to be laid down in administrative agreements between
public bodies or bodies, which contain applicable and effective rights of the subjects of
personal data.
Transfer of personal data based on mandatory corporate rules
Article 51
(1) The Agency shall approve mandatory corporate rules, provided that they:
(a) are legally binding and apply to any interested member of a particular
a group of legal entities or a group of legal entities that perform joint economic
activity, including their employees, which they carry out;
(b) clearly provide applicable rights to personal data subjects in relation to
processing of their personal data and

34 of 70

Page 35
Official Gazette of RSM, no. 42 of 16.2.2020

(c) meet the conditions laid down in paragraph (2) of this Article.
(2) The obligatory corporate rules referred to in paragraph (1) of this Article shall determine it
at least:
(a) the structure and contact details of the group of legal persons or of the group of
legal entities that perform joint economic activity, as well as each of their members;
(b) the transfer of personal data or a series of transfers, including the categories of
personal data, the type of processing and its purposes, the type of stakeholders
personal data, as well as identification of the third country or countries in which it will be performed
transmission;
(c) their legally binding nature, both internally and externally
level;
(d) the application of general principles to the protection of personal data, in particular
limitation of objectives, minimum data volume, limitation of
storage, data quality, technical and integrated personal protection
data, the legal basis for processing, the processing of special categories of personal
data, measures to ensure the security of personal data, as well as requirements
regarding the further transfer of personal data to other entities that are not
bound by mandatory corporate rules;
(e) the rights of personal data subjects with respect to the processing and means of
exercise of these rights, including the right of the personal data subject to
not be the subject of automatic decision-making alone, including
profiling in accordance with Article 26 of this Law, the right to submit a request
to the Agency and to the competent courts in accordance with the law, as well as the right to a court
protection and where applicable, the right to compensation for violation of
mandatory corporate rules;
(f) the acceptance of liability of the controller or processor established on
the territory of the Republic of Northern Macedonia for any violation of the mandatory
corporate rules by any member of the affected group not established in
Republic of Northern Macedonia. The controller or processor is complete or partial
exempt from this obligation only if he proves that the member of the affected group does not
liability for the event that led to the damage;
(g) the manner in which information on mandatory corporate rules is provided on
personal data subjects, in particular in relation to the provisions of points (d), (e) and (f) of
this paragraph, in addition to the information from Articles 17 and 18 of this Law;
(h) the affairs of any personal data protection officer designated in accordance with
Article 41 of this Law, or any other person or body responsible for monitoring
compliance with mandatory corporate rules within the legal group
persons or a group of legal entities that perform joint economic activity, as well as monitoring
on training and resolving complaints;
(i) grievance redressal procedures;
(j) mechanisms within the group of legal entities or the group of legal entities that
perform joint economic activity to ensure compliance verification with
mandatory corporate rules. These mechanisms include audits of protection
of personal data and methods for providing corrective actions to protect
the rights of the personal data subject. The results of this check should be
submit to the person or body referred to in point (h) of this paragraph and to the highest management
structures of the legal entity with a dominant position within the group of legal entities
persons or group of legal entities that perform joint economic activity, as well as be
available at the request of the Agency;

35 of 70

Page 36
Official Gazette of RSM, no. 42 of 16.2.2020

(i) mechanisms for reporting and keeping track of changes to the rules, and
to notify the Agency of these changes;
(l) the mechanisms for cooperating with the Agency to ensure compliance by each member
to the group of legal entities or to the group of legal entities that perform joint economic
activity, in particular by providing the Agency with the results of the inspections of
the measures referred to in point (j) of this paragraph;
(k) the Agency's reporting mechanisms for all relevant legal requirements
to a member of a group of legal entities or to a group of legal entities acting jointly
economic activity, which are applied in a third country, and which are likely to lead to
significant adverse effects on the guaranteed measures provided by the mandatory
corporate rules and
(l) appropriate training in the protection of personal data of staff on an ongoing basis; or
has regular access to personal data.
Transfer or disclosure of personal data based on an international agreement
Article 52
Any court decision or any decision taken by an administrative body of a third party
country with which the controller or processor is required to transfer or disclose personal
data may be recognized or subject to execution in any way,
only if it is based on an international agreement, such as a mutual international agreement
legal aid, which is in force between the third country that submitted the request and the Republic
Northern Macedonia regardless of the provisions for the transfer of personal data set out in
this chapter.
Deviations for specific situations
Article 53
(1) If there is no decision for adequacy in accordance with Article 49 paragraph (3) of this
law or appropriate protective measures in accordance with Article 50 of this Law, which
include mandatory corporate rules, the transfer or series of transfers to
personal data in a third country or in an international organization can only be executed
if one of the following conditions is met:
(a) the personal data subject has given the express consent of the controller to
the proposed transfer, after being informed of the possible risks of such transfer for
the subject of personal data, and due to the lack of a decision on the suitability of and
appropriate safeguards;
(b) the transfer is necessary for the performance of an agreement between the personal entity
data and the controller or to implement the pre-contractual measures taken
at the request of the personal data subject;
(c) the transfer is necessary for the conclusion or performance of an agreement entered into between
the controller or another natural or legal person, and in the interest of the personal entity
data;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defense of legal
requirements;
(f) the transfer is necessary in order to protect the essential interests of the entity of
personal data or to other persons, where the personal data subject is physically or
legally incapable of giving consent;

36 of 70

Page 37
Official Gazette of RSM, no. 42 of 16.2.2020

(g) the transfer is made from a register which by law is intended to provide information
to the public and who is open to public consultation or to any person who may
prove a legitimate interest, but only to the extent that the conditions laid down by law are
met for consultation in a special case.
When the transfer cannot be based on the provisions of Articles 49 or 50 of this Article
law, including the provisions of mandatory corporate rules and none of
deviations for a specific situation from the first subparagraph of this paragraph are not applicable,
the transfer to a third country or international organization can only take place if
the transmission is non-repetitive, and applies only to a limited number of personal entities
data, and it is needed to meet the legitimate interests of the controller
over which the interests or the rights and freedoms of the personal subject do not prevail
data, whereby the controller assessed all the circumstances related to the transmission of
personal data and on the basis of that assessment provided appropriate safeguards in
regarding the protection of personal data. The controller is obliged to inform her
Agency for the transfer of personal data. In addition to the information referred to in Articles 17 and 18 of
this law, the controller informs the subject of personal data about the transfer of
personal data and for the fulfillment of his legitimate interests.
(2) The transfer according to item (g) of the first subparagraph of paragraph (1) of this Article should not
includes all personal data or all categories of personal data contained in
the registry. In case the register is used for consultation by persons who have
legitimate interest, the transfer may be made only at the request of those persons or if they
would be users.
(3) Items (a), (b) and (c) of the first subparagraph of paragraph (1) of this Article and the second subparagraph
of paragraph (1) of this Article shall not apply to activities carried out by
state authorities and other state bodies in the performance of their public
powers established by law.
(4) The public interest stated in item (d) of the first subparagraph of paragraph (1) of this Article,
must be recognized by law, and which applies to the controller concerned.
(5) In case when there is no decision on suitability, for reasons of public interest, with
law may impose a restriction on the transfer of special categories of personal
data in a third country or in an international organization.
(6) The controller or the processor is obliged to document the assessment, as well as
the appropriate protective measures referred to in the second subparagraph of paragraph (1) of this Article in
the records determined in Article 34 of this Law.
International cooperation for personal protection
data
Article 54
With respect to third countries and international organizations, the Agency shall take appropriate action
measures for:
(a) developing mechanisms for international cooperation to facilitate efficiency
implementation of personal data protection legislation;
(b) the provision of international legal assistance in the implementation of
personal data protection legislation, which includes reporting,
filing complaints, assisting with investigations and exchanging information, and complying
with appropriate safeguards for the protection of personal data and others
fundamental rights and freedoms;

37 of 70

Page 38
Official Gazette of RSM, no. 42 of 16.2.2020

(c) Involvement of relevant stakeholders in targeted discussions and activities
to deepen international cooperation for the implementation of the legislation on
personal data protection;
(d) promoting the exchange and documentation of legislation and practices for
protection of personal data, including conflict of competences with third countries.
Decision of the Agency
Article 55
(1) For the cases referred to in Article 49 paragraph (3), Article 50 paragraph (3) and Article 51 of this Law,
The Agency decides with a decision within 90 days from the day of receipt of the request.
(2) A lawsuit may be filed against the decision of the Agency referred to in paragraph (1) of this Article
for initiating an administrative dispute to the competent court, within 30 days from the day of receipt
of the solution.
Bylaws of the Agency
Article 56
The method of reporting the transfer of personal data in the Member States of
The European Union and for the member states of the European Economic Area, the form and
the content of the application form for obtaining a transfer approval for the cases from
Article 49 paragraph (3), Article 50 paragraph (3) and Article 51 of this Law, as well as the form and
the content of the form for the records of the performed transfer of personal data in
third countries and international organizations, the European Union and the European Economic
space, as well as the manner of keeping records is prescribed by the director of
The agency.
VI. AGENCY FOR PROTECTION OF PERSONAL
DATA
1. Independent status
Supervisory body
Article 57
(1) The Agency is an independent and autonomous state body, competent to supervise
the legality of the activities undertaken in the processing of personal data of
the territory of the Republic of Northern Macedonia, as well as protection of fundamental rights and
freedoms of natural persons in relation to the processing of their personal data.
(2) The Agency shall be accountable for its work before the Assembly of the Republic of the North
Macedonia.
(3) The Agency has the capacity of a legal entity.
(4) The seat of the Agency is in Skopje.
(5) The Agency has a professional service that performs the professional, normative-legal,
administrative, administrative - supervisory, supervisory, material - financial,
accounting, information and other matters within the competence of the Agency (in
hereinafter: professional service).
(6) The professional service is managed by the Secretary General.

