The North Macedonia Government violated the Law on Personal Data Protection by publishing personal data of applicants awarded amounts before the European Court of Human Rights

22.08.2024

This resolution includes data for 519 applicants, i.e. their names and surnames, personal identification numbers (PIN), and bank accounts, together with the name of the bank where each account is maintained.

In February 2024 the Government of the Republic of North Macedonia (hereinafter only “The Government”) adopted a Resolution on the payment of funds from the Budget of the Republic of North Macedonia no. 14-1501/4 dated February 13th, 2024, related to amounts awarded to applicants on the basis of final decisions of the European Court of Human Rights (hereinafter only “The Resolution”). This resolution includes data for 519 applicants, i.e. their names and surnames, personal identification numbers (PIN), and bank accounts, together with the name of the bank where each account is maintained. On February 15th, 2024 the Government published the Resolution in the Official Gazette of the Republic of North Macedonia no. 39/24 in its original form, with all data included. The publication was made as part of the Government's obligation to publish its resolutions in accordance with the Law on the Publication of Laws and other Regulations and Acts ("Official Gazette of Republic of North Macedonia" No. 56/99, 43/02 and 21/21).

Immediately after the publication, there was a huge reaction from the public and experts, who pointed out that the Government had committed several violations in the process of publishing the Resolution in the Official Gazette. First, it was obvious that the Government did not take all necessary technical measures to protect the personal data, such as anonymization of personal data for the purpose of publishing the resolution; the Official Gazette likewise paid no attention to this when publishing the resolution. In addition, the Government did not comply with the obligation that, when processing citizens' personal identification numbers, the controller must take care that the personal identification number is not unnecessarily visible.

Another problem was that the Official Gazette is distributed both in electronic form and in hard copy. This raises the question of whether corrective measures by the Government, such as withdrawal of the electronic edition as well as the written edition, will be enough, considering that the electronic version has already been downloaded by many online users, and whether it is even possible to withdraw the written edition once it has been distributed.

Following the massive reaction of the public and concerned individuals, on February 16th, 2024, the Agency for the Protection of Personal Data (hereinafter only “The Agency”) carried out an extraordinary ex officio supervision of the legality of the activities undertaken by the Government in processing and protecting personal data in relation to the resolution and its publication. At the end of the supervision, the Agency established that, by publishing the personal identification numbers, bank account numbers and names of the banks of a total of 519 applicants in the Resolution, the Government acted contrary to the principles of "legality, fairness and transparency", "limitation of objectives", "minimum amount of data" and "integrity and confidentiality", while allowing the personal identification numbers of applicants to be unnecessarily visible, which violated the provisions of Article 9 paragraph (1) paragraphs 1, 2, 3 and 6, Article 10 and Article 83 paragraph (6) of the Law on Personal Data Protection.

In addition, the Agency ordered the Government to amend the Resolution so that the citizens' personal identification numbers, transaction accounts and bank names of the 519 applicants are deleted, to withdraw the Resolution from the "Official Gazette of the Republic of North Macedonia" 39/24, and to notify the Agency in writing, with written proof of the corrective measures taken.

 

Article provided by INPLP member: Jasmina Brezovska (Bona Fide, Macedonia)

 

 
