
North Macedonia
Data Protection
Introduction
Data protection in North Macedonia is primarily governed by the Law on Personal Data Protection (Official Gazette of the Republic of North Macedonia, Nos. 42/20 and 294/21) (LPDP). In addition to the LPDP, several byelaws were adopted, providing more detailed rules on the technical and organisational measures, transfer of personal data, video surveillance, data protection impact analysis and other matters. With these regulations, North Macedonia has implemented the requirements of the General Data Protection Regulation (GDPR), so the country is in compliance with the legislation of the EU in this area.
The supervisory authority is the Agency for Personal Data Protection (“Agency”).
1. What national laws regulate the collection, use and disclosure of personal data?
The primary legislation governing the collection, use, and disclosure of personal data is the LPDP.
Additionally, other laws contain relevant provisions on this subject, notably:
- Law on the Central Population Register (Official Gazette of the Republic of North Macedonia, Nos. 98/19 and 275/19).
- Law on Records in the Field of Healthcare (Official Gazette of the Republic of Macedonia, Nos. 20/09, 53/11, 164/13 and 50/15).
- Law on Free Access to Public Information (Official Gazette of the Republic of North Macedonia, No. 101/19).
- Law on the Prevention of Money Laundering and the Financing of Terrorism (Official Gazette of the Republic of North Macedonia, No. 151/22).
- The Law on Labour Relations (Official Gazette of the Republic of Macedonia, Nos. 62/05, 106/08, 161/08, 114/09, 130/09, 50/10, 52/10, 124/10, 47/11, 11/12, 39/12, 13/13, 25/13, 170/13, 187/13, 113/14, 20/15, 33/15, 72/15, 129/15, 27/16, 120/18, and Official Gazette of the Republic of North Macedonia Nos. 110/19, 267/20, 151/21, 288/21 and 111/23).
- The Law on Consumer Protection (Official Gazette of the Republic of North Macedonia, No. 236/22).
- The Law on Electronic Communications (Official Gazette of the Republic of Macedonia, Nos. 39/14, 188/14, 44/15, 193/15, 11/18, 21/18, and Official Gazette of the Republic of North Macedonia Nos. 98/19, 153/19 and 92/21).
- Law on Criminal Procedure (Official Gazette of the Republic of Macedonia, Nos. 150/10, 100/12, 142/16 and 198/18).
2. To whom do the laws apply?
The LPDP applies to data controllers, data processors, data subjects, data recipients and third parties.
A controller is a natural or legal person, an organ of state authority, a state body or a legal entity established by the state to perform public functions, or an agency or another body that, independently or together with others, determines the purposes and methods of processing personal data.
A processor is a natural or legal person, an organ of state authority, a state body or a legal entity established by the state to perform public functions, or an agency or another body that processes personal data on behalf of the controller.
A data subject is an identified or identifiable natural person, i.e., someone who can be identified, directly or indirectly, by reference to their personal data.
A recipient is a natural or legal person, an organ of state authority, a state body or a legal entity established by the state to perform public functions, or an agency or another body to which personal data is disclosed, regardless of whether it is a third party or not. However, state authorities and state bodies to which personal data is disclosed within the framework of a special investigation in accordance with the law are not considered recipients, provided that the processing of this data by these bodies is in compliance with the applicable rules for the protection of personal data according to the purposes of that processing.
A third party is any natural or legal person, an organ of state authority, a state body or a legal entity established by the state to perform public functions, or an agency or another body that is not the data subject, controller, processor, or a person who, under the direct authorisation of the controller or processor, is authorised to process the data.
3. What is the territorial scope of the law?
The provisions of the LPDP apply in the following cases:
- Processing of personal data if the controller or processor is established in the territory of the Republic of North Macedonia, regardless of whether the processing of personal data takes place within the territory of the Republic of North Macedonia or outside its borders.
- Processing of personal data of data subjects from the Republic of North Macedonia by a controller or processor not established in the Republic of North Macedonia, provided that the data processing activities are related to:
  - the offering of goods or services, whether or not payment is required from the data subject from the Republic of North Macedonia; or
  - monitoring the behaviour of data subjects, if that behaviour takes place in the Republic of North Macedonia.
- Processing of personal data by a controller not established in the territory of the Republic of North Macedonia but established in a territory where the law of the Republic of North Macedonia applies according to international agreements ratified in accordance with the Constitution of the Republic of North Macedonia.
