Data protection law - An Introduction
Macedonia
Objects of and constitutional grounds for data protection legislation
PARLIAMENT OF THE REPUBLIC OF MACEDONIA Pursuant to Article 75, Paragraphs 1 and 2 of the Constitution of the Republic of Macedonia, the President of the Republic of Macedonia and the President of the Parliament of the Republic of Macedonia, herewith issue the following DECREE
We herewith proclaim the Law on Personal Data Protection which the Parliament of the Republic of Macedonia passed at its session held on January 25, 2005.
President
President
LAW ON PERSONAL DATA PROTECTION 1. GENERAL PROVISIONS This Law regulates the protection of personal data as fundamental freedoms and rights of the citizens, and especially the rights to privacy as related to the personal data processing. Certain terms used in this Law shall have the following meanings:
Article 3 This law shall be applied:
When the controller is located in the Republic of Macedonia and has branch offices abroad, he/she must take all the necessary measures to guarantee that each of these branch offices respects the provisions of this law. The provisions of this law shall be applied in cases when the controller is not located in the Republic of Macedonia, if the equipment which he/she uses for personal data processing is in the Republic of Macedonia, unless the equipment is used solely for transit across the territory of the Republic of Macedonia. In the cases referred to in Paragraph 3 of this Article, the controller is obliged to appoint a representative located in the Republic of Macedonia, responsible for applying the provisions of this law. Article 4 The provisions of this law shall not apply:
PERSONAL DATA PROCESSING Personal data shall be:
The controller shall be responsible for the quality of the personal data in accordance with paragraph 1 of this Article. The personal data processing may be performed upon previously obtained written consent by the personal data subject. The personal data processing may also be performed without the consent referred to in Paragraph 1 of this Article, when the processing is necessary for:
Article 7 Personal data processing that refers to criminal acts, pronounced sentences and security measures for committed criminal acts may be performed by the competent state bodies according to the law. III PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA Article 8 Processing of special categories of personal data is forbidden. As an exception to Paragraph 1 of this Article the processing of special categories of personal data may be performed:
The processing of special personal data categories referred to in Paragraph 2 of this Article should be specially marked and protected. The special categories of personal data referred to in Paragraph 2 of this Article may be transmitted through a telecommunication network only if they are specially protected by cryptographic methods, in a way in which they are not readable when transmitted. Article 9 The unique birth registration number of the citizen may be processed only upon a prior written consent by the personal data subject or under conditions determined by the law. The unique birth registration number of the citizen may be processed for the purposes of identification of the personal data subject, namely for:
The unique birth registration number of the citizen may be processed while carrying out activities which refer to the acquisition of credit or for debt payment, insurance, renting or establishing a trading company, in credit related matters, health and social protection, employment and other services in favour of the personal data subject. The controller shall ensure that the unique birth registration number of the citizen is not unnecessarily visible, printed or taken from the personal data collection. IV. RIGHTS OF THE PERSONAL DATA SUBJECT When the data are collected from the personal data subject, the latter must be informed on the identity of the controller and of its representative in the Republic of Macedonia, if any, as well as on the purposes of the processing, unless he/she is already aware of them. In the cases under Paragraph 1 of this Article, when the data are collected by means of a questionnaire, the latter should state whether the answers to the questions are compulsory or voluntary, the possible consequences if not answered, data on the users or categories of users of the data as well as the right not to agree that the data shall be used for commercial purposes. The controller shall inform the personal data subject on the right of access and correction of the data, if this is necessary, taking into account the special circumstances under which the personal data are collected and with the purpose to ensure the fair processing of his/her personal data.