38 of 70

Page 39
Official Gazette of RSM, no. 42 of 16.2.2020

Independence
Article 58
(1) The Agency is fully politically, financially and functionally independent
performing their competencies, tasks and authorities in accordance with this Law.
(2) The Director, the Deputy Director and the employees of the Agency may not receive and
to seek instructions from state government bodies, municipal bodies, bodies
of the City of Skopje and any other legal and / or natural persons.
(3) The Director, the Deputy Director and the employees of the Agency in the performance of
their function and work duties are obliged to beware of possible collision of
interests and in the exercise of public powers and duties must not be
govern by personal, family, religious, party and ethnic interests, nor by pressures and
promises from a supervisor or other person.
(4) The independence of the Agency must be respected at all times and none of
the bodies and / or the persons referred to in paragraph (2) of this Article must not influence the director, deputy
the director and the employees of the Agency in the performance of their functions, ie
works, nor the powers of the Agency.
(5) The Director, the Deputy Director and the employees of the Agency during the execution of
their work responsibilities and / or when deciding are obliged to:
1) act professionally, impartially and objectively and without the influence of
controllers and processors, as well as any other interested party;
2) are not guided by personal, business and financial interests;
3) do not abuse the authorizations and status they have in the Agency or
as employees of the Agency and
4) protect the reputation of the Agency.
Director and Deputy Director
Article 59
(1) The Agency is managed by a director, who is elected and dismissed by the Assembly of
Republic of Northern Macedonia at the proposal of the Commission for Election Issues and
the names of the Assembly of the Republic of Northern Macedonia (hereinafter:
Commission).
(2) A public announcement for the election of a director shall be published in at least two daily newspapers, which are:
published on the entire territory of the Republic of Northern Macedonia, one of which is the newspaper
issued in the language spoken by at least 20% of the citizens who speak
official language different from the Macedonian language.
(3) The Director of the Agency shall be elected for a term of five years, with the right to another term
mandate.
(4) The Director of the Agency has a Deputy who is elected and dismissed by the Assembly of
Republic of Northern Macedonia at the proposal of the Commission for a period of five years, with
right to another term.
(5) A public announcement shall be published for the election of a Deputy Director in at least two daily ones
newspapers, which are published on the entire territory of the Republic of Northern Macedonia, of which
one of the newspapers published in the language spoken by at least 20% of the citizens
who speak an official language other than Macedonian.
(6) The commission is obliged to check whether the candidates who have applied to the public
announcement for director, ie deputy director meet the conditions for application of
the public announcement determined in this law.

39 of 70

Page 40
Official Gazette of RSM, no. 42 of 16.2.2020

(7) The commission is obliged within one month after the end of the public announcement to
organizes a public debate on the candidates for director or deputy director who
meet the conditions set out in this law.
(8) After the end of the public hearing, the Commission shall compile the draft list of
candidates for director or deputy director. For the final draft list of
candidates for director or deputy director, the Commission decides in accordance with
Rules of Procedure of the Assembly of the Republic of Northern Macedonia.
(9) The Deputy Director replaces the Director of the Agency in case he / she is
absent or when due to illness and other reasons is unable to perform his
function, with all its powers and responsibilities in management.
(10) The Deputy Director in cooperation with the Director of the Agency performs activities from
the scope of work of the director of the Agency that he will entrust to him.
(11) For its work and for the work of the Agency, the director and the deputy director
are accountable to the Assembly of the Republic of Northern Macedonia.
Conditions for selection and dismissal
Article 60
(1) A person who meets the following conditions may be elected director:
1) is a citizen of the Republic of Northern Macedonia;
2) at the moment of the election with a final court verdict he / she has not been sentenced or
misdemeanor sanction ban on performing a profession, activity or duty;
3) to have acquired at least 240 credits according to ECTS or completed VII / 1 degree
legal sciences;
4) is not a member of a body of a political party;
5) to have at least 10 years of work experience after graduation
education;
6) to have at least five years of work experience, as well as professional qualifications and
skills in the field of personal data protection;
7) has a certificate for knowledge of computer programs for office
operation and
8) holds one of the following internationally recognized certificates or certificates for
Active knowledge of English not older than five years:
- TOEFL IBT at least 74 points,
- IELTS at least 6 points,
- ILEC (Cambridge English: Legal) at least B2 (B2) level, - FCE
(Cambridge English: First) - passed,
- BULATS at least 60 points or
- APTIS at least B2 (B2) level.
(2) A person who fulfills them may be elected Deputy Director of the Agency
the conditions referred to in paragraph (1) of this Article.
(3) The function of the director, ie the deputy director, shall be terminated before
the expiration of the mandate, in the following cases:
- if he resigns,
- if he permanently loses the ability to perform the function, which he concludes
The Assembly of the Republic of Macedonia,
- if he / she meets the conditions for old-age pension,
- if his death occurs,
- if elected or appointed to another public office or

40 of 70

Page 41
Official Gazette of RSM, no. 42 of 16.2.2020

- if he / she is dismissed from the position before the expiration of the mandate.
(4) The director, ie the deputy director may be dismissed before the expiration of
the mandate only in the following cases:
- at his request,
- if he / she has been convicted with a final court verdict for a crime of unconditional punishment
imprisonment for a term of at least six months,
- due to misuse of personal data ascertained by the Assembly of the Republic
Northern Macedonia and
- when it ceases to meet any of the conditions referred to in paragraph (1) indents 1, 2
and 4 of this article as stated by the Assembly of the Republic of Northern Macedonia.
(5) The Assembly of the Republic of Northern Macedonia in the cases referred to in paragraphs (3) and (4) of
this article states termination of the function.
(6) The Assembly of the Republic of Northern Macedonia dismisses the director, ie
Deputy Director of the Agency on the proposal of the Commission, if one of
the following conditions:
- it is determined that it does not fulfill the conditions from paragraph (1) of this article,
- unjustifiably absent from work of the Agency for more than six months,
- due to misuse of personal data or
- obviously violated the rules for conflict of interest, ie exclusion in situations
in which the director, ie the deputy director knew or should have known about the existence of
any of the grounds for conflict of interest, ie exemption provided by law.
(7) In case of termination of the function or dismissal of the director of
The Agency, until the election of a new Director of the Agency, the position of Director of
The Agency is performed by the Deputy Director of the Agency, with all rights, duties and
powers that the director had.
(8) In case of dismissal, ie termination of the function of the director,
ie the Deputy Director of the Agency before the expiration of the mandate, the Assembly of
The Republic of Northern Macedonia shall start the selection procedure within ten days at the latest
to a new director, ie deputy director of the Agency.
Formal statement
Article 61
Before taking office, the director, ie the deputy director, before
the President of the Assembly of the Republic of Northern Macedonia gives and signs
solemn statement, which reads:
"I declare that I will perform the function of director, ie deputy director
conscientiously, impartially and responsibly, I will protect the right to personal protection
data and I will adhere to the Constitution and the laws of the Republic of Northern Macedonia ".
Function incompatibility and reliability
Article 62
(1) The function of director, ie the function of deputy director, is incompatible with
performing other public functions or professions, as well as by performing a function in politics
party or workplace.
(2) The director and the deputy director are obliged to keep as secret the data up to
who came to work, both during the term and after its completion, a
representing personal data or classified information in accordance with

41 of 70

Page 42
Official Gazette of RSM, no. 42 of 16.2.2020

law. The director and deputy director are obliged to keep them a secret in particular
notifications by individuals relating to violations of
the provisions of this law.
Scope of work of the Director of the Agency
Article 63
(1) The Director of the Agency:
- represents the Agency before the competent authorities, except for the property
rights and interests represented by the State before the courts and other bodies
Attorney General's Office of the Republic of Northern Macedonia,
- undertakes all legal actions in the name and on behalf of the Agency,
- organizes and ensures legal, effective and efficient performance of works and
tasks in the Agency,
- decides on the rights and obligations of the employees in the Agency in accordance with law,
- adopts the acts for internal organization and systematization of the jobs
of the Agency,
- adopts financial, ie strategic documents and annual work program of
The Agency, as well as organizes their implementation,
- makes decisions in accordance with law,
- adopts regulations and other acts for which it is authorized in accordance with law,
- takes care of the public of the work of the Agency and
- performs other activities within the competence of the Agency in accordance with law.
(2) The bylaws adopted by the Director of the Agency shall be published in
"Official Gazette of the Republic of Northern Macedonia".
2. Competencies, tasks and authorities of
The agency
Competence
Article 64
(1) The Agency is competent for the execution of the tasks and the authorizations assigned
in accordance with this law.
(2) The Agency is not competent to supervise the courts when acting within the framework
of their judicial functions, except for overseeing the legality of the activities undertaken
in the other processing of personal data carried out by the courts in accordance with
law.
Tasks
Article 65
(1) Without prejudice to the other tasks determined by this Law, on
the territory of the Republic of Northern Macedonia, the Agency:
(a) monitor and implement the application of this Law;
(b) promote public awareness and awareness of risks, rules, safeguards
measures and rights regarding the processing of personal data, and especially activities
aimed at children;

42 of 70

Page 43
Official Gazette of RSM, no. 42 of 16.2.2020

(c) in accordance with the law, give opinions to the Assembly of the Northern Republic
Macedonia, the Government of the Republic of Northern Macedonia and other institutions and bodies for
legislative and administrative measures to protect the rights and freedoms of
natural persons in relation to the processing of personal data;
(d) promote the awareness of controllers and processors of their responsibilities
according to this law;
(e) upon request, provide information to each subject of the personal data relating to
the exercise of his rights under this law and, if necessary, for that purpose
cooperates with other supervisory bodies for personal data protection;
(f) review requests submitted by the personal data subject or by
association in accordance with this law and investigates to an appropriate extent the subject of
the request, as well as within a reasonable time informs the applicant of the outcome of
the procedure, especially if further research or coordination with another is required
supervisory body for personal data protection;
(g) cooperate with other supervisory bodies for the protection of personal data, including
and through the exchange of information and mutual assistance, in order to ensure the protection of
the rights and freedoms of natural persons in relation to the processing of personal data;
(h) conduct research on the application of this Law, including
on the basis of information received from another supervisory body for personal data protection
or another public body;
(i) monitor appropriate developments, in particular in the field of information technology; and
communication technology and trade practices, if it affects the protection of
personal data;
(j) adopt the standard contractual clauses referred to in Article 32 (7) and Article 50
paragraph (2) item (c) of this Law;
(i) establish and maintain a list of the impact assessment requirements of
protection of personal data in accordance with Article 39 paragraph (4) of this Law;
(l) provide an opinion on the personal data processing operations referred to in Article
40 paragraph (2) of this Law;
(k) encourage the development of codes of conduct in accordance with Article 44 of
this law, as well as gives an opinion and approves codes of conduct that provide
appropriate protective measures in accordance with Article 44 paragraph (3) of this Law;
(l) encourage the establishment of certification mechanisms for personal protection
data and stamps and marks for personal data protection in accordance with Article 46 of
this law;
(o) where applicable, periodically review the certificates issued in
in accordance with Article 46 paragraph (6) of this Law;
(m) publish the accreditation standards and norms of the monitoring body
the approved codes of conduct in accordance with Article 45 of this Law and the
the certification body in accordance with Article 47 of this Law;
(n) accredit the body for monitoring approved codes of conduct
in accordance with Article 45 of this Law;
(r) issue an approval for the contractual clauses and provisions referred to in Article 50 paragraph (3)
of this law;
(o) approve mandatory corporate rules in accordance with Article 51 of
this law;
(o) establish and maintain records of violations of this law, as well as of
the measures taken in accordance with Article 66 paragraph (2) of this Law;