4. What acts and operations relating to personal data are regulated?
Processing of personal data in accordance with the LPDP includes any operation or set of operations performed on personal data, or sets of personal data, whether automated or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
5. What personal data does the law regulate?
Personal data under the LPDP is defined as any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is someone whose identity can be determined directly or indirectly, particularly based on identifiers such as name, personal identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
6. Are any types of personal data subject to a higher level of protection under the law?
Types of personal data subject to higher protection according to the LPDP are the following:
- race, ethnicity, sexual orientation, sex life;
- medical data;
- biometric data and genetic data;
- political, religious or philosophical beliefs;
- trade union membership;
- children’s data;
- criminal offence and conviction data;
- PIN — personal identification number; and
- personal data of deceased persons.
7. What requirements must be fulfilled in order to process personal data?
The requirements that must be met in order to process personal data in accordance with the LPDP are the following:
- consent of the data subject;
- necessity for the purposes of entering into or performing obligations under a contract;
- necessity to comply with a legal, non-contractual obligation;
- necessity to protect the essential interests of the data subject or another natural person;
- necessity to perform a task in the public interest; or
- necessity for a party’s legitimate interests.
According to the LPDP, consent is defined as any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, through a statement or a clear affirmative action, by which the data subject signifies consent to the processing of their personal data.
If the consent of the data subject is given in the form of a written statement that also pertains to other issues, the request for consent must be presented in a manner that is clearly distinguishable from other issues, in an understandable and easily accessible form, using clear and simple means.
When assessing whether consent is freely given, it must be considered whether the performance of a contract that includes a certain service is conditional upon giving consent for the processing of personal data, which is not necessary for the fulfilment of the contract.
The data subject has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal and must be informed of this right.
The LPDP expressly requires consent as a basis for processing personal data for:
- marketing purposes;
- establishing video surveillance in single-family and multi-family buildings, in which case consent from at least 70% of the total number of owners, tenants, or renters of the apartments is required; and
- processing personal data of children under the age of 14, which can be processed only if consent by the legal representative is provided.
Moreover, consent may be relied upon for processing special categories of personal data (mostly included in Question 6, above) and the PIN of the data subject, although this data can be processed based on other grounds as well.
Finally, processing related to criminal convictions and offences, or processing related to security measures, including where it is based on consent, shall be carried out only under the control of an official authority or when the processing is authorised by a law providing for appropriate safeguards for the rights and freedoms of data subjects.
8. What obligations apply when processing personal data?
The main obligations of data controllers under the LPDP are the following:
- Processing the data in accordance with the law, to a sufficient extent and in a transparent manner regarding the data subject.
- Collecting for specific, clear, and legitimate purposes and not processing in a manner that is incompatible with those purposes.
- Minimising the data, so that it is adequate, relevant, and limited to what is necessary in relation to the purposes for which the data is processed.
- Ensuring the data is accurate and, where necessary, updated, with all appropriate measures taken to ensure that data which is inaccurate or incomplete is erased or rectified in a timely manner, considering the purposes for which it was processed.
- Keeping the data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Processing the data in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- Notifying the data subjects and the data protection authority in case of data breaches.
- Ensuring the exercise of the rights of the data subjects as provided by the law (see Question 9, below).
9. What rights does the data subject have in relation to personal data?
Data subjects have the following rights:
- right to information about how and why their personal data is being processed and by whom;
- right to access, rectify, or request erasure or deletion of their personal data, under certain conditions;
- right to restrict or object to the processing, under certain conditions;
- right with respect to automated decision-making and profiling;
- right to data portability, under certain conditions;
- right to file a complaint before the Agency; and
- right to nominate a third party to exercise these rights on their behalf.
Exceptions to these rights can be made in cases of:
- national security;
- defence;
- public safety;
- prevention, investigation, detection, or prosecution of criminal offenders or enforcement of imposed criminal sanctions, including prevention and deterrence of threats to public safety;
- other important objectives in the public interest for North Macedonia, particularly important economic or financial interests including monetary, budgetary, and tax matters, public health, and social protection;
- protection of the independence of courts and judicial proceedings;
- prevention, investigation, detection, and prosecution of violations of ethical rules for regulated professions;
- monitoring, inspection or regulatory functions that are at least occasionally related to the fulfilment of the authorities’ responsibilities in certain cases mentioned;
- protection of the data subject or the rights and freedoms of other individuals; and
- enforcement of requests in civil proceedings.
10. What rules regulate the sending of commercial or direct marketing communications?
The LPDP provides that processing of personal data for direct marketing purposes, which includes profiling to the extent related to direct marketing, is only allowed with prior explicit consent of the data subject.
Also, data subjects have the right to object to the processing.
