Fines for unsolicited (spam) messages ranging from 500 to 2.000 Euros.

According to the amended Law on personal data protection, the sending of spam messages to mobile phones and e-mail addresses will be fined with up to 2.000 Euros if done without the citizens’ consent. The law was enforced on August 27, but the fines for violating the right to personal data protection, ranging from 500 to 4.000 Euros in Denar equivalent value, will only be issued after the following six months.

The companies, political parties and everyone else performing direct marketing through the email addresses, mobile and fixed phones and citizens’ mailboxes, will have to pay a fine of 500 to 2.000 Euros. If the direct marketing is performed by a citizen, he would have to pay 500 Euros, whereas the legal entities will be fined with 2.000 euros, and management personnel with 700 Euros.

We have had complaints from high school graduates in Strumica and Kumanovo about messages received from a political party and complaints about letters sent by the “Sun” coalition – wishing a happy birthday to some citizens. The political marketing is also a direct marketing, so an inspection was involved but the procedure is still ongoing – says Zoran Pandev, deputy director of the Directorate for personal data protection.

The citizens have submitted several data protection requests to the Directorate, mostly due to violations done through the electronic communications: identity theft, receiving spam-messages on their mobile phones etc. Because of this, the Directorate has filed three notifications of violation against two telecommunication operators.

With the amendments to the Law, the Directorate will not be filing notifications of violation anymore, but will instead be able to issue fines for violations of the right to personal data protection, with an appeal procedure before the Administrative court.
If it is proven that there was indeed a personal data breach, the citizens will be able to sue for damages. In the case of abusing someone else’s personal data, including the personal identification number, addresses, telephone numbers and e-mail addresses, religious and philosophic convictions, as well as medical records and biometric data, citizens will pay from 500 to 900 euros. If these violations are done by legal entities (companies, political parties, associations…) the fines will be ranging from 2.000 to 4.000 Euros. Except these fines, people who have abused someone else’s personal data could also be criminally prosecuted and convicted to a prison sentence of up to one year.

Same as the personal identification number is a person’s identity on a national level, the biometric data such as fingerprints and retina scan are a universal identifier worldwide. This kind of data is already being used in some states, and these technology innovations will soon be here, so we decided to get prepared for this and protect the citizens’ biometric data – says Pandev. The camera surveillance of public places is treated as personal data processing; therefore the citizens must be informed whether there are surveillance cameras in a particular place.

There are special rules about where these cameras should be placed for safety reasons. For instance, there shouldn’t be any cameras at the workspace. Video surveillance is allowed only for the entrance and exit or for the safety of the workers, but it must not be used for evaluating their efficiency.

Cameras could be set up on the entrances of collective apartment buildings only with prior consent from all the tenants, and a camera must be placed in a position from which it will not be recording the neighbours when it’s in front of an individual apartment’s door. On the other hand, firms that have set up cameras in other premises within the building – must place a clearly visible notification about the video surveillance, whether it is 24 hour surveillance or during what time of the day are the cameras recording and who has set them up – says Marijana Marushik, the agency’s director.

According to her, this type of notifications should also be placed when the cameras are set up on crossroads and traffic lights in order to record possible traffic violations.

When these recordings are being used, only the license plates should be visible instead of the whole vehicle. In most cases, audio surveillance is not allowed. It can be used in call centres, for recording telephone conversations of the emergency medical service, police, fire service, in some bank services, but not for wiretapping employees’ phones, she said.

Until now, the directorate was not able to perform controls of the personal data collections of the citizens in the Ministry of Interior and the Ministry of Defense. With these amendments, the Directorate is now entitled to perform such controls when it comes to criminal procedures, even in the cases conducted by the Security and Counter – Intelligence Directorate for data that is not classified as confidential. But, when it comes to security and state defense, the Directorate would be able to “take a peak” only at part of them.

Source: Dnevnik "Amendments to the Law on Personal Data Protection" 29 August, 2008