Article 11 When the data are not collected from the personal data subject, the controller shall at the time of the recording of the personal data or if disclosure of the personal data to a third party is envisaged, no later than the time when the data are first disclosed, inform the personal data subject on his/her identity and that of his/her representative in the Republic of Macedonia, if any, of the purposes for the processing, the data categories, the users or categories of users of the data, the right to oppose any use of such data for commercial purposes or their transmission to third parties for such purposes, unless he/she is already aware thereof. The controller shall inform the personal data subject on the right of access and correction of the data, if necessary, taking into account the special circumstances under which the personal data are collected in order to ensure the fair processing of his/her personal data. As an exception to Paragraph 1 of this Article, the controller shall not inform the personal data subject about the processing of personal data for the purposes of historical and scientific research or statistical purposes, if it is impossible or if the collection or disclosure of personal data is explicitly stipulated by the law. The personal data subject may realize his/her right to insight into the Personal Data Collection by means of a written request, upon prior statement of the data from the Collection which are required to be seen. The controller should, in the course of thirty days from the day of the submission of the written request by the personal data subject, inform in writing the latter on the following:
Article 13 When the controller has responded to the request of the personal data subject for insight into his/her personal data, the controller has no obligation to respond again to the same or similar request submitted by that subject, if the personal data have not been changed in the meantime, unless six months have passed from the day of the submission of the previous request until the submission of the new one. Article 14 Upon the request of the personal data subject, the controller is obliged to supplement, amend, delete or prevent the use of the personal data, if they are incomplete, incorrect or not updated and if their processing is not in conformity with the provisions of this Law. In cases when the controller determines that the personal data are incomplete, incorrect or not updated, he is obliged to supplement, amend or delete them, regardless of whether the personal data subject has submitted a request for their supplement or amendment. For the performed supplement, amendment or deletion of personal data, pursuant to Paragraph 2 of this Article, the controller is obliged within 30 days from the day of submission of the request to inform in writing the personal data subject, the personal data users or third parties to whom the personal data have been disclosed, unless this is not possible. Article 15 The rights and the obligations, defined in the provisions of Articles 10, 11, 12 and 14 of this Law may be restricted in the way and under the conditions determined by a law to the extent which is necessary for the realization of the purposes due to which this restriction has been determined, and if necessary:
Article 16 The controller shall not act in accordance with the request of the personal data subject pursuant to Article 12 of this Law, when authorized according to a law and if the personal data are processed exclusively for the scientific research purposes, or if they have been collected exclusively for defined statistical purposes and are kept for a period not exceeding the one necessary for the sole purpose of creating statistical data. The personal data subject shall be entitled, at any time, to request in writing from the controller, not to use the data from the collection for the purposes of advertising material referring to this subject. The controller shall be obliged to previously inform the personal data subject, in writing, about the intention and the legal basis of the personal data processing for advertising purposes. Any natural person who considers that his/her right, guaranteed by this law, is violated may submit a request for determining the violation of the right to the Commission of the Directorate for Personal Data Protection (hereinafter referred to as: the Commission). The Commission, referred to in Paragraph 1 of this Article consists of a President and two members nominated by the Directorate Director. The Commission shall decide upon violation of the right referred to in Paragraph 1 of this Article. The Decision referred to in Paragraph 3 of this Article is an administrative act. The complaint against the decision from Paragraph 3 of this Article shall be submitted to the Director of the Directorate. An administrative dispute may be initiated against the decision of the Director of the Directorate taken upon the complaint. Article 19 The Commission, acting upon the request by a natural person for determining a violation of a right may prohibit, by a temporary decision, the further personal data processing to which the request refers, until the valid completion of the procedure.
