The photo was taken from the Facebook page of the Agency for Personal Data Protection.
Representatives of the Metamorphosis Foundation followed the online debate on “Two years since the enactment of the Law on Personal Data Protection” organized by the Agency for Personal Data Protection on the occasion of Data Protection Day on 28 January 2022. Personal data protection is an area in which the Metamorphosis Foundation pays particular attention to within the Human Rights Online program, which aims to help communities cope with the enormous changes resulting from the growing impact of new technologies (including big data, artificial intelligence, robotics, nanotechnology and genetics). Metamorphosis focuses on protecting privacy and freedom of expression by strengthening the capacity of citizens and institutions (as well as by providing grants) for a digital society.
Representatives of the Personal Data Protection Agency, the EU Delegation in Skopje, as well as the Croatian partners of the Agency in the project “Support in the implementation of the modernized legal framework for personal data protection” supported by the European Union, addressed the debate.
In his introductory address, Mr Imer Aliu, Director of the Agency for Personal Data Protection, shared that in the past period, AZLP has worked hard to establish and implement a modern legal framework for personal data protection, but also based on the conclusions of The EU report on North Macedonia, as well as the comparative experiences of the project partners from Croatia and Germany, the Agency is already preparing proposals for changing the Law on Personal Data, in terms of the Agency’s status as an independent body, but also reducing the administrative obligations of personal data controllers to the Agency. He stressed that the Law on Personal Data Protection is in full implementation, and its non-compliance can lead to fines.
Mr Frick Janmat, representative of the EU Delegation to North Macedonia, gave examples of how harmful the misuse of personal data can be. Janmat stressed that at the level of the European Union GDPR (General Regulation on Personal Data Protection) is considered as the highest standard for personal data protection and stressed the need for independent functioning of the LPDP in terms of both financial and human resources.
Ms Sanja Silaj Zeman, Permanent Twinning Advisor, emphasized that the GDPR is a regulation on new technologies that focus on human rights and stressed that it is not enough just to pass a law, but it is necessary to enforce the law. According to her, it is necessary to strengthen the capacities of the LPDP for the implementation of the new legal framework. Silaj Zeman shared that the first step in overcoming the challenges related to the implementation of the Law on Personal Data Protection should be the appointment of a personal data protection officer with appropriate qualifications who will continuously upgrade their knowledge in the field.
Ms Iva Katikj from the Agency for Personal Data Protection of the Republic of Croatia clarified that due to the accelerated technological development, digitalization has penetrated into all spheres of business and that many companies work with data collection, processing and storage. She shared the experience of the Republic of Croatia with the adoption of the GDPR and stated that the Croatian ADP, in addition to monitoring compliance with the law, also works to promote the importance of personal data protection, with a special focus on preventing personal data abuse. Ms Katic also shared that the high fines for non-compliance with the provisions on personal data protection, caused great fear among citizens, but as a result of their educational activities, the panic caused by the GDPR has decreased. Iva Katic ended her address with the idea that fear is overcome with knowledge, and the GDPR exists to give power to citizens and make them stronger.
Slobodanka Slavkovska from the Agency for Personal Data Protection informed that in the past period the Agency, together with the partners from Croatia and Germany, prepared many materials, published several newsletters, guidelines, guides, forms and other documents related to personal data protection. She clarified that the goal is not only for the controllers to take the forms, but the protection of personal data should be implemented thoroughly and completely, i.e. the controllers must first know what data they collect and how they will store and process it. Slavkovska also announced that many other such documents will be published and that AZLP is developing a new website for the appearance and functionality for which ideas are welcome. She recommended that resources developed by AZLP are used and to keep in mind that the protection of personal data, in addition to being a legal obligation, is a cultural thing and awareness whose development we should all work on.
Sanja Nikolovska from the Agency for Personal Data Protection shared that a memorandum of cooperation has been signed which enables harmonization of sectoral legislation with the Law on Personal Data Protection. She shared that in practice, the proposers (ministries) have ambiguities on how to harmonize the laws with the Law on Personal Data Protection and what they should do beforehand to harmonize their actions with the Law. Therefore, the employees of AZLP have prepared a Methodology for harmonization of sectoral legislation, which contains guidelines on how proposers (ministries) should act to harmonize laws with the Law on Personal Data Protection, as well as guidelines regarding the assessment of the impact of laws on the protection of personal data. Nikolovska pointed out the need for the ministries to first identify the laws that need to be changed, amended or supplemented to be in accordance with the Law on Personal Data Protection and recommended the state authorities to use the opportunity for prior consultation with the Agency in the preparation process of the new legislation.
Valentin Fetadzokoski from the Agency for Personal Data Protection shared that the Agency is responsible for creating a culture of personal data protection, but in that culture, the legal rules should be applied. He stressed that the protection of personal data permeates all spheres of life, which means that it is a very complex matter, especially with the occurrence of the pandemic when the use of technology has increased further. With the onset of the pandemic, the focus shifted to controlling controllers’ websites, and over time, the practice has shown that controllers began publishing data on privacy officers, making and publishing privacy policies, and abandoning the established trend so-called “Cookie walls”, to publish information on how data is collected, processed and stored and to apply appropriate technical and organizational measures for the protection of personal data. Fetadzokoski emphasized the recommendation that controllers must try to reduce the data they collect, store and process.
Manuela Stanoevska Stojkovska from the Agency for Personal Data Protection referred to the obligation of the personal data controllers to report to the Agency when there is a high risk for the protection of personal data. She shared that the number of applications is much higher than the number of notifications received by AZLP. Stanoevska Stojkovska reminded that the notification for the violation of personal data security should be sent to the Agency within 72 hours from the moment when the controller found out about it, to email@example.com. She stressed that a distinction should be made between breaches of personal data security and incidents with personal data protection, and stressed that controllers have an obligation to establish a system for managing breaches of personal data security and appropriate steps to deal with, document and maintain a register of breaches of personal data security. Ms Stanoevska Stojkovska concluded that whether the controllers are afraid or not afraid to inform the Agency about the violation of personal data security, it is their legal obligation that they must respect and that fulfilling this obligation means the practical application of the legal principle of accountability.
Blerim Bajrami from the Agency for Personal Data Protection shared information about the adoption of mandatory corporate rules, mandatory codes of corporate conduct, as well as policies for the transfer of personal data in other countries.
Ms Leonora Kadriji, Secretary-General of the Agency for Personal Data Protection summarized the recommendations of the speakers and noted that:
- Personal data protection officers are the extended arm of the AZLP, and they need to take care of advancing the rights of users, and their capacity needs to be continuously upgraded.
- GDPR provides protection of citizens’ rights, and its implementation should not cause fear.
- Personal data protection is a cultural thing and a personal awareness, it is important that there is the interest of all stakeholders for its promotion.
- Ministries should use the opportunity to consult with the LPDP before adopting a draft law to ensure that the proposal is in line with the Law on Personal Data Protection.
- The controllers are obliged to inform the LPDP whenever there is a breach of personal data security.