The challenges related to the transfer of personal data from the perspective of the new Law on Personal Data Protection
With digitalization and rapid development of Information and Communication Technologies, personal data emerged as a valuable asset for Companies, at the same time increasing the risk for data security and imposing the need for strict legal regulations for processing as well as transfer of personal data.
The new Law on Personal Data Protection of the Republic of North Macedonia (hereinafter referred to as “Law”) was adopted on February 16th 2020, in order to harmonize the national legislation with the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”), thus providing normative compliance with the legal instruments and standards for personal data protection of the European Union.
The Rulebook for Transfer of Personal Data adopted by the Personal Data Protection Agency of the Republic of North Macedonia (hereinafter referred to as “Agency”) on May 12th, 2020, specifies the manner and the content of the forms that should be used by the controllers or processors in order to notify or to request approval from the Agency, for cases provided by the Law.
Pursuant to the Annual report 2020 of the Agency, the most common purposes for transfer of personal data are: support of the human resource management processes of companies that are part of international corporations, maintenance and technical support of information systems, making backup copy and cloud services, usually involving data subjects such as: employees, job candidates, external collaborators, clients, suppliers etc.
Transfer of personal data to a member state of the EU, i.e. a member of the EEA
North Macedonia is aspiring to be a member of the European Union, awaiting to start the negotiation process for the EU accession. In case of transfer of personal data to a member state of the European Union, as well as a member of the European Economic Area, the assumption that an adequate level of personal data protection applies and the controller or the processor is obliged only to notify the Agency using the prescribed form, within 15 days prior to the start of the transfer of personal data.
Transfer of personal data to a third country or international organisation
Any transfer of personal data to a third country or to an international organisation is subject to prior approval by the Agency. Such transfer may be performed only if the conditions set out in the Law are met and applied by the controller and the processor. The same conditions apply to direct and indirect, i.e. onward transfers.
I. Transfer of personal data based on an adequacy decision
Transfer of personal data to a third country or an international organisation may be performed on the basis of adequacy decision by the Agency confirming that a third country or international organisation provides an adequate level of protection.
When assessing the adequacy of the level of protection, the Agency, in particular, takes account of the different types of criteria such as: the rule of law, respect for human rights and fundamental freedoms, relevant legislation, international commitments, the existence and effective functioning of one or more independent data protection supervisory authorities etc.
When assessing the adequacy of the level of protection, the Agency takes into consideration the adequacy decisions adopted by the European Commission, as well as whether the third countries are signatories to Convention 108 of the Council of Europe.
II. Transfer of personal data subject to appropriate safeguards
When an adequacy decision is not adopted, the Law enables data transfers if the controller or processor has provided appropriate safeguards, as well as provided that the data subjects have applicable and available judicial protection.
When an adequacy decision is not adopted, the appropriate safeguards may be provided for, without requiring any specific approval from the Agency, by:
- legally binding and enforceable instruments between public authorities or bodies;
- binding corporate rules in accordance with the Law;
- standard personal data protection clauses established by the Agency or approved by the European Commission;
- an approved code of conduct in accordance with the Law together with the binding and enforceable obligations of the controller or processor in the third country to apply appropriate safeguards, including as regards to the data subjects rights;
- approved certification mechanism in accordance with the Law together with binding and enforceable obligations of the controller or processor in the third country to apply appropriate safeguards, including as regards to the data subjects rights;
Subject to the approval from the Agency, the appropriate safeguards referred may also be provided for, in particular, by:
- contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
- provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
III. Transfer of personal data on the basis of binding corporate rules
In case of transfer of personal data on the basis of binding corporate rules, the controller or processor is required to submit a prior request to the Agency for approval of those rules. The conditions to obtain such approval are in great extent harmonized with the GDPR.
IV. Transfer of personal data on the basis of international agreement
Regardless of the provisions for data transfers set out in the Law, transfers based on court decisions or other decision taken by an administrative body of a third country whereas the controller or processor is required to transfer or disclose personal data may be recognized or enforceable if they are based on an international agreement, such as a mutual legal assistance treaty, in force between the third country and the Republic of North Macedonia.
V. Exemptions for specific situations
If there is no adequacy decision or appropriate safeguards in accordance with the Law, which include mandatory corporate rules, the transfer or set of transfers to personal data to a third country or in an international organisation can only be executed if one of the following conditions is met:
- the personal data subject has given the express consent of the controller to the proposed transfer, after being informed of the possible risks of such transfer for the subject of personal data, and due to the absence of adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or to implement the precontractual measures taken at the request of the personal data subject;
- the transfer is necessary for the conclusion or performance of a contract entered into between the controller or another natural or legal person, and in the interest of the data subject;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the personal data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which by law is intended to provide information to the public and who is open to public consultation or to any person who may demonstrate a legitimate interest, but only to the extent that the conditions laid down by law are fulfilled for consultation in a special case.
In case of absence of other legal basis or exemptions, the Law introduces a limited exemption, for non-repetitive transfers involving a limited number of data subjects for the purpose of compelling legitimate interests of the controller which are not overridden by those of the data subject and where the controller has assessed the circumstances of the transfer and provided adequate safeguards with regard to the protection of personal data. The controller should inform the Agency and the data subject about the transfer.
The novelties introduced by the Law gain in importance from the perspective of the private sector, considering the significant increase of the potential fines for incompliance. While based on the previous law fines for incompliance could reach up to EUR 2,000, now based on the Law the Agency can impose a fine of up to 4% of the total annual income of the controller or the processor-legal entity, (expressed in absolute amount) realized in the business year which precedes the year when the misdemeanor was committed (or of the total income realized for a shorter period of the year preceding the misdemeanor, if the legal entity was established in that year).
Article provided by: Katerina Rumenova and Jasmina Brezovska (Bona Fide Law Firm, North Macedonia)
Dr. Tobias Höllwarth (Managing Director INPLP)