43 of 70

Page 44
Official Gazette of RSM, no. 42 of 16.2.2020

(r) provide training in personal data protection; and
(c) perform other tasks related to the protection of personal data, in accordance with the law.
(2) The Agency shall facilitate the submission of the requests referred to in item (f) paragraph (1) of this
article, through measures such as: application form, which may be
filled in electronically in accordance with the law, without excluding other means
for communication.
(3) The performance of the tasks referred to in paragraph (1) of this Article is free of charge for the subject of
personal data and, where applicable, to the personal data protection officer.
(4) When the requests are obviously unfounded or excessive, especially due to their own
recurrence, the Agency may charge a fee based on real
administrative costs, or refuse to act upon the request. The burden of proof
for the obviously unfounded or excessive character of the request falls to the Agency.
The agency determines the fee with a decision based on the volume, time and
the complexity of providing information.
(5) In addition to the tasks referred to in paragraph (1) of this Article, the Agency may:
- initiates amendments to laws and other bylaws for their sake
compliance with the provisions of this Law, as well as with international agreements ratified
in accordance with the Constitution of the Republic of Northern Macedonia,
- submits proposals to the Constitutional Court of the Republic of Northern Macedonia for
assessing the constitutionality of laws and the constitutionality and legality of other regulations or
general acts related to the protection of personal data.
Powers
Article 66
(1) The Agency shall have the following powers of inquiry:
(a) order the controller and the processor and, where applicable, the authorized person
representative of the controller or processor, to provide all information
needed to perform their tasks;
(b) carry out supervision in accordance with this Law;
(c) carry out a review of the certificates issued in accordance with Article
46 paragraph (6) of this Law;
(d) notify the controller or processor in cases where it is suspected that they are
violated the provisions of this Law;
(e) obtain access to all personal data from the controller and the processor and to
all the information he needs to perform his tasks;
(f) gain access to all premises of the controller and processor, including
to any equipment and means for processing personal data in accordance with the law.
(2) The Agency has the following corrective powers:
(a) issue warnings to the controller or processor when available
likelihood that planned personal data processing operations will
violate the provisions of this law;
(b) issue instructions to the controller or processor when the operations of
processing of personal data violated the provisions of this Law;
(c) order the controller or processor to comply with the requirements of
the subject of personal data for exercising the rights of the subject in accordance with
this law;
(d) order the controller or processor to coordinate the operations of
processing of personal data with the provisions of this Law, as well as according to the needs of
in a specific way and in a specific time period;

44 of 70

Page 45
Official Gazette of RSM, no. 42 of 16.2.2020

(e) order the controller to notify the personal data subject of
violation of personal data security;
(f) impose a temporary or permanent restriction, including a ban on the processing of
personal data;
(g) order the correction or deletion of personal data or the restriction of
processing in accordance with Articles 20, 21 and 22 of this Law, as well as reporting on
such activities of users to whom personal data were disclosed in
in accordance with Article 21 paragraph (2) and Article 23 of this Law;
(h) withdraw the certificate or order the certification body to withdraw it
withdraw the certificate issued in accordance with Articles 46 and 47 of this Law, or to
order the certification body not to issue a certificate if the certification requirements
are not met or no longer respected;
(i) impose a misdemeanor sanction in accordance with this Law, together with the measures or
instead of the measures listed in this paragraph, and depending on the circumstances of each
individual case;
(j) order the cessation of the transfer of personal data of the user to another country
or in an international organization.
(3) The Agency has the following authorizations regarding the issuance of approvals and opinions:
(a) to give opinions to the controller in accordance with the prior procedure
consultation according to Article 40 of this Law;
(b) on its own initiative or upon request, issue opinions to the Assembly of
Republic of Northern Macedonia, the Government of the Republic of Northern Macedonia or accordingly
by law to other institutions and bodies, as well as to the public regarding all issues
related to personal data protection;
(c) to grant processing authorizations under Article 40 paragraph (5) of this Law;
(d) to give opinions and approve draft codes of conduct in accordance with
Article 40 paragraph (3) of this Law;
(e) issue certificates of certification in accordance with Article 46 paragraph (4) of this Regulation
law;
(f) give a positive or negative opinion on compliance with the standards; and
norms for issuing accreditation in accordance with Article 47 of this Law;
(g) to adopt the standard contractual clauses referred to in Article 32 (7) and Article
50 paragraph (2) item (c) of this Law;
(h) approve the contractual clauses referred to in Article 50 (3) (a);
of this law;
(i) approve the administrative (administrative) contracts referred to in Article
50 paragraph (3) item (b) of this Law;
(j) approve mandatory corporate rules in accordance with Article 51 of
this law.
(4) Execution of the authorizations by the Agency in accordance with this Article
subject to appropriate safeguards, including effective remedies and
appropriate procedure, in accordance with the law.
(5) The Agency has the authority to inform the courts about the violations of the provisions of
this law, as well as according to the needs to start or otherwise participate in court
procedures in order to implement the provisions of this Law.
(6) The Director of the Agency shall prescribe instructions for action of the controllers and
processors in the processing of personal data in accordance with this Law.

45 of 70

Page 46
Official Gazette of RSM, no. 42 of 16.2.2020

(7) When using technologies for some type of processing, taking into account
the nature, scope, context and purposes of personal data processing exist
likely to pose a high risk to the rights and freedoms of individuals,
The Agency may publish issued decisions, opinions and suggestions on its website.
page.
(8) The decisions, opinions and indications referred to in paragraph (7) of this Article shall be anonymized
or are pseudonymized.
Relations of the Agency with the state government bodies
Article 67
(1) The state authorities are obliged to inform the Agency about the taken over
measures for implementation of its requests, proposals, opinions, recommendations or
indications within the deadline determined by the Agency, and no later than 30 days from the day
upon receipt of the request submitted by the Agency.
(2) If the state authority body does not notify the Agency in accordance with paragraph (1) of
this article or its requests, suggestions, opinions, recommendations or suggestions only
partially accepted or did not act on them, the Agency with a special report on it
inform the immediate higher authority, the official managing the authority or
The Assembly of the Republic of Northern Macedonia, ie the Government of the Republic of Northern Macedonia
Macedonia.
(3) The Assembly of the Republic of Northern Macedonia, ie the Government of the Republic
Northern Macedonia after receiving the special report on non-compliance and

non-implementation of the requests, proposals, opinions, recommendations or indications of
The agency, at a session which must be attended by the official or official
a person managing the body of state authority to which the special report refers,
discusses and takes a position with a proposal - measures, and informs the Agency about the undertaken measures
within the period specified in the special report.
Records of personal protection officers
data
Article 68
(1) The Agency shall keep records of officers for personal data protection of the member
41 paragraph (7) of this Law and publishes it on its website.
(2) The records referred to in paragraph (1) of this Article shall contain:
- name and seat of the controller, ie processor,
- name and surname of the personal data protection officer,
contact details of the personal data protection officer (e - mail and
phone number).
Personal data protection training
Article 69
(1) The Agency prepares and conducts training for the employees in the controllers, ie
processors, as well as for personal data protection officers issuing
certificates, for which it keeps records.

46 of 70

Page 47
Official Gazette of RSM, no. 42 of 16.2.2020

(2) The trainings are organized for the purpose of the employees in the controllers, ie
processors to gain knowledge in the field of personal data protection,
as well as in order for personal data protection officers to acquire knowledge and
skills in relation to personal data protection practices and regulations and with
ability to perform the activities referred to in Article 43 of this Law.
(3) The schedule for conducting the trainings referred to in paragraph (1) of this Article shall be published on the web
the website of the Agency.
(4) The training costs referred to in paragraph (1) of this Article shall be borne by the controller,
the processor, ie the natural person, and refer to the coverage of the real
costs required for organizing and conducting the training.
(5) To the employee in the controller, the processor, ie the natural person, as well as for
the personal data protection officer who participated in the training is issued by the Agency
certificate valid for three years from the date of its issuance.
(6) The manner of conducting the training of this article, the training program for protection
of personal data, form and content of the certificate form, as well as
the manner of keeping records of the issued certificates is prescribed by the director
of the Agency.
(7) The training referred to in this Article shall be conducted by employees of the Agency determined by
by the Director of the Agency.
Annual report on the work of the Agency
Article 70
(1) The Agency shall prepare an annual report on its work, which may include a list
of the violations reported, as well as the types of measures taken in accordance with
Article 66 paragraph (2) of this Law.
(2) The Agency shall submit it to the Assembly of the Republic of Northern Macedonia for
introduction, the annual report referred to in paragraph (1) of this Article for the previous calendar
year, no later than the end of March in the current year.
(3) The annual report referred to in paragraph (1) of this Article shall be published by the Agency on its own
website.
(4) If necessary and at the request of the Assembly of the Republic of Northern Macedonia,
The agency also submits additional reports.
Notification for processing (of personal data) with high risk
Article 71
(1) When using technologies for some type of processing, taking into account
the nature, scope, context and purposes of personal data processing exist
likely to pose a high risk to the rights and freedoms of individuals, a
pursuant to Article 9 paragraph (2) of this Law, the controller shall inform the Agency.
(2) The notification referred to in paragraph (1) of this Article shall contain the following:
1) name of the personal data collection;
2) the name, ie the name and surname and contact data of the controller, if any
applicable to all joint controllers, to the authorized representative of the controller,
if any, as well as to the personal data protection officer;
3) purpose or purposes of processing;

