Inspection

The Directorate for Personal Data Protection as an independent authority in the Republic of Macedonia is responsible for supervising the legality of personal data protection in the country. One of the main instruments for achieving this competence is the inspection that the Directorate for Personal Data Protection has implemented in accordance with the Law on Personal Data Protection (“Official Gazette of the Republic of Macedonia” No. 7/05, 103/08, 124/010 and 135/011).

The Directorate for Personal Data Protection plans inspections on an annual basis. The program for inspections in the following year is adopted at the end of the current year. The annual inspection program is published on the website of the Directorate for Personal Data Protection www.privacy.mk and the operationalization of the program is done through monthly inspection plans which are published on the website.

In addition to the regular inspection program adopted in the Annual Program of the Directorate for Personal Data Protection, an emergency inspection may be conducted following a proposal or initiative filed by a government authority or by a legal or natural person, where the inspector suspects that the Law on Personal Data Protection has been violated. An emergency inspection is also conducted on an application submitted by an individual, or by an association of which the individual is a member, who considers that a right guaranteed by the Law on Personal Data Protection has been violated.

The Directorate has a mandate to conduct supervision and control only after an inspection has been conducted, violations have been established, and the time period given to the controller for removing the violations has passed.

Nine inspectors work in the Directorate for Personal Data Protection organized in the Inspection Sector.

An ongoing report on various grounds is prepared for the inspections conducted, and it has a very important place in the Annual Report of the Directorate for Personal Data Protection, with data on multiple parameters. The implementation of inspections is also part of the regular reports on the progress of the Republic of Macedonia in preparing for membership in the EU.

In order to improve the supervision and personal data protection in the country, the Directorate for Personal Data Protection realizes international cooperation on a regular basis.

The Director issues an official identification to the inspectors.

During the inspection the authorized person has the right to:

  1. Enter any premises where personal data is processed and monitor the processing;
  2. Require written or oral explanations, and summon and examine persons in relation to the processing of personal data;
  3. Inspect the documents and other data related to the controller or processor, and take copies of them;
  4. Inspect the equipment on which personal data is processed and the equipment on which personal data is stored, together with an authorized representative of the controller or processor;
  5. Require an expert analysis and opinion to be prepared regarding the inspection; and
  6. Use the communication devices of the controller or processor in order to meet these objectives.

Flow of the inspection

The inspectors for personal data protection during the inspection establish if the controller:

  1. Has a legal basis to process personal data

By way of exception, the controller may process personal data in the following cases:

● if it has previously obtained the approval of the data subject;

● for the execution of a contract to which the data subject is a party, or at the request of the data subject before entering into the contract;

● where necessary to meet a legal obligation of the controller;

● for the protection of the life or vital interests of the data subject;

● for the performance of activities of public interest or the exercise of official authority vested in the controller or in a third party to whom the data are disclosed;

● for meeting the legitimate interests of the controller, a third party or a person to whom the data are disclosed, unless the rights and freedoms of the data subject prevail over such interests.

2. Applies technical and organizational measures to ensure confidentiality and personal data protection.

Pursuant to the provisions of the Regulation for Technical and Organizational Measures to Ensure Confidentiality and Personal Data Protection (“Official Gazette” No. 38/09 and 158/10), the controller during automatic processing of personal data should provide technical measures for personal data protection, including:

● a unique username;

● a password created by every user, comprising a combination of at least 8 alphanumeric characters (at least one capital letter) and special characters;

● a username and password that allow access to the information system as a whole, to individual applications and/or to individual collections of personal data, as necessary for the user to carry out their work;

● automatic logout from the information system after a specified period of inactivity (no longer than 15 minutes), with re-entry of the username and password required to reactivate the system;

● automatic lockout from the information system after three unsuccessful login attempts (entering the wrong username or password), with automated notification to the user that they should seek instructions from the information system administrator;

● installation of a hardware/software protective barrier (“firewall”) or router between the information system and the internet or any other external network, as a protective measure against unauthorized or malicious attempts to connect to or penetrate the system;

● effective and reliable anti-virus and anti-spyware protection of the information system, constantly updated to prevent unplanned and unknown threats from new viruses and spyware;

● effective and reliable anti-spam protection, constantly updated for preventive protection against spam; and

● connection of the information systems (computers and servers) to the power grid through an uninterruptible power supply.
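The password, lockout and inactivity rules above are concrete enough to be checked in code. The following is an added example, not code from the Directorate or from the Regulation: a small account model that enforces the password policy at creation, locks the account after three failed logins until an administrator unlocks it, ends a session after more than 15 minutes of inactivity, and audits a list of candidate passwords. It reads “alphanumeric characters” as requiring at least one letter and one digit (an assumption of this example), stores only a salted PBKDF2 hash rather than the password itself, and the names `Account`, `password_meets_policy` and `audit_passwords` are this example's own.

```python
import hashlib
import hmac
import secrets
import string

# Thresholds taken from the Regulation text above.
MIN_PASSWORD_LENGTH = 8
MAX_FAILED_LOGINS = 3
MAX_INACTIVITY_SECONDS = 15 * 60


def password_meets_policy(password: str) -> bool:
    """At least 8 characters, at least one capital letter and at least one
    special character. Requiring at least one letter and one digit is this
    example's reading of "alphanumeric", not wording from the Regulation."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and any(c.isupper() for c in password)
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def _hash(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash; the password itself is never kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """User account applying the lockout and inactivity rules."""

    def __init__(self, username: str, password: str):
        if not password_meets_policy(password):
            raise ValueError("password does not meet the policy")
        self.username = username
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(password, self._salt)
        self.failed_attempts = 0
        self.locked = False
        self.last_activity = None  # None means no active session

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. The third wrong attempt locks
        the account until an administrator calls unlock()."""
        if self.locked:
            return "locked"
        good = username == self.username and hmac.compare_digest(
            _hash(password, self._salt), self._hash)
        if good:
            self.failed_attempts = 0
            self.last_activity = now
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_LOGINS:
            self.locked = True
            return "locked"
        return "denied"

    def activity(self, now: float) -> bool:
        """Record user activity (now is seconds, as from time.time()).
        Returns False and ends the session when more than 15 minutes have
        passed since the last activity, so the user must log in again."""
        if self.last_activity is None:
            return False
        if now - self.last_activity > MAX_INACTIVITY_SECONDS:
            self.last_activity = None
            return False
        self.last_activity = now
        return True

    def unlock(self) -> None:
        """Administrator action after a lockout."""
        self.locked = False
        self.failed_attempts = 0


def audit_passwords(candidates: dict) -> list:
    """Return the usernames whose candidate passwords fail the policy.
    The input is a constructed mapping of username to proposed password."""
    return sorted(u for u, p in candidates.items()
                  if not password_meets_policy(p))
```

The inactivity check deliberately takes the current time as an argument rather than reading the clock, so the 15-minute boundary can be exercised in a test without waiting; a real system would call `activity(time.time())` on every request.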

The controller during the automatic processing of personal data should provide organizational measures for protection of the processing of personal data:

● limited access to, or identification for access to, personal data;

● organizational rules for user access to the Internet, pertaining to the downloading and recording of documents taken from email or other sources;

● physical security measures for the office premises and communications equipment where personal data is collected, processed and stored; and

● compliance with the technical instructions for the installation and use of the information and communication equipment on which personal data is processed.

Any external access by an employee or user from outside the controller's local computer or network shall be separately controlled and recorded.

The controller should perform regular backup and archiving of data in the system to prevent their loss or destruction. The controller of the processing of “special categories of personal data” at each stage of processing (collection, transfer, data entry, storage, destruction, etc.) marks that the processing is for the listed data categories.

  3. The processing of personal data is in accordance with the Law on Personal Data Protection.

Personal data that is processed by the controllers should be:

● collected for specific, clear and legally defined purposes, and processed in a manner consistent with those purposes;

● adequate, relevant and not excessive in relation to the purposes for which they are collected and processed;

● accurate, complete and, where necessary, updated, with data that is inaccurate or incomplete being deleted or corrected with regard to the purposes for which it was collected or processed; and

● kept in a form which permits identification of the data subject for no longer than is necessary to fulfil the purposes for which the data were collected or further processed.

After the storage period for personal data has expired, the data may be processed only for historical, statistical or scientific purposes. The right to privacy and to personal and family life of the data subject must be protected from unauthorized use, and the data must be anonymized as soon as possible.

Report Writing

After the inspection, the inspector authorized to conduct the supervision prepares a report referring to the violations of the Law on Personal Data Protection identified during the inspection. The report is signed by the inspector of the Directorate who carried out the supervision and is submitted to the controller that was the subject of the supervision within 30 days of completing the supervision.

The controller has 3 days from the receipt of the report to submit comments on the report.

Resolution

After the deadline for submitting comments on the report, the inspector who carried out the inspection issues a resolution which obliges the controller, within a set period from the day the violations were reported, to bring its operations into line with the Law on Personal Data Protection.

With the resolution the inspector may order the controller to:

● remove the violation within a specific period;

● complete, update, correct, disclose or provide confidentiality of personal data;

● adopt additional measures to protect personal data;

● stop further processing of personal data;

● stop the transfer of personal data to other countries;

● provide data or transfer them to other entities;

● block, erase or destroy personal data.

Administrative dispute

The controller can appeal to the Administrative Court of the Republic of Macedonia within 15 days of receiving the resolution.

Violation of the provisions of the Law on Personal Data Protection

For violations of the provisions of the Law on Personal Data Protection, a fine is imposed for the offence, the amount of which differs depending on whether the offender is a natural or a legal person (controller or processor of collections of personal data). Requests for the initiation of infringement proceedings before the Commission on Offences may be submitted by the authorized person (inspector) of the Directorate. For the offences listed in the Law on Personal Data Protection, a settlement procedure is conducted in accordance with the provisions of the Penalty Code.

Basic checklist for processing of personal data (download)