A complaint against the Decision mentioned in Paragraph 1 of this Article shall be submitted to the Director. An administrative dispute may be initiated against the decision of the Director of the Directorate taken upon the complaint. Article 20 The expenses from the Articles 10, 11 and 12 of this Law shall be borne by the controller, unless otherwise stipulated by a Law. Article 21 The controller shall be liable for any damage caused to the personal data subject by the personal data processing or by other activity, carried out contrary to the provisions of this Law, unless he/she proves that the damage did not arise due to his/her fault. The right of compensation for damage by the controller may be also requested in the case of unauthorized use i.e. unauthorized permission to use personal data to other users or natural and legal entities. The Court decision which contains an estimation of a person’s behaviour cannot be based solely on automatic data processing intended for an estimation of certain aspects of the person’s character. Any other decision producing legal effects against a person or affecting him/her significantly, cannot be based solely on an automatic data processing, intended to define his/her profile or to estimate certain aspects of the person’s character. The Paragraph 2 of this Article shall not apply, if the decision has been taken:
V. SECRECY AND PROTECTION OF PERSONAL DATA PROCESSING Article 23 Any person having access to the personal data collection on behalf of the Controller or the Handler of the personal data collection, including the Handler of a personal data collection himself/herself shall be obliged to maintain the secrecy and protection of the personal data and to process them according to the authorizations and the instructions received by the controller, unless otherwise stipulated by separate law. Article 24 In order to ensure secrecy and protection of the subject’s personal data processing the controller must apply adequate technical and organizational measures which correspond to the equipment and expenses necessary for their implementation and refer to:
The measures under Paragraph 1 of this Article should provide a level of personal data protection corresponding to the risk arising from the processing and the nature of the data subject to processing. The Director of the Directorate shall prescribe the application of the adequate technical and organizational measures referred to in the Paragraph 1 of this Article. Article 25 The controller may delegate certain matters under his/her competence in relation to the personal data processing to the Handler of the personal data collection, on the basis of a signed contract, provided that the Handler will guarantee that he/she shall undertake technical and organisational measures referred to in Article 24, Paragraph 1 of this law on the protection and processing of personal data and shall respect them in full. While processing personal data, the Handler of the personal data collection shall be obliged to act according to the authorizations and the instructions received by the controller and with the provisions set forth by this Law. Article 26 The controller and the Handler of the personal data collection are obliged to keep records of the undertaken technical and organizational measures, under Article 24 of this Law, as well as records on signed contracts according to Article 25 of this law. VI. RECORDS ON PERSONAL DATA COLLECTIONS AND A CENTRAL REGISTER Article 27 The controller shall keep records of each personal data collection which shall contain:
Article 28 The way of keeping records under Article 27 of this Law and the form of the records shall be prescribed by the Director of the Directorate by a sub-legal act. The controller shall be obliged to submit notification to the Directorate, containing the data in accordance with the Article 27 of this Law, before performing the process of a complete or partial automated personal data processing, when the data processing should accomplish one or more similar purposes. The controller is also obliged to notify the Directorate for each change of data contained in the notification. The obligation from the Paragraph 1 of this Article shall not be applied to the already established personal data Collection for which a separate law shall define the purpose of processing, the data and the category of processed data, the categories of the personal data subjects, the users or the categories of users to whom the data shall be disclosed as well as the period during which these data shall be stored. In the cases referred to in Paragraph 2 of this Article, the controller is obliged to submit the data on the newly opened personal data Collection and the change of the data from the existing personal data Collections to the Directorate no later than fifteen days from the day of opening or change of the Collection. Article 30 The records from Article 27 of this Law are united into a Central Register, kept by the Directorate. The records from the Central Register shall be available to the public. The Directorate shall publish the records from the Central Register in the “Official Gazette of the Republic of Macedonia” or shall make them otherwise available to the public. VII. TRANSFER OF PERSONAL DATA TO OTHER STATES Article 31 The personal data transfer to other countries may be carried out only if the other state provides adequate degree of personal data protection. 