47 of 70

Page 48
Official Gazette of RSM, no. 42 of 16.2.2020

4) legal basis for establishing a collection of personal data;
5) description of the categories of the personal data subjects and of the categories of the personal ones
data relating to them;
6) the categories of users to whom the personal data are, or will be disclosed,
including users in third countries or international organizations;
7) term of storage of personal data, ie the foreseen deadlines for deletion of
different categories of personal data;
8) transfer of personal data to a third country or international organization and
9) general description of the undertaken technical and organizational measures according to article 36 of this
law.
(3) The Agency shall keep electronic records of personal data collections whose
processing is high risk which contains the data from the notifications received in
in accordance with the provisions of this Article.
(4) The form and the content of the notification form, the manner of notification from
paragraph (1) of this Article, as well as the form and content of the records referred to in paragraph (3) of this Article
Article shall be prescribed by the Director General of the Agency.
3. Cooperation and international legal assistance
Cooperation
Article 72
(1) The Agency may cooperate with other supervisory bodies for personal protection
data in accordance with this law in order to ensure the protection of rights and
the freedoms of natural persons in relation to the processing of personal data. The agency and
the supervisory bodies concerned with personal data protection may exchange them
mutually all relevant information electronically, excluding others
means of correspondence, and by applying appropriate technical and organizational measures
to ensure confidentiality and protection of personal data processing.
(2) The Agency may request at any time from other supervisory bodies for protection of
personal data to provide mutual assistance in accordance with Article 73 of this Law,
as well as may conduct joint operations in accordance with Article 74 of this Law,
in particular to conduct research or monitor the implementation of measures related to
controller or processor, established outside the borders of the Northern Republic
Macedonia.
Mutual assistance
Article 73
(1) The Agency and other supervisory bodies for personal data protection may
provide each other with relevant information and mutual assistance in order to be consistent
application and enforcement of this law, as well as for the establishment of effective measures
mutual cooperation. Mutual assistance, in particular, includes requests for information and measures
for oversight, such as requests for prior approval and consultation,
supervisions and research.
(2) The Agency shall take all appropriate measures necessary to respond to
requests of another supervisory body for personal data protection, without unnecessary
delay and not longer than one month from the day of receipt of the request. Such measures,
in particular may include the transmission of relevant information for the implementation of
research.

48 of 70

Page 49
Official Gazette of RSM, no. 42 of 16.2.2020

(3) Mutual assistance requests shall contain all necessary information, including:
the purpose and reasons for the request. The information exchanged is used only for
the purposes for which they are requested.
(4) If the Agency receives a request for mutual assistance, it may not refuse to act upon it
the request, except in cases when:
(a) is not competent for the subject matter of the application or for the measures required to be taken
take or
(b) the fulfillment of the request would be contrary to law.
(5) The Agency shall inform the affected supervisory body for personal protection
data who applied for mutual assistance for the results or, depending on
the case, for the course of the measures taken to fulfill the request. The agency them
states the reasons in case of rejection of the request according to paragraph (4) of this Article.
(6) The Agency, as a rule, provides the information requested by the other supervisors
personal data protection authorities, electronically, excluding others
means of correspondence, and by applying appropriate technical and organizational measures
to ensure confidentiality and protection of personal data processing.
(7) The Agency shall not charge for the activities undertaken in response to
request for mutual assistance. The Agency with other supervisory bodies for the protection of
personal data can reach agreement on the rules for securing
mutual compensation for specific costs related to the provision of mutual assistance
in emergency circumstances.
Joint operations
Article 74
(1) The Agency may conduct joint operations with other supervisory bodies for
personal data protection, including joint investigations and joint measures for
action, in which members or employees of the supervisory bodies participate who
conduct a joint operation.
(2) The Agency may provide authorizations, including authorizations for
investigation, of members or employees of the supervisory body concerned
personal data involved in joint operations in accordance with the law. These powers
for research can be carried out only under the supervision and in the presence of employees in
The agency. Members or staff of the supervisory body concerned
personal data participating in joint operations are subject to the right of
Republic of Northern Macedonia.
(3) For conducting joint operations with other supervisory bodies for protection
of personal data The Agency may conclude memoranda of cooperation for
implementation of the provisions of this Law.
Urgent procedure
Article 75
In exceptional circumstances, when the Agency considers that there is an urgent need to
acts to protect the rights and freedoms of personal data subjects may
immediately adopt interim measures leading to legal consequences in the territory of
Republic of Northern Macedonia, with a validity period not exceeding three months,
counting from the day of adoption of the interim measures. The agency immediately
notify the other personal data protection supervisory authorities concerned
the measures taken and the reasons for their adoption.

49 of 70

Page 50
Official Gazette of RSM, no. 42 of 16.2.2020

4. Professional service
Article 76
(1) For performing the professional, normative-legal, administrative, administrative-supervisory,
supervisory, material-financial, accounting, IT and
other matters, an expert service of the Agency is established.
(2) The Director of the Agency shall adopt general acts for internal organization and
systematization of the jobs of the Professional Service in accordance with the regulations for
public sector employees, in which jobs are defined, job descriptions
and job assignments, total number of employees and conditions for each job.
(3) The Secretary General and the employees of the Professional Service, except auxiliary technical persons, have the status of administrative officers.
(4) The Professional Service is managed by the Secretary General of the Agency who is elected
in accordance with the regulations for administrative officials.
(5) For the issues that refer to the employment of the employees in the Agency
the provisions of the Law on Administrative Servants, General
labor regulations and this law.
(6) The professional service performs the activities within its scope of work independently and
impartially, adhering to the provisions of this law and the regulations adopted on
based on it.
(7) The procedures for filling the vacancies (employment, promotion and
mobility through deployment or download), are implemented in accordance with
regulations for administrative employees, regulations for public employees
sector and general labor regulations, within the provided financial
funds in the section of the Budget of the Republic of Northern Macedonia intended for the Agency.
Salary and salary supplements of the employees in the Professional Service of the Agency
Article 77
The employees in the Professional Service of the Agency are entitled to a salary, allowances of
salary and salary supplements in accordance with the regulations for administrative employees and
the provisions of this law.
Confidentiality
Article 78
The employees of the Agency are obliged to keep as secret the data they obtained
in his work, both during his employment in the Agency and after his
completion, which represent personal data or classified information in
in accordance with the law. The employees of the Agency are obliged to keep them a secret
especially notifications by individuals relating to violations of
the provisions of this law.
5. Funding of the Agency
Means of work
Article 79
(1) The funds for the work of the Agency shall be provided from the Budget of the Republic
Northern Macedonia, own revenues from fees, donations and other sources,
in accordance with the law.

50 of 70

Page 51
Official Gazette of RSM, no. 42 of 16.2.2020

(2) The fees charged by the Agency are for:
- accreditation of the body for monitoring the compliance with the code of conduct
according to article 45 of this law,
- issuance of certificates according to Article 46 of this Law,
- giving an opinion on the fulfillment of the standards and norms for issuing
accreditation according to Article 47 of this Law,
- organizing and conducting training according to Article 69 of this Law and
- other fees charged by the Agency from its operations in accordance with law.
(3) The Agency shall determine the fees referred to in paragraph (2) of this Article with a decision on
basis of the scope and complexity for exercising the authorizations determined by this Law.
(4) Own revenues referred to in paragraphs (1) and (2) of this Article shall be used to cover
the costs of investment and ongoing operations, professional development, training and
training of employees, as well as for performing other activities in accordance with
the provisions of this law. The distribution of own income is done through
financial plan adopted by the Director of the Agency.
(5) Audits the material and financial operations of the Agency
The State Audit Office in accordance with the law.
Budget
Article 80
(1) The funds for performing the function of the Agency shall be provided from the Budget
of the Republic of Northern Macedonia.
(2) For providing the funds for the work of the Agency from the Budget of the Republic
Northern Macedonia from Article 79 of this Law, the Agency prepares a proposal which
submitted to the Ministry of Finance in accordance with the Law on Budgets.
(3) The Director of the Agency, and in his absence the Deputy Director of the Agency,
participates in the sessions of the working bodies of the Assembly of the Republic of the North
Macedonia on which the draft budget of the Republic of Northern Macedonia is being considered,
to present and explain the needs for the funds referred to in paragraph (1) of this Article.
VII. SPECIAL PERSONAL DATA PROCESSING OPERATIONS
Processing and freedom of expression and information
Article 81
(1) Regarding the processing performed for journalistic purposes or for the purposes of academic,
artistic or literary expression, the provisions of Chapter II (Principles), Chapter III (Rights
of the personal data subject), Chapter IV (Controller and processor), Chapter V (Transfer
of personal data) and Chapter VI (Agency for Personal Data Protection), as well as
the provisions of this Chapter of this Law may be excluded or derogated from,
if it is necessary for balancing the right to personal data protection
with freedom of expression and information.
(2) The provision from paragraph (1) of this article, is especially applied in relation to the processing
personal data in the audiovisual field and in news archives,
as well as in press libraries.
(3) The provisions of this Law that refer to the rights of the personal entities
data will not apply to the processing of personal data performed for
journalistic purposes, only if the public interest prevails over the private interest
of the personal data subject.

