“Transfers of data from North Macedonia to third countries may be based on various grounds, derived from either the local framework or the adequacy decisions of the European Commission”

Under the Law on Personal Data Protection 2020 (‘the Data Protection Act’), transfers of personal data to non-EU/EEA countries are largely restricted. The Personal Data Protection Agency (‘DZLP’) has the power to determine whether certain countries, territories, or international organisations offer an adequate level of protection for data transfers, as well as to issue individual approvals for transfers of personal data to non-EU/EEA countries. When determining adequacy, the DZLP must especially consider whether the third country offers a level of protection that is substantially equivalent to that ensured in North Macedonia, and whether it provides data subjects with effective and enforceable rights and means of redress. The DZLP also has the power to repeal, amend, or suspend any adequacy decisions.

An adequacy decision from the DZLP is not required for transfers of personal data to EU/EEA countries or countries which are ‘white-listed’ by the European Commission, i.e. have been assessed to provide an adequate level of personal data protection. The white-listed countries include Andorra, Argentina, Canada (where the Personal Information Protection and Electronic Documents Act 2000 applies), the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, and the US (only for companies which are operating in compliance with the EU-US Privacy Shield). However, data controllers and data processors must give notice to the DZLP of transfers of personal data to EU/EEA and ‘white-listed’ countries at least 15 days before the commencement of such transfers. The notice must be submitted either via email or via the electronic system of the DZLP.

In the absence of an adequacy decision, the Data Protection Act does allow a transfer if the controller or processor has provided ‘appropriate safeguards.’ These safeguards are discussed below.

Standard Contractual Clauses (‘SCC’)
SCC are model data protection clauses either adopted by the DZLP or approved by the European Commission. The clauses contain contractual obligations on the data exporter and the data importer, and rights for the data subjects whose personal data is transferred. Data subjects can directly enforce those rights against the data importer and the data exporter.

Binding Corporate Rules (‘BCRs’)
BCRs form a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group’s EU/EEA entities to the group’s non-EU/EEA entities. BCRs are legally binding data protection rules with enforceable data subject rights contained in them, which are approved by the DZLP.

Approved codes of conduct
Codes of conduct are voluntary and set out specific data protection rules for categories of controllers and processors. They can be a useful and effective accountability tool, providing a detailed description of what is the most appropriate, legal, and ethical behaviour within a sector. Codes of conduct that relate to personal data processing activities by controllers and processors in more than one EU Member State, and for which the European Commission has adopted an implementing act, together with binding and enforceable commitments of the controller or processor in the third country, could be used as a transfer tool in the future.

Approved certification mechanisms
The Data Protection Act defines certification as ‘the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.’ Therefore, certification mechanisms may be developed to demonstrate the existence of appropriate safeguards provided by controllers and processors in third countries. These controllers and processors would also make binding and enforceable commitments to apply the safeguards including provisions for data subject rights.

Legally binding and enforceable instruments between public authorities
An organisation can make a restricted transfer if it is a public authority or body and is transferring to another public authority or organisation, with both public authorities having signed a contract or another instrument that is legally binding and enforceable. This contract or instrument must include enforceable rights and effective remedies for data subjects whose personal data is transferred. This is not an appropriate safeguard if either the transferring organisation or the receiver is a private body or an individual. If a public authority or organisation does not have the power to enter into legally binding and enforceable arrangements, it may consider an administrative arrangement that includes enforceable and effective individual rights instead.

Data controllers or processors must apply to the DZLP, either via email or via the electronic system of the DZLP, seeking approval for transfers of personal data based on the above safeguards. The DZLP must adopt a decision on the application within 90 days from receipt.

Other derogations
Under the Data Protection Act, there are many derogations permitting transfers of personal data in limited circumstances, which include: explicit consent, contractual necessity, significant reasons of public interest, legal claims, vital interests, and public register data. There is also a new derogation for non-repetitive transfers involving a limited number of data subjects where the transfer is necessary for compelling legitimate interests of the controllers (which are not overridden by the interests or rights of the data subject) and where the controller has assessed and documented all the circumstances surrounding the data transfer and concluded there is adequacy. The controller must inform the DZLP and the data subjects when relying on this derogation.

Breach of the Data Protection Act’s data transfer provisions may yield fines of up to 4% of the worldwide annual turnover of controllers and/or processors.

Gjorgji Georgievski, Partner
gjorgji.georgievski@odilaw.com