Leonora Kadriji, Secretary-General of the Agency for Personal Data Protection
About 60 percent of all complaints received by the Personal Data Protection Agency (hereinafter the Agency) are from citizens seeking protection because someone illegally posted their personal information, videos, photos, audio recordings on social networks or other Internet sites (Facebook, Instagram, YouTube, Twitter, Pornhub, Snapchat, Tinder, Xhamster, etc.) without their knowledge and consent, which violates their right to privacy, said in an interview Leonora Kadriji, Secretary-General of the Agency for Personal Data Protection.
What are the negative consequences of misuse of citizens’ personal data?
Kadriji: Violation of the Law on Personal Data Protection may result in material or non-pecuniary damage to citizens, such as loss of control over their personal data or restriction of their rights, discrimination, identity theft or fraud, financial loss, damage to property, reputation damage, loss of confidentiality of personal data or any other significant economic or social disadvantage for the person concerned.
In particular, the advancement of information technology has created great advantages, but, on the other hand, its misuse or abuse can have negative consequences for citizens in the economic, social and cultural environment. The potential of information and communication technology for the storage and processing of personal data increases the problem of their protection. It is, therefore, necessary to ensure the security of the entire system, to raise the awareness of Internet users about the many dangers that arise when using it, as well as to teach them not to believe the large number of scams that lurk every day.
In this context, we emphasize that in such cases of abuse, computer-based social engineering techniques such as “phishing” and “pharming” are most often used. Phishing is a form of fraud that involves a set of activities of unauthorized users by using fake emails and fake websites, trying to obtain personal information from users such as personal identification number, username, passwords, PIN numbers, etc. Unfortunately, there are a large number of users who are not familiar with this type of fraud. Once their personal data is found, malicious senders either use it or sell it.
The Agency for Personal Data Protection acts if personal data are illegally processed by controllers of personal data collections, but only if they are part of an existing collection of personal data or are intended to be part of a collection of personal data, such as provided in the Law on Personal Data Protection. Therefore, in some cases of prevention, detection and prosecution of perpetrators of crimes committed online, the reports are forwarded to the Ministry of Interior and the Public Prosecutor’s Office so that the perpetrator can be investigated and identified.
At the same time, we urge the citizens to timely request assistance and report such cases to the competent institutions so that appropriate measures can be taken, in order not to suffer further damage, not only financially but also to their private life, their integrity, honor and reputation.
What rights do the citizens of RNM have regarding the protection of personal data?
Kadriji: The Law on Personal Data Protection gives the citizen the right to know which personal data the controllers collect, process and store for them and whether they process them legally. The rights that refer to the citizens are: Right to be informed, right to access, right to correction, right to erasure (“right to be forgotten”), right to restrict processing, right to data transfer, right to object, the right not to be subject to a decision based solely on automated processing, including profiling.
These rights are very important for the citizens because they should be aware that they have the right, for example, to be informed about the processing of their personal data. Then, they have the right to receive confirmation from the controllers whether their personal data is processed and to receive information for what purposes their data is processed, they have the right to correct their personal data, they have the right to delete their data if not needed anymore, then citizens can restrict the ways in which controllers use their personal data in certain circumstances, the right to object, and so on.
Citizens should be aware that, for example, when processing their data, if there is no legal basis for collecting their personal data, if the requested personal data is too large and inappropriate for the purpose for which it is collected if the controller does not inform them clearly and a transparent way of collecting and processing their personal data, they may refuse to provide their personal data.
Citizens also have the right to submit a request to the Agency, if they consider that the processing of their personal data violates the provisions set by the Law on Personal Data Protection, without questioning any other administrative or judicial remedies. For the submitted request, the Agency, as a supervisory body, conducts ad-hock supervision in accordance with the Law on Personal Data Protection.
Also, without prejudice to any available administrative or out-of-court remedies for legal protection, including the right to file a claim with the Agency, every citizen has the right to effective judicial protection when they believe that their rights have been misused under the Law on the protection of personal data, by filing a lawsuit to the competent court in accordance with the law.
At the same time, every citizen who has suffered material or non-material damage as a result of the violation of the Law on Personal Data Protection has the right to receive compensation from the controller or processor for the damage, a right which is also exercised before a competent court in accordance with the law.
What do citizens most often report to the Agency for Personal Data Protection?