51 of 70

Page 52
Official Gazette of RSM, no. 42 of 16.2.2020

(4) In the process of balancing the right to personal data protection with
freedom of expression and information the following criteria are taken into account:
- the nature of the personal data,
- circumstances under which the personal data were obtained,
- the impact of the published information on the discussion of the public interest,
- how well known is the natural person concerned and what is the subject of the information,
- previous behavior of the affected natural person,
- prior consent of the affected natural person,
- the content, the form and the consequences from the publication of the information.
Oh brabotka and public access to official documents
Article 82
State authority, state body or legal entity that performs public
powers established by law may disclose personal data from official documents
which it owns, in order to carry out activities of public interest in accordance with a special
law, which balances public access to official documents with the right to
protection of personal data in accordance with this law.
Processing of the citizen's social security number
Article 83
(1) The personal identification number of the citizen can be processed only:
- with the prior express consent of the personal data subject in accordance with the article
11 of this law,
- for exercising the rights or obligations of the legal entity determined by law
data or controller and
- in other cases determined by law.
(2) Only after previously obtained approval by the Agency can be performed
systematic and extensive processing of the personal identification number of the citizen according to line 1 paragraph (1)
of this article.
(3) For the cases from lines 2 and 3 from paragraph (1) of this article, in the law must be
contained protective measures and other measures for protection of the rights and freedoms of the subjects
of personal data in accordance with the provisions of this Law.
(4) For the cases from paragraph (2) of this article, the Agency decides with a decision within 90
days from the date of receipt of the application for approval.
(5) Against the decision of the Agency from paragraph (4) of this article can be submitted
lawsuit for initiating an administrative dispute to the competent court, within 30 days from the day of
receipt of the decision.
(6) The controller or the processor is obliged to take into account the personal identification number of
the citizen should not be unnecessarily visible, printed or downloaded from a collection of personal
data.
Prior approval
Article 84
(1) Only after previously obtained approval by the Agency is processing performed
the following personal information:
- data related to human health,

52 of 70

Page 53
Official Gazette of RSM, no. 42 of 16.2.2020

genetic data, unless the data processing is performed by
professionals for the needs of preventive medicine, medical diagnosis or care and
therapy of the personal data subject and
- biometric data.
(2) The approval referred to in paragraph (1) of this Article is required in case when the processing of
personal data is performed with the prior explicit consent of the personal entity
data provided in accordance with Article 13 paragraph (2) item 1) of this Law.
(3) The approval referred to in paragraph (1) of this Article is not required in case when the processing of
personal data is determined by law which contains protective measures and other measures
to protect the rights and freedoms of personal data subjects in accordance with
the provisions of this law.
(4) For the cases from paragraph (1) of this article, the Agency decides with a decision within 90
days from the date of receipt of the application for approval.
(5) Against the decision of the Agency from paragraph (4) of this article can be submitted
lawsuit for initiating an administrative dispute to the competent court, within 30 days from the day of
receipt of the decision.
Processing in the context of employment
Article 85
(1) By law or by collective agreements, more specific may be provided
rules to ensure the protection of rights and freedoms in relation to the processing of
personal data in the context of employment, in particular for employment purposes,
fulfillment of the employment contract, including performance of obligations
determined by law or collective agreements, management, planning and
work organization, equality and diversity in the workplace, health and
safety at work, protection of the property of the employer or consumers for
the goals of exercising and using the individual or collective basis of the rights and
employment benefits, and also for the purposes of termination of employment
relation.
(2) The rules referred to in paragraph (1) of this Article shall include appropriate and specific measures for
protection of human dignity, legitimate interests and fundamental rights of
the subject of personal data, in particular as regards the transparency of the processing,
the transfer of personal data within a group of legal entities or a group of legal entities
persons performing joint economic activity.
(3) The Agency shall give an opinion on whether the specific rules provided by law
or the collective agreements referred to in paragraph (1) of this Article are harmonized with this Law.
Safeguards and deviations related to processing for archiving purposes
of public interest, for scientific or historical research or for
statistical goals
Article 86
(1) When processing for archiving purposes of public interest, for scientific or historical purposes
surveys or for statistical purposes, the controller is obliged to apply appropriate
protective measures for the rights and freedoms of the personal data subject in accordance
with this law. These safeguards ensure the application of technical and
organizational measures, in particular as regards compliance with the principle of processing

53 of 70

Page 54
Official Gazette of RSM, no. 42 of 16.2.2020

minimum data volume. These measures may include pseudonymization under
provided that the stated objectives can be achieved in this way. When the stated goals can
to be achieved through further processing, which does not allow or no longer
allows the identification of personal data subjects, those goals are achieved on
this way.
(2) When personal data are processed for scientific or historical research or
for statistical purposes, the law may provide for deviations from the rights listed in
Articles 19, 20, 22 and 25 of this Law, in accordance with the conditions and protective measures
referred to in paragraph (1) of this Article, to the extent that these rights are likely to be exercised
make it impossible or serious to impede the achievement of specific goals, a
the stated deviations are necessary to achieve these objectives.
(3) When the personal data are processed for the purposes of archiving in the public interest,
deviations from the rights listed in Articles 19, 20, 22 may be provided by law.
23, 24 and 25 of this Law in accordance with the conditions and protective measures stated in
paragraph (1) of this Article, to the extent that these rights are likely to exercise it
impossible or seriously impede the achievement of specific goals, a
the stated deviations are necessary to achieve these objectives.
(4) When the processing referred to in paragraphs (2) and (3) of this Article is used
at the same time and for another purpose, the deviations apply only to the processing
performed for the purposes stated in paragraphs (2) and (3) of this Article.
Processing of personal data by churches, religious communities or religious
groups
Article 87
Churches, religious communities, or religious groups apply the rules to
protection of personal data during the processing of personal data of natural persons,
in accordance with the provisions of this law.
Data processing for deceased persons
Article 88
(1) The controller can give personal data about the deceased only to those
users who are legally authorized to process this personal data.
(2) As an exception to paragraph (1) of this Article, the controller is obliged to provide the data
for the deceased person of a person who is the legal heir of the deceased, and because
fulfillment of legitimate interests in accordance with the law and if the deceased does not in writing
prohibited the disclosure of such personal information.
(3) The controller may give the data referred to in paragraph (2) of this Article to any of them
another person who will process this data for scientific or historical research or
for statistical purposes unless the deceased has in writing prohibited the giving of personal
data, unless otherwise provided by law.
(4) If the deceased has not given a ban in accordance with paragraph (3) of this Article, the persons
who by law are his legal heirs, may prohibit giving in writing
of his data, unless otherwise provided by law.

54 of 70

Page 55
Official Gazette of RSM, no. 42 of 16.2.2020

Video surveillance
Article 89
(1) The provisions of this Law shall also apply to the processing of personal data
by performing video surveillance, unless otherwise provided by another law.
(2) The provisions of this Law shall not apply to the processing of personal data
by performing video surveillance by individuals solely for the purpose of activities in
home.
(3) The controller that performs video surveillance is obliged to display a notification.
The notice must be clear, visible and prominent in a way that allows
to acquaint personal data subjects with the performance of video surveillance.
(4) The notification referred to in paragraph (3) of this Article shall contain information:
- that video surveillance is performed,
- for the name of the controller performing the video surveillance and
- how information can be obtained about where and for how long they are stored
video surveillance system footage.
(5) The personal data subject is informed about the processing of the personal data
in accordance with Articles 17 and 18 of this Law, if a notification in accordance with
paragraphs (3) and (4) of this Article.
(6) The controller can perform video surveillance only on the space that is sufficient for
fulfilling the goals for which it is set.
(7) The controller shall obligatorily inform the employees for performing video surveillance in
office or business premises.
(8) The recordings made during the video surveillance shall be kept until the fulfillment of
the purposes for which it is performed, but not longer than 30 days, unless otherwise provided by law
longer period containing protective measures and other measures for protection of rights and
the freedoms of the personal data subjects in accordance with the provisions of this Law.
(9) In case of installation of cameras contrary to the provisions of this Law,
the owner of the video surveillance system takes measures for them
removal at his own expense.
Processing of personal data through a video surveillance system
Article 90
(1) The controller may perform video surveillance in official or business premises if
it is necessary for:
- protection of human life or health,
- protection of property,
- protection of the life and health of the employees due to the nature of the work or
- providing control over the entry and exit of the official or
business premises for security purposes only.
(2) The controller is obliged to regulate the manner of performing video surveillance with a special one
act
(3) It is prohibited to perform video surveillance in wardrobes, locker rooms, toilets and
other similar premises.
(4) The content and the form of the act referred to in paragraph (2) of this Article shall be prescribed by the director
of the Agency.

55 of 70

Page 56
Official Gazette of RSM, no. 42 of 16.2.2020

Performing video surveillance in simple and multiresidential buildings
Article 91
(1) For performing video surveillance in simple and multi-apartment buildings
a written statement of consent of at least 70% of the total number is required
of owners, tenants, ie tenants of apartments.
(2) After securing the consent referred to in paragraph (1) of this Article, it is necessary
the owners, tenants, ie tenants of the apartments must
inform about the start of the functioning of the video playback system
supervision.
(3) It is prohibited to transfer the recordings from the video surveillance to the simple and
multi-apartment buildings via cable television (public or internal network), via
Internet or other electronic means of data transmission.
(4) It is prohibited to record the entrances of individual apartments of other owners,
tenants.
Analysis and periodic evaluation
Article 92
(1) The controller is obliged to perform an analysis of the goal, ie the goals for which they are
sets up video surveillance before starting the system setup process
performing video surveillance, unless otherwise provided by this Law.
(2) The analysis referred to in paragraph (1) of this Article shall contain the reasons for posting the video
supervision with an explanation of the need to fulfill the goal, ie the goals in
in accordance with the provisions of Article 90 paragraph (1) of this Law, as well as a description of the real estate and
movable items, ie space that will be protected by video placement
supervision.
(3) The controller is obliged to perform periodic evaluation of the achieved results from
the system for performing video surveillance every two years, and especially for:
- the further need to use the video surveillance system,
the purpose, ie the objectives for performing video surveillance and
- possible technical solutions for replacement of the video surveillance system.
(4) From the performed assessment referred to in paragraph (3) of this Article, the controller is obliged to prepare
report as an integral part of the documentation for the establishment of the performance system
of video surveillance.
(5) In the report referred to in paragraph (4) of this Article, the controller shall obligatorily enter and
statistical indicators of access to video recordings
surveillance, as well as how to use the recordings.
(6) The content of the analysis referred to in paragraph (1) of this Article and the report from the performed
periodic evaluation of the achieved results from the video surveillance system
prescribed by the Director of the Agency.
Request for determination of violation of the right to personal data protection that are
refers to the processing of personal data through video surveillance
Article 93
(1) In case when a natural person submits a request for determining a violation of
the right to personal data protection which refers to the processing of personal data
by performing video surveillance in simple or multi-apartment buildings,