Other laws also address the regulation of sending commercial or direct marketing communications, mainly:
- the Law on Consumer Protection;
- the Law on Electronic Communications; and
- the Law on Electronic Trade.
The rules differ between business-to-consumer and business-to-business marketing and by the means of communication. With regard to business-to-business marketing, only marketing via email is prohibited unless explicit consent is provided. On the other hand, with regard to business-to-consumer relations, any marketing and unsolicited communication through any means of communication is prohibited without prior explicit consent of the consumer.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
The LPDP distinguishes between two cases: the transfer of personal data to a Member State of the EU or the European Economic Area (EEA) and the transfer of personal data outside of an EU or EEA Member State (to a third country).
In the first case, the LPDP requires only that a notification be submitted to the Agency regarding the planned transfer, with no other requirements.
For the second case, the transfer can be made only if certain conditions are met.
The transfer of personal data to a third country may be carried out when the Agency assesses that the third country provides an adequate level of protection. In assessing adequacy, the Agency takes into account the rule of law, respect for human rights, relevant legislation, and other factors.
If no adequacy decision has been made, the transfer may be carried out if the controller or processor has provided appropriate safeguards, such as legally binding instruments, mandatory corporate rules, standard data protection clauses, an approved code of conduct, or an approved certification mechanism.
Exemptions from the above-mentioned requirements apply in cases of explicit consent from the data subject, necessity for the performance of a contract, important reasons of public interest, protection of the essential interests of the data subject, and other similar circumstances.
12. What are the investigatory and enforcement powers of the regulator?
The Agency has the following investigative powers:
- Examine general and individual acts, files, documents, computer records, information, and other evidence related to the subject of supervision, and may request and retain copies of these in paper or electronic form without compensation.
- Conduct inspections in business or office premises and other locations where personal data processing occurs, and request access to the processing activities.
- Review identification documents of individuals to confirm their identity in accordance with the law.
- Request written or oral explanations from the controller or processor regarding issues within the scope of supervision.
- Seek expert analysis and opinions when necessary for the supervision.
- Use technical means for photographing and video recordings, which may be used in the supervision process.
- Inspect equipment used for processing personal data and the equipment where personal data is stored, as well as examine the information system and IT infrastructure within which personal data processing occurs, with an authorised representative of the controller or processor.
- Utilise communication devices of the controller or processor to fulfil the objectives of the supervision.
- Obtain other necessary evidence related to the subject of supervision.
The Agency has the following corrective powers:
- Issue warnings to the controller or processor when there is a likelihood that the planned personal data processing operations will breach the provisions of the LPDP.
- Issue directives to the controller or processor when the personal data processing operations have breached the provisions of the LPDP.
- Order the controller or processor to comply with the data subject’s requests for exercising their rights in accordance with the LPDP.
- Order the controller or processor to align personal data processing operations with the provisions of this law, as well as according to specific requirements and within a specified timeframe.
- Order the controller to inform the data subject about a personal data breach.
- Impose temporary or permanent restrictions, including a ban on processing personal data.
- Order the correction or deletion of personal data or restriction of processing, and to notify users to whom personal data has been disclosed.
- Withdraw the certification or order the certification body to withdraw the certification issued in accordance with the LPDP, or instruct the certification body not to issue a certification if the certification requirements are not met or are no longer being adhered to.
- Impose a fine according to this law, together with or instead of the measures mentioned in this paragraph, depending on the circumstances of each individual case.
- Order the cessation of the transfer of personal data to a recipient in another country or to an international organisation.
13. What are the sanctions and remedies for non-compliance with data protection laws?
According to Macedonian legislation, violations of personal data protection obligations are subject to administrative, criminal and civil sanctions.
- Administrative sanctions. Administrative sanctions for a legal entity-controller, i.e., fines for violations of the provisions of the LPDP, range from 2% to 4%, depending on the severity and type of the violation. An exception to this is fines for certain violations related to personal data processing through video surveillance, for which fines are set from EUR 1,000 to 10,000 for a legal entity-controller. Fines are also imposed on the responsible person within the legal entity-controller, as well as on an individual controller.
- Criminal sanctions. Abuse of personal data is listed as a criminal offence in the Macedonian Criminal Code. This offence includes collection, processing or using personal data without the consent of the individual, contrary to the conditions established by law, as well as entering a computer information system containing personal data with the intent to use it for personal gain or to cause harm to another.
- Civil remedies. Any person whose data protection-related rights have been violated can initiate a procedure for compensation of damages and seek other remedies before a civil court.