Kadriji: The complaints we receive in the Agency for Personal Data Protection mainly refer to the violation of privacy and protection of personal data on social networks, then to unauthorized video surveillance in residential buildings/family houses, regarding the processing of personal identification numbers and/or ID card (copy), processing of personal data without the consent of the applicant, excessive processing of personal data, etc. Namely, about 60% of all complaints we receive are from citizens seeking protection because someone illegally posted their personal data, videos, photos, audio recordings on social networks or other websites on the Internet (Facebook, Instagram, YouTube, Twitter, Pornhub, Snapchat, Tinder, Xhamster, etc.), without their knowledge and consent, which violates their right to privacy, as well as cases involving insults, defamation and online blackmail. Some of the complaints we receive are from children.
In the past period, several cases of violation of personal data have attracted public attention, and probably the most exposed among them were several cases of “Public Room”. Can you tell us how this case was handled?
Kadriji: During 2020, when the scandal known as “Public Room” first appeared, the Agency received calls from citizens and at the same time meetings were held with citizens who wanted to be informed about the social platform “Telegram”. In this context, we emphasize that as for other social networks and platforms, as well as in the case of “Public Room” or the application Telegram, the Agency for Personal Data Protection can act only if there is an entity, which could be referred to as a controller in accordance with the Law on Personal Data Protection.
In the specific case “Public Room”, given that there are elements of reasonable suspicion of the existence of a crime, we inform that the only competent body that has the authority to act and perform activities in relation to the prevention of crimes, as well as detecting and apprehending their perpetrators and taking measures to prosecute the perpetrators of those acts is the Ministry of Interior in cooperation with the competent public prosecutor’s office.
For these reasons, in such cases, the Agency submits appropriate submissions to the Ministry of Interior, i.e. to the competent public prosecutor’s office.
What are the biggest risks and challenges regarding the protection of personal data in RNM?
Kadriji: The Law on Personal Data Protection fully transposes the European Data Protection Regulation (GDPR). Regarding the controllers, their biggest challenge regarding the harmonization of business processes with the Law is risk assessment in the processing of personal data, determining the legality of processing, ensuring compliance in performing direct marketing, keeping records of processing activities etc. Many controllers are unfamiliar with what exactly personal data processing is and think that they only “store” personal data from employees or “store” only the name and surname and personal identification numbers of clients. It is of great importance for the controllers to recognize that they are processing personal data and that the Law on Personal Data Protection is also applied.
In this context, the Agency has published on its website guidelines for the preparation of documentation for technical and organizational measures, guidelines regarding the reporting of personal data processing that will result in high risk and information for the appointment of a personal data protection officer. In doing so, we want to emphasize that the controllers should be transparent so that the citizens know who and why is processing their personal data.
Also, special emphasis should be placed on educating all employees with the controllers on the matter relating to personal data protection, as well as on the responsibilities and obligations arising from the Law on Personal Data Protection. Personal data protection is an opportunity for controllers to improve their own services, to improve their business and the reputation of citizens. If they invest in education for this type of protection, there will be an improvement in their business and in the quality of life of the citizens.
What can we do to improve the protection of our personal information?
Kadriji: In order for the citizens to more successfully protect their personal data and become aware of their rights in the digital society in which we live, the Agency has prepared a Newsletter that is published on our website which explains the rights of citizens, such as the right to access personal data, right to be informed, right to correction, right to object, right to erasure, etc.
Hence, we appeal to all citizens, including children, to act with due caution and to be careful not to submit their personal data, photos, videos via the Internet to unknown persons without checking with whom they communicate; make a full check before deciding to disclose their personal and other information to other persons; not to make payments to persons and companies unknown to them; to protect their profiles on social networks with settings that will protect their privacy, to use complex passwords and change from time to time, etc.
The work of the Agency will continue to focus on raising public awareness and informing citizens about the importance of the matter of privacy in the exercise of their basic human rights and freedoms.
Also, in 2021, the Agency launched the twinning project “Support for the implementation of the modernized legal framework for personal data protection”, funded by the EU, organized by the Agency for Personal Data Protection of North Macedonia, the Agency for Personal Data Protection of Croatia and the German Foundation for International Legal Cooperation (IRS). The project prepares guides, procedures, methodologies, trainings and various tools that will help all of us and will facilitate the transition to the novelties provided by the Law on Personal Data Protection. With the support of the Project, the Agency will make an effort to transmit the European practice for the implementation of the EU General Data Protection Regulation (GDPR) in the Republic of North Macedonia, says Leonora Kadriji, Director of the Agency for Personal Data Protection.