56 of 70

Page 57
Official Gazette of RSM, no. 42 of 16.2.2020

the applicant is obliged to state the data on the physical, ie
the legal entity against which the request is submitted, in particular: name and surname, address of
residence, ie name and seat of the legal entity.
(2) In case when the request does not contain the data stated in paragraph (1) of this
Article, the submitter is obliged to submit them at the request of the supervisor within
eight days from the date of receipt of the request.
(3) If the submitter does not submit the data referred to in paragraph (1) of this Article, ie
does not complete the request within the set deadline, therefore it cannot be requested
acts will be considered that the request has not even been submitted, for which the supervisor will bring
decision to reject the request that does not contain legal advice.
(4) In case when a request is submitted in accordance with paragraph (1) of this Article, the natural,
that is, the legal entity against which the request is filed is obliged at the request of
the supervisor to provide evidence regarding the request, in particular:
- image of the monitor on which the video surveillance cameras (print screen) are viewed,
as well as a photograph of the location of the cameras through which the video surveillance is performed
that is,
- notarized statement that it does not perform video surveillance on a space that is owned,
ie possession of the submitter of the request, in relation to which the request has been submitted
or
- statement that he does not perform video surveillance of a space that is owned, ie occupied
of the applicant, and in connection with which the application has been submitted, given orally to
minutes drawn up by the supervisor.
(5) After submitting the evidence referred to in paragraph (4) of this Article, the supervisor shall perform
supervision in accordance with this law.
Providing personal data to users
Article 94
(1) The controller will give the personal data for use to a specific user
case, when applicable, and based on a written request from the user, if he
user is legally authorized to process that personal data.
(2) If the obligation to provide personal data to a user is determined by law and
it is performed with the provided dynamics, the user does not submit a written request to
the controller in accordance with the provisions of this Article.
(3) The written request referred to in paragraph (1) of this Article must contain reasons, legal
basis for use of personal data, category of personal data subjects and
category of personal data required.
(4) The request referred to in paragraph (1) of this Article may also be submitted electronically
in accordance with the law.
(5) It is prohibited to provide personal data for use to a user whose processing,
that is, use may not be made in accordance with the provisions of Articles 10 and 13 of
this law and if the purpose for which the personal data is requested is contrary to
Article 9 paragraph (1) line 2 of this Law.
(6) Personal data processed for the purposes of archiving in the public interest, for
scientific or historical research or for statistical purposes may not be given to
use of a user in a form that allows the identification of the natural person of

relating to personal data.

57 of 70

Page 58
Official Gazette of RSM, no. 42 of 16.2.2020

(7) In the cases referred to in paragraphs (1) and (2) of this Article, the controller is obliged to lead
separate records for the categories of personal data given for use,
the user of personal data, the category of personal data subjects, the legal
basis and reason why this personal data is provided to the user.
(8) The personal data of this Article can be used only in the time that is necessary
for the achievement of the specific goal provided by law.
(9) After the expiration of the time referred to in paragraph (8) of this Article, the personal data must be
delete, unless otherwise provided by law.
Exchange of personal data
Article 95
The provisions of Article 94 of this Law for providing personal data for use are
also refer to the exchange of personal data between state authorities and
state bodies, unless otherwise provided by law.
Direct marketing
Article 96
The processing of personal data for the purposes of direct marketing which includes
profiling to the extent that it is related to direct marketing is
allowed only if personal data are processed after a previous explicit
consent of the personal data subject in accordance with Article 11 of this Law.
VIII. LEGAL REMEDIES AND LIABILITY
Right to submit a request to the Agency
Article 97
(1) Every personal data subject has the right to submit a request to the Agency,
if he considers that the processing of his personal data violates the provisions of
this law, without prejudice to any other administrative or judicial
remedies.
(2) The Agency shall inform the applicant of the course and outcome of
the procedure, including the possibility of judicial protection in accordance with Article 98 of this
law.
(3) The form and the content of the form of the request referred to in paragraph (1) of this Article
prescribed by the Director of the Agency.
(4) The Agency shall decide whether during the procedure the opposite party will
disclose the personal data of the applicant as well as the witness.
(5) The Agency shall implement the submitted request referred to in paragraph (1) of this Article
supervision in accordance with this law.
Right to effective judicial protection against the decisions of the Agency
Article 98
(1) Every natural or legal person has the right to effective judicial protection against
legally binding decision of the Agency that applies to him, but no
questioning any other administrative or extrajudicial legal remedies
protection.

58 of 70

Page 59
Official Gazette of RSM, no. 42 of 16.2.2020

(2) Without prejudice to any other administrative or extrajudicial means of
legal protection, every personal data subject has the right to effective judicial protection,
when the Agency in accordance with the competencies determined in Articles 65 and 66 of this Law
did not act upon the request or did not inform the personal data subject within
three months for the outcome of the procedure upon the submitted request according to Article 97 of this
law.
Right to effective judicial protection against a controller or processor
Article 99
(1) Without questioning any available administrative or extrajudicial means
for legal protection, including the right to apply to the Agency in
in accordance with Article 97 of this Law, every personal data subject has the right to
effective judicial protection when he considers that his rights under this law have been violated
law, as a result of the processing of his personal data contrary to this law.
(2) The personal data subject exercises the right referred to in paragraph (1) of this Article with
filing a lawsuit to the competent court in accordance with law.
Representation of personal data subjects
Article 100
(1) The personal data subject has the right to authorize an association, to submit a request
on his behalf in relation to the protection of his personal data and to exercise them
the rights referred to in Articles 97, 98 and 99 of this Law, as well as when it is provided in the law to
exercises the right to compensation referred to in Article 101 of this Law.
(2) In the statute of the association referred to in paragraph (1) of this Article, established in accordance with law,
Obligations that are in the public interest must be stated, his
non-profit character, as well as the same should actively act in the field of protection of
personal data and in the protection of the rights and freedoms of personal entities
data.
Right to compensation and liability
Article 101
(1) Any person who has suffered material or non-material damage as a result of
violation of this law, is entitled to receive compensation from the controller or
the processor for the damage suffered.
(2) Each controller involved in the processing of personal data is responsible for
the damage caused by that processing which violates the provisions of this Law.
The processor is only responsible for the damage caused by the processing
has not complied with the obligations of this law which are specifically intended for processors or
when he acted outside or contrary to the legal instructions of the controller.
(3) The controller or the processor is exempted from responsibility on the basis of paragraph (2)
of this article, if he proves that he is in no way responsible for the event that
caused the damage.
(4) When more than one controller or processor is involved in the same processing
or the controller and the processor participate in the same processing, and when in accordance with
paragraphs (2) and (3) of this Article, they are liable for any damage caused by

59 of 70

Page 60
Official Gazette of RSM, no. 42 of 16.2.2020

processing, then each controller or processor is considered responsible for the whole
damages in order to provide effective compensation for the personal entity
data (joint and several liability).
(5) When the controller or the processor in accordance with paragraph (4) of this Article has paid
full compensation for the damage caused, the controller or processor have
the right to request from other controllers or processors involved in it
processing of personal data, a fee corresponding to their share of
liability for the caused damage, in accordance with the conditions determined in paragraph (2)
of this article.
(6) The procedure for exercising the right to compensation of damage of this article is conducted
before a competent court in accordance with law.
IX. SUPERVISION OF PERSONAL DATA PROTECTION
Scope and authority to implement
supervision
Article 102
(1) The supervision over the protection of personal data in the sense of this Law is
systematic and independent control over the legality of the undertaken activities at
the processing of personal data and their protection in the implementation of this law and
regulations adopted on the basis of this law, which in particular covers research, inspection,
giving guidance and prevention to controllers and processors (hereinafter:
supervision).
(2) Supervision shall be performed by the Agency through supervisors for personal data protection
(hereinafter: supervisors).
(3) The supervisors who perform supervision, in addition to the general conditions determined for
employment in accordance with the regulations for administrative staff, it is necessary to have and
higher education in the field of law or information sciences.
(4) Supervisors are administrative officers.
Official identification card
Article 103
(1) The Agency shall issue an official identification card to the supervisor which serves him / her
proving his official capacity and which he is obliged to show when performing
supervision.
(2) The form and the content of the official identification card from paragraph (2) of this article and
the manner of issuance and confiscation shall be prescribed by the Director of the Agency.
Types of supervision
Article 104
(1) Supervision, the supervisor performs through:
- regular supervision,
- extraordinary supervision and
- control supervision.
(2) The regular supervision is an announced supervision which is performed on an annual basis
supervision program that the Director of the Agency adopts by the end of the current one
for next year.

60 of 70

Page 61
Official Gazette of RSM, no. 42 of 16.2.2020

(3) The extraordinary supervision, as a rule, is an unannounced supervision and is performed in case of
submitted request in accordance with the provisions of Articles 93, 97 and 100 of this Law, after
initiative submitted by a state authority, legal or natural person, ex officio
duty or in case of suspicion of the supervisor for violations of the provisions of this
law.
(4) Control supervision, the supervisor may perform within six months after
the expiration of the last deadline determined for elimination of the ascertained violations with
the decision referred to in Article 107 paragraph (4) of this Law.
(5) The supervision referred to in paragraph (1) of this Article according to the method and means that are
use can also be done electronically.
(6) The supervision referred to in paragraph (1) of this Article shall be performed in the premises of the controller,
ie the processor where the personal data are processed and / or on the premises
of the Agency.
(7) The manner of performing the supervision referred to in paragraph (1) of this Article, as well as the form,
the content and the manner of keeping records of the performed supervisions
prescribed by the Director of the Agency.
Supervisor rights
Article 105
In performing the supervision, the supervisor may:
- checks general and individual acts, files, documents, computer files,
information and other evidence in scope according to the subject of supervision, as well as to request
and keep copies thereof in paper or electronic form free of charge,
- controls the business or office premises and other facilities where they are
processes personal data and requests insight into their processing,
- inspects documents for personal identification of persons due to confirmation of
their identity in accordance with the law,
- requests a written or oral explanation from the controller, ie the processor
with questions from the scope of supervision,
- requires expert analysis and opinion when necessary for supervision,
- uses technical means for photography as well as provides videos that
can be used in supervision,
- examines the equipment with which the personal data is processed and the equipment where
what personal data is stored, as well as examination of the information system and
information infrastructure within which personal processing is performed
data, with an authorized representative of the controller, ie the processor,
- uses the communication devices of the controller, ie the processor for
meeting the objectives of supervision and
- provides other necessary evidence according to the subject of supervision.
Obligations of the controller and processor at
supervision
Article 106
The controller, ie the processor is obliged to provide the supervisor
smooth supervision, and in particular to:
- make available all documents, data and information (in paper or electronic
form) required to perform the supervision, as well as to provide a copy of the same
if necessary,

