29
Fri, Mar
51 New Articles

Transfers of Personal Data Outside of Macedonia

Transfers of Personal Data Outside of Macedonia

North Macedonia
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Personal Data Protection Act 2005 (the “Act”) is the key legislative act that regulates personal data protection matters in Macedonia, including transfers of personal data outside of Macedonia. The Act is aligned with the EC Directive 95/46/EC (the “Data Protection Directive”). Macedonia’s obligation to align the Act with the Data Protection Directive derives from its status as a European Union candidate country, for which implementation of the EU legislation is mandatory. The Directorate for Personal Data Protection (the “Directorate”) is the Macedonian independent agency competent to oversee the Act’s implementation.

As a rule, the Act allows transfers of personal data outside of Macedonia only if the country where the personal data is being transferred to provides an adequate level of protection. The Directorate is empowered to make a general assessment as to whether other countries satisfy that requirement, based on a set of criteria including: (i) the nature of the personal data being transferred; (ii) the purpose and duration of the proposed processing of the personal data; (iii) the state of the rule of law in the country receiving the personal data; and (iv) the existing personal data safeguards in the country receiving the personal data. However, the Directorate has not made a general assessment of whether a particular country provides an adequate level of personal data protection to date. Hence, transfers of personal data to countries which are not subject to the exceptions discussed below are subject to the approval of the Directorate on a case-by-case basis.

An approval from the Directorate is not required for transfers of personal data to countries which are either members of the EU or the European Economic Area (EEA) or are “white-listed” – i.e., have already been determined to provide an adequate level of personal data protection by the European Commission. The white-listed countries to date include: Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the US (only companies which are operating in compliance with the EU-U.S. Privacy Shield). The Act operates under the assumption that the EU/EEA and “white-listed” countries provide an adequate level of personal data protection. Furthermore, under the Act, the Directorate is required to rely on the assessment by the EC of the adequacy of the level of personal data protection available in non-EU/EEA countries. Thus, if the EC concludes that a certain country does not provide an adequate level of personal data protection, the Directorate shall issue a general order restricting all transfers of personal data from Macedonia to that country.

In specific cases, transfers of personal data from Macedonia into a particular country can be carried out without obtaining approval from the Directorate, even if that country has not been white-listed by the Directorate or the EC (or if it has never been subject to an assessment at all) if the transfer is made on the basis of the unambiguous consent of the owner of personal data or where it is necessary for the: (i) performance of a contract or the implementation of pre-contractual measures taken in response to the request of the owner of personal data; (ii) conclusion or performance of a contract concluded in the interest of the owner of the personal data between the controller and a third party; (iii) establishment, exercise, or defense of legal claims; (iv) protection of the vital interests of the owner of the personal data; or (v) is made from a register which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.

Transfers of personal data to non-EU/EEA and non-white-listed countries not falling within the exceptions above are subject to individual approval by the Directorate. The Directorate is required to issue its approval within 30 days from the receipt of an application, assuming it is satisfied that adequate safeguards for the protection of personal data have been adduced by the applicant. To satisfy this requirement, a multinational company might provide the Directorate with Binding Corporate Rules which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection or standard data protection contractual clauses issued by the EC.

By Gjorgji Georgievski, Partner, and Simona Kostovska, Associate, ODI Law  

This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Our Latest Issue