On 24 February 2020, the new Law on Personal Data Protection (“Law”) entered into force. With it, North Macedonia largely harmonized its data protection legislation with the General Data Protection Regulation (GDPR), however, certain differences do exist. Data subjects have more control over their personal data which is subject to processing, and many obligations are now imposed to controllers and processors who process personal data to which they must abide.

Due to the wide scope and complexity of the Law, controllers and processors must align and ensure compliance of their businesses with the Law until 24 August 2021, or face the new and severe penalty policy. This includes adoption of all-new and/or amendment of existing internal data protection acts, implementing data protection by design and by default, keeping internal records of processing activities, carrying out an assessment of the impact of the envisaged processing operations on the protection of personal data etc.

Stiff penalties and fines are envisioned for non – compliance with the Law. Controllers and processors (legal entities) can be fined with up to 2% and up to 4% of the total annual income from the previous financial year per misdemeanor. For non – compliance with the provisions for video surveillance, controllers (legal entities) can be fined ranging between EUR 1,000 and 10,000. Smaller fines are prescribed for natural persons – controllers or processors, or responsible persons within controllers or processors, in the amount of several hundreds of EUR.

While 18 months may seem like a long time for ensuring compliance, six of those have already passed. Companies now have a little under a year to harmonize their operations with the Law. Initiating this process sooner rather than later is recommendable to ensure timely compliance with the data protection regulations.