61 of 70

Page 62
Official Gazette of RSM, no. 42 of 16.2.2020

- ensure the presence of all responsible, ie authorized persons required for
performing supervision,
- provide him with the conditions necessary for smooth operation and determination of the factual
condition and
- provide access to the premises and equipment where personal processing is performed
data, ie are related to the processing of personal data and are subject to
supervision.
Minutes and measures in case of violation of
regulations
Article 107
(1) For the performed regular or extraordinary supervision, the supervisor within 30 days from
the day of completion of the supervision compiles a report with a finding of the condition and
identified violations, whereby it is submitted to the controller, ie
processor.
(2) If during the supervision no violations of the regulations for personal protection have been determined
data or identified violations are removed during the implementation of
supervision, ie until the decision to remove the established ones is made
violations during the implementation of the supervision, the supervisor makes a decision for
termination of the procedure, against which the dissatisfied party has the right to file a lawsuit for
initiating an administrative dispute to the competent court within 30 days from the day of receipt of
the solution.
(3) As an exception to paragraph (2) of this Article, if during the implementation of the supervision
which is performed on the basis of a request in accordance with Articles 97 and 100 of this Law, are determined
violations of personal data protection regulations that have been removed during
the implementation of the supervision, ie until the decision for removal is made
of the identified violations, the supervisor instead of a decision to stop the procedure from
paragraph (2) of this Article, adopts a decision approving the request from Articles 97 and
100 of this Law and determines a violation of personal data protection, against which
the dissatisfied party has the right to file a lawsuit for initiating an administrative dispute to
the competent court within 30 days from the day of receipt of the decision.
(4) For the elimination of the determined violations, the supervisor shall make a decision, by which
in particular determines the following corrective measures:
- completing, updating, correcting, disclosing or securing
personal data,
- implementation of additional technical and organizational security measures
confidentiality and protection of personal data processing,
- prohibition of further processing of personal data,
- stopping the transfer of personal data to another country or international
organization,
- providing data or their transfer to other entities,
- blocking, deleting or destroying personal data,
- dismantling, moving or removing equipment, devices, installations and
systems that process personal data,
- deadline for adoption of documentation, ie regulations in accordance with the provisions of this
law,
- deadline for elimination of injuries or
- other measures in accordance with Article 66 paragraph 2 of this Law.

62 of 70

Page 63
Official Gazette of RSM, no. 42 of 16.2.2020

(5) If with the decision referred to in paragraph (4) of this Article to the controller, ie the processor
he has been set a deadline for acting in accordance with this Law, he is obliged after the expiration of this deadline
to inform the Agency whether it has acted accordingly, as well as to submit appropriate evidence.
(6) A lawsuit may be filed against the decision referred to in paragraph (4) of this Article
initiating an administrative dispute to the competent court within 30 days from the day of receipt of
the solution.
(7) The provisions of this Article shall also apply to a submitted request in accordance with
Article 93 of this Law.
Minutes for control supervision
Article 108
(1) Minutes shall be compiled for the performed control supervision in which the supervisor will
concludes that the controller, ie the processor acted completely, partially
acted or did not act upon the decision from the performed regular or extraordinary
supervision.
(2) In case of inaction, ie partial action upon the decision,
the supervisor initiates a misdemeanor procedure in accordance with this Law and the Law on
offenses.
Initiation of misdemeanor procedure
Article 109
(1) If during the implementation of the supervision, the supervisor determines a violation of this
law, submits a request for initiating a misdemeanor procedure to the Misdemeanor
commission in accordance with the provisions of this Law and the Law on Misdemeanors.
(2) In case of performing regular supervision, if the supervisor determines a violation of
this or another law, with the decision from article 107 paragraph (4) of this law determines the deadlines
to remove the identified injuries. After the expiration of the deadlines determined by the decision,
the supervisor may conduct control supervision in accordance with this Law.
X. MISDEMEANOR PROVISIONS
Category I offenses
Article 110
(1) Fine in the amount of up to 2% of the total annual income of the controller or
the processor-legal entity, (expressed in absolute amount) realized in the business year
which precedes the year when the offense was committed or of the total income earned
for a shorter period of the year preceding the offense, if in that year
the legal entity, started working, will be sentenced for a misdemeanor to a legal entity, if:
1) does not provide conditions for verification that the consent is given by the legal one
representative of the child in relation to the services of the information society according to
the provisions of Article 12 of this Law;
2) performs processing for which no identification of the personal entity is required
data contrary to the provisions of Article 15 of this Law;
3) does not apply technical and integrated protection of personal data according to
the provisions of Article 29 of this Law;

63 of 70

Page 64
Official Gazette of RSM, no. 42 of 16.2.2020

4) does not fulfill the obligations regarding the action of joint controllers according to
the provisions of Article 30 of this Law;
5) does not appoint an authorized representative of a controller or processor who is not established
in the Republic of Northern Macedonia according to the provisions of Article 31 of this Law;
6) when hiring processors, acts in a manner contrary to the provisions of
Article 32 of this Law;
7) performs processing without given instructions by the controller contrary to
the provisions of Article 33 of this Law;
8) does not keep records of the processing activities according to the provisions of Article 34 of
this law;
9) does not cooperate with the Agency at its request according to the provisions of Article 35 of
this law;
10) does not fulfill the obligation for safety of the processing according to the provisions of the article
36 of this law;
11) does not fulfill the obligation to report for violation of personal safety
data according to the provisions of Article 37 of this Law;
12) does not fulfill the obligations for informing the personal data subject about
violation of personal data security according to the provisions of Article 38 of this
law;
13) does not assess the impact of personal data protection according to
the provisions of Article 39 of this Law;
14) does not perform prior consultation according to the provisions of Article 40 of this Law;
15) does not fulfill the obligation to appoint a personal data protection officer
according to the provisions of Article 41 of this Law;
16) does not fulfill the obligations for securing the position of the protection officer
on personal data according to the provisions of Article 42 of this Law;
17) does not provide conditions for performing the activities of the personal protection officer
data according to the provisions of Article 43 of this Law;
18) does not fulfill the obligation regarding the provision of personal data to users
in accordance with the provisions of Article 94 of this Law;
19) processes personal data for direct marketing purposes contrary to
the provisions of Article 96 of this Law and
20) does not enable supervision according to the provisions of Article 106 of this Article
law.
(2) A fine in the amount of 300 to 500 euros in denar counter value shall be imposed on
the responsible person in the legal entity for the misdemeanor referred to in paragraph (1) of this Article.
(3) A fine in the amount of 100 to 500 euros in denar counter value shall be imposed on
misdemeanor of an official in the state authorities for a committed misdemeanor referred to in paragraph
(1) of this Article.
(4) A fine in the amount of 100 to 250 euros in denar counter value shall be imposed for
misdemeanor of a natural person-controller or processor for a committed misdemeanor referred to in paragraph (1)
of this article.
(5) Fine in the amount of up to 2% of the total annual income of the implementing body
monitoring the compliance with the code of conduct (expressed in absolute terms)
realized in the business year preceding the year when the misdemeanor was committed or
of the total income realized for a shorter period of the year preceding
the offense, if in that year the body started working, will be pronounced for
misdemeanor if he acts in a manner contrary to the provisions of Article 45 paragraph (4) of this Article
law.

64 of 70

Page 65
Official Gazette of RSM, no. 42 of 16.2.2020

(6) Fine in the amount of up to 2% of the total annual income of the certification body
(expressed in absolute amount) realized in the business year preceding the year
when the offense was committed or from the total income realized for a shorter period of
the year preceding the misdemeanor, if in that year the certification body
started working, he will be sentenced for a misdemeanor if he acts in a manner contrary to
the provisions of Articles 46 and 47 of this Law.
(7) A fine in the amount of 300 to 500 euros in denar counter value shall be imposed on
the responsible person in the body that monitors the compliance with the Code of
conduct, ie to the responsible person in the certification body for the offenses of
paragraphs (5) and (6) of this Article.
Category II offenses
Article 111
(1) Fine in the amount of up to 4% of the total annual income of the controller or
the processor-legal entity, (expressed in absolute amount) realized in the business year
which precedes the year when the offense was committed or of the total income earned
for a shorter period of the year preceding the offense, if in that year
the legal entity, started working, will be sentenced for a misdemeanor to a legal entity, if:
1) does not act according to the principles related to the processing of personal data
provided in the provisions of Article 9 of this Law;
2) does not perform legal processing according to the provisions of Article 10 of this Law;
3) does not provide the conditions for consent according to the provisions of Article 11 of this Article
law;
4) performs processing of special categories of personal data contrary to the provisions of
Article 13 of this Law;
5) does not fulfill the obligations for exercising the rights of the personal entity
data according to the provisions of Article 16 of this Law;
6) does not submit information to the personal data subject when collecting
his personal data according to the provisions of Article 17 of this Law;
7) does not submit information to the personal data subject when the personal data
are not obtained from it according to the provisions of Article 18 of this Law;
8) does not allow access to the personal data subject according to the provisions of
Article 19 of this Law;
9) does not correct personal data according to the provisions of Article 20 of this Law;
10) does not fulfill the obligations for the right of deletion (right to be forgotten)
according to the provisions of Article 21 of this Law;
11) does not allow restriction of the processing of personal data according to
the provisions of Article 22 of this Law;
12) does not fulfill the obligation for reporting when correcting or deleting the personal ones
data or restriction of processing according to the provisions of Article 23 of this Law;
13) does not enable portability of the data according to the provisions of Article 24 of this Article
law;
14) does not act upon a submitted complaint according to the provisions of Article 25 of this Law;
15) does not fulfill the obligations for regulating the automatic adoption of
individual decisions, including profiling under the provisions of Article 26 of
this law;
16) does not apply appropriate technical and organizational measures according to the provisions of
Article 28 of this Law;