During the evaluation of degree of appropriateness of the personal data protection, all circumstances will be separately addressed which refer to the operation or operations for personal data transmitted, especially the nature and the origin of personal data which are transmitted, the goals and duration of operational processing, the state where they are transmitted, the rules regulating personal data protection in that state and regulations regulating the rules of the profession and the security measures. The degree of appropriateness of the personal data protection of other state is estimated by the Directorate. Article 32 If the state where the data are to be transmitted does not provide appropriate degree of personal data protection, the Directorate shall not allow transmission of personal data. Article 33 As an exception to the Article 31 of this Law, the transmission of personal data may be realized in the following cases:
VIII REVEALING PERSONAL DATA TO USERS Article 34 The controller shall reveal the personal data to a user upon the user’s written request if needed for performing matters within legally determined competency of the user. The written request from paragraph 1 of this Article must contain the reasons, legal basis for usage of the personal data and personal data category which are requested. It is forbidden to reveal personal data for usage to a user the processing of which or usage of which cannot be performed according to the provisions from Article 6 and Article 8 paragraph 2 of this Law and if the purpose for which the personal data are requested is opposite to Article 5 paragraph 1 line 2 of this Law. The personal data processed in scientific researches and statistical purposes shall not be revealed to the user in a form which enables identification of the person to whom the personal data refer. The mutual rights and obligations of the subjects under paragraph1 of this Article are regulated by contract. In cases under paragraph 1 of this Article, the Controller keeps separate records on the personal data which are revealed for usage, for the user of personal data and the reason for the revealing of these personal data to the user. Article 35 The personal data under Article 34 of this Law may be used solely for the period necessary for the realization of the specified purpose. After the expiration of the period under paragraph 1 of this Article the personal data must be deleted, unless otherwise regulated by a law. Article 36 The provisions of this Law for revealing personal data for usage refer to the personal data exchange between the state bodies unless otherwise regulated by a law. IX. 
ESTABLISHMENT AND COMPETENCIES OF THE DIRECTORATE FOR THE PERSONAL DATA PROTECTION Article 37 For the purpose of supervision over the legality of the undertaken activities during personal data processing and their protection, on the territory of the Republic of Macedonia a Directorate for personal data protection is established as an independent state body acting as a legal person. The Directorate is managed by a Director who is appointed and dismissed by the Parliament of the Republic of Macedonia upon the proposal of the Government of the Republic of Macedonia. The Director is appointed for a period of five years with a right to be re-appointed, but no more than twice. The Director of the Directorate has his/her Deputy appointed and dismissed by the Parliament of the Republic of Macedonia upon the proposal of the Government of the Republic of Macedonia for a period of five years. For their work, for the work of the Directorate, both the Director and the Deputy Director of the Directorate report to the Parliament of the Republic of Macedonia. Article 38 A Director i.e. Deputy Director may be appointed if he/she fulfils the following conditions:
The Director’s or the Deputy Director’s function may be terminated by his/her dismissal or in case of death. The Director or the Deputy Director may be dismissed if:
Article 39 Prior to taking the position, the Director i.e. the Deputy Director declares and signs the following ceremonial statement before the President of the Parliament of the Republic of Macedonia, which states: “I hereby state that I shall perform the function of a Director diligently, impartially and responsibly, I shall protect the rights of the citizens relating to the protection of their personal data and I shall respect the Constitution and the Laws of the Republic of Macedonia.” Article 40 The function of a Director i.e. Deputy Director is incompatible with other public functions or professions. Article 41 The Directorate has the following competencies:
Besides the competencies under paragraph 1 of this Article, on the basis of a notification submitted by the Controller before he/she commences the operations for the personal data processing, the Directorate shall provide an opinion whether certain operations of personal data processing present a special risk against the freedoms and rights of the personal data subject. The Director will prescribe the operations for personal data processing which present special risk against the freedoms and rights of the personal data subject. The Director shall prescribe the form, content and modality for running a Central Register under paragraph 1 line 6 and 7 of this Article. Article 42 The Director submits an annual report on the work of the Directorate to the Parliament of the Republic of Macedonia. When needed and upon a request of the Parliament of the Republic of Macedonia, the Director submits additional reports. The annual report on the work of the Directorate shall be published in the “Official Gazette of the Republic of Macedonia”. Article 43 The Director and the employees in the Directorate are obliged to keep as a secret the data which they came across during their work, as well as during their mandate, i.e. their employment in the Directorate and upon the termination of their mandate. Article 44 For the purpose of regular and efficient performance of the work within the competence of the Directorate, the Director and the employees in the Directorate are authorized:
Article 45 Upon the completion of the control under Article 44, minutes are prepared, a copy of which shall be submitted to the Controller who was the subject of the control. The minutes under paragraph 1 of this Article shall be signed by the employee of the Directorate who has performed the control and by the Controller who was the subject of the control. If the controller refuses to sign the minutes, the employee of the Directorate includes that in the minutes and has a right within seven days from the day when the control was performed to submit the remarