Clym Logo
MK flag

MK

Law on Personal Data Protection of the Republic of North Macedonia

Overview

The Law on Personal Data Protection of the Republic of North Macedonia establishes the national legal framework for the collection, use, storage, and other forms of processing of personal data. Closely aligned with the EU General Data Protection Regulation, it defines enforceable rights for individuals and sets clear obligations for controllers and processors operating in both the public and private sectors. Supervision and enforcement are carried out by the Agency for Personal Data Protection.

Adopted on 16 February 2020 and published in the Official Gazette on 24 February 2020, the law entered into force on 3 March 2020, with most provisions becoming applicable on 24 August 2021. It applies to both automated processing and non-automated processing where personal data forms part of a structured filing system.

Regulation Summary

  • 16 February 2020 – Law adopted.
  • 24 February 2020 – Published in the Official Gazette.
  • 3 March 2020 – Entered into force.
  • 24 August 2021 – Majority of provisions became applicable.

  • Public authorities and state bodies processing personal data.
  • Private companies and sole proprietors established in North Macedonia.
  • Foreign organizations offering goods or services to individuals in North Macedonia.
  • Entities monitoring the behavior of individuals within the country.
  • Controllers and processors.

  • Personal or household activities.
  • Processing related to national security and defense under separate legislation.
  • Certain law enforcement activities governed by specific laws.

Controllers must:

  • Establish a lawful basis for processing.
  • Limit processing to specific, explicit purposes.
  • Apply data minimization principles.
  • Implement appropriate technical and organizational safeguards.
  • Maintain records of processing activities.
  • Appoint a Data Protection Officer where required.

Processors must act on documented instructions from the controller and implement data protection measures.

Website owners that collect personal data online must:

  • Publish a clear and accessible privacy policy.
  • Obtain consent for cookies and tracking technologies where required.
  • Provide mechanisms for individuals to exercise their rights electronically.
  • Implement encryption or similar safeguards for online data transmission.

  • Data protection impact assessments are required for high-risk processing.
  • Cross-border transfers require adequacy decisions or appropriate safeguards.
  • Personal data breach notifications must be submitted to the supervisory authority within 72 hours where required.

Individuals have the right to:

  • Access their personal data.
  • Rectify inaccurate data.
  • Request erasure in certain circumstances.
  • Restrict processing.
  • Object to processing.
  • Data portability.

Requests must generally be answered within one month.

  • Supervisory authority: Agency for Personal Data Protection.
  • Administrative fines may reach up to 20,000,000 euros in denar equivalent (approximately 21,600,000 USD) or up to 4% of the total annual worldwide turnover of the preceding financial year, depending on the nature of the infringement.
  • Corrective measures may also include warnings, reprimands, and temporary or definitive processing limitations.
Book a demo