65 of 70

Page 66
Official Gazette of RSM, no. 42 of 16.2.2020

17) does not act according to the general principle for transfer of personal data provided in
the provisions of Article 48 of this Law;
18) transfers personal data on the basis of a decision on suitability contrary to
the provisions of Article 49 of this Law;
19) transfers personal data which is subject to appropriate protective measures
contrary to the provisions of Article 50 of this Law;
20) transfers personal data on the basis of mandatory corporate
rules contrary to the provisions of Article 51 of this Law;
21) transfers or discloses personal data contrary to the provisions of the article
52 of this law;
22) transfers personal data in specific situations contrary to the provisions
on Article 53 of this Law;
23) does not enable the performance of the investigative authorizations of the Agency according to the provisions
on Article 66 paragraph (1) of this Law;
24) does not act upon the corrective authorizations of the Agency according to the provisions of
Article 66 paragraph (2) of this Law;
25) processes the personal identification number of the citizen contrary to the provisions of the article
83 of this law;
26) performs processing of personal data without previously obtained approval from
The Agency according to the provisions of Article 84 paragraph (1) of this Law;
27) does not apply protective measures according to the provisions of Article 86 paragraph (1) of this Law
and
28) processes data on deceased persons contrary to the provisions of Article 88
of this law.
(2) A fine in the amount of 300 to 500 euros in denar counter value shall be imposed on
the responsible person in the legal entity for the misdemeanor referred to in paragraph (1) of this Article.
(3) A fine in the amount of 100 to 500 euros in denar counter value shall be imposed on
misdemeanor of an official in the state authorities for a committed misdemeanor referred to in paragraph
(1) of this Article.
(4) A fine in the amount of 100 to 250 euros in denar counter value shall be imposed for
misdemeanor of a natural person-controller or processor for a committed misdemeanor referred to in paragraph (1)
of this article.
Offenses - video surveillance
Article 112
(1) A fine in the amount of 1,000 to 10,000 euros in denar counter value shall be imposed.
for a misdemeanor of a legal entity-controller, if:
1) performs video surveillance contrary to the provisions of Article 89 of this Law;
2) performs processing of personal data through a system for performing video surveillance
contrary to the provisions of Article 90 of this Law;
3) performs video surveillance in simple and multi-apartment buildings as opposed to
the provisions of Article 91 of this Law; and
4) does not perform analysis and periodic assessment according to the provisions of Article 92 of this Law.
(2) A fine in the amount of 100 to 500 euros in denar counter value shall be imposed on
the responsible person in the legal entity for a misdemeanor referred to in paragraph (1) of this Article.
(3) A fine in the amount of 100 to 500 euros in denar counter value shall be imposed on
misdemeanor of an official in the bodies of the state government for a committed misdemeanor from paragraph
(1) of this Article.

66 of 70

Page 67
Official Gazette of RSM, no. 42 of 16.2.2020

(4) A fine in the amount of 100 to 250 euros in denar counter value shall be imposed for
misdemeanor of a natural person-controller or processor for a committed misdemeanor referred to in paragraph (1) of
this article.
Measurement of fines
Article 113
(1) When measuring the fine in each specific case, they shall be duly considered
the following elements:
a) the nature, severity and duration of the injury, taking into account the nature;
the scope or purpose of the appropriate processing, as well as the number of personal entities affected
data and the degree of their damage;
b) whether the violation was committed intentionally or through negligence;
c) any action taken by the controller or processor to mitigate
the consequences of the damages suffered by the personal data subjects;
d) the degree of responsibility of the controller or processor, taking into account
technical and organizational measures applied in accordance with Articles 29 and
36 of this law;
e) any relevant prior offenses committed by the controller; or
the processor;
f) the degree of cooperation with the Agency in order to eliminate the violation and
mitigation of possible adverse effects from that injury;
g) the categories of personal data affected by the injury;
h) the manner in which the Agency learned of the violation, in particular whether and to what extent
the controller or processor reported the violation;
i) if against the controller or processor concerned in relation to the same subject matter of
processing, the measures referred to in Article 66 paragraph (2) of this Law, his
compliance with those measures;
j) compliance with the approved codes of conduct in accordance with Article 44 of
this Law or the approved certification mechanisms in accordance with Article 46 of this
law and
k) any other aggravating or mitigating factors applicable to
the circumstances of the case, such as directly or indirectly realized financially
gains or avoided losses due to injury.
(2) If the controller or processor for the same or related processing operations
intentionally or negligently violated several provisions of this law, the total amount of
the fine may not exceed the amount determined for the most serious offense.
Jurisdiction for a misdemeanor
Article 114
(1) For the misdemeanors determined in Articles 110, 111 and 112 of this Law, misdemeanor
procedure is conducted and a misdemeanor sanction is imposed by the Agency (hereinafter:
Misdemeanor authority).
(2) The misdemeanor procedure referred to in paragraph (1) of this Article shall be conducted by the Commission for decision-making
by misdemeanor (hereinafter: Misdemeanor Commission) formed by
the director of the Agency.
(3) The Misdemeanor Commission is composed of two members and a President of the Commission with
their deputies.

67 of 70

Page 68
Official Gazette of RSM, no. 42 of 16.2.2020

(4) The members of the commission and their deputies should have higher education and
work experience of at least one year in the subject matter, of which at least one
is a law graduate with a bar exam.
(5) The mandate of the members of the Misdemeanor Commission and their deputies is with
duration of two years with the right of re-election.
(6) In addition to the members of the Misdemeanor Commission and their deputies, the director of
The agency may appoint a secretary of the Misdemeanor Commission to perform
administrative matters for the Commission.
(7) The misdemeanor commission shall adopt rules of procedure for its work.
(8) The misdemeanor commission has the right to present evidence and collect data that are
necessary to determine the misdemeanor, as well as to perform other activities and take actions
determined by this Law, the Law on Misdemeanors and / or another law.
Judicial protection in misdemeanor proceedings
Article 115
(1) Legal use is allowed against the decision of the Misdemeanor Commission
means in accordance with the Law on Misdemeanors.
Obsolescence
Article 116
(1) The misdemeanor procedure cannot be initiated or conducted if two pass
years from the day when the violation of a right guaranteed by this law is committed.
(2) The statute of limitations for the misdemeanor prosecution starts from the day when it was committed
violation of a right guaranteed by this law.
(3) The statute of limitations does not run for the time for which according to the law the prosecution cannot start
or continue.
(4) The statute of limitations shall be terminated with every procedural action undertaken for the purpose
prosecuting the perpetrator of the injury.
(5) The statute of limitations shall be terminated even when the perpetrator in the time while the term of
obsolescence also committed a serious or more serious offense.
(6) After each interruption the obsolescence starts to flow again.
(7) Obsolescence of the misdemeanor prosecution occurs in every case when two have passed
times as much time as required by this law for the obsolescence of the misdemeanor
prosecution.
XI. TRANSITIONAL AND FINAL PROVISIONS
Proceedings initiated
Article 117
(1) The initiated procedures for inspection supervision, ie the misdemeanor procedures before
the day of entry into force of this law, will be completed in accordance with the provisions of this law
law, if they are more favorable to the controller, ie the processor.
(2) The initiated administrative procedures before the day of entry into force of this Law shall
are completed in accordance with the provisions of the Law on General Administrative Procedure (“Official Gazette
of the Republic of Macedonia ”No. 124/15) and the Law on Personal Data Protection
("Official Gazette of the Republic of Macedonia" No. 7/2005, 103/2008, 124/10, 135/11, 43/14,
153/15, 99/16 and 64/18), if they are more favorable for the parties.

68 of 70

Page 69
Official Gazette of RSM, no. 42 of 16.2.2020

(3) The actions taken in relation to the inspections that have been initiated before
the day of entry into force of this Law, will be completed in accordance with the provisions of the Law
for protection of personal data ("Official Gazette of the Republic of Macedonia" No. 7/2005,
103/2008, 124/10, 135/11, 43/14, 153/15, 99/16 and 64/18) and the regulations adopted on the basis of
that law.
Transition regime for the Agency
Article 118
(1) The Directorate for Personal Data Protection on the day of entry into force of
this law continues to operate as an Agency for Personal Data Protection.
(2) The employees of the Directorate for Personal Data Protection on the day of

the entry into force of this law continue to operate in the Agency.
(3) On the day this Law enters into force, the Agency shall take over the cases,
archive, material, technical, spatial and other means of work
necessary for the implementation of this law by the Directorate for Personal Data Protection.
(4) The Agency shall harmonize its operations in accordance with the provisions of this Law
within 18 months from the day this law enters into force.
(5) The Central Register of Personal Data Collections established by the Law on
personal data protection ("Official Gazette of the Republic of Macedonia" No. 7/2005,
103/2008, 124/10, 135/11, 43/14, 153/15, 99/16 and 64/18) will continue to function as
records of personal data collections with high risk in accordance with the provisions of this Law,
whereas the controllers are obliged within 18 months from the day of entry into force of
this law to submit a notification for the reported collections of personal data, according to
the provisions of Article 71 of this Law. After the accession of the Northern Republic
Macedonia in the European Union, the provisions of Article 71 of this Law that apply
the record keeping of high risk personal data collections will cease to be
apply, where the data contained in the records are kept permanently in accordance
regulations on archival material.
(6) The Director and the Deputy Director of the Directorate, on the day of entry into force of
this law, will perform their function as director and deputy director of
The Agency for Personal Data Protection, until the day of expiration of their mandate
according to the Law on Personal Data Protection (“Official Gazette of the Republic
Macedonia ”No. 7/2005, 103/2008, 124/10, 135/11, 43/14, 153/15, 99/16 and 64/18).
(7) The Agency is the legal successor of all rights and obligations of the Directorate for Protection
of personal data.
Alignment period
Article 119
Controllers and processors are required to coordinate their operations with
the provisions of this Law within 18 months from the date of entry into force of this
law.
Compliance with the regulations governing collection, processing, storage,
the use and submission of personal data
Article 120
Laws and other regulations governing collection, processing, storage,
the use and submission of personal data will comply with the provisions of this
law within 18 months from the date of entry into force of this law.

69 of 70

Page 70
Official Gazette of RSM, no. 42 of 16.2.2020

Period of adoption of bylaws
Article 121
(1) The bylaws provided by this Law shall be adopted by the Director of the Agency
adopted within 18 months from the date of entry into force of this law.
(2) Until the day of starting the application of the regulations referred to in paragraph (1) of this Article,
Existing regulations apply if they do not conflict with the provisions of this
law.
Termination of application
Article 122
The provisions of Chapter II (except Article 12), III, IV (except Articles 46 and 47), V and VIII of this
law shall cease to apply until the accession of the Northern Republic
Macedonia in the European Union.
Termination
Article 123
The Law on Protection shall cease to be valid on the day this Law enters into force
of personal data ("Official Gazette of the Republic of Macedonia" No. 7/2005, 103/2008,
124/10, 135/11, 43/14, 153/15, 99/16 and 64/18).
Entry into force
Article 124
This Law shall enter into force on the eighth day from the day of its publication in the "Official Gazette of
Republic of Northern Macedonia ".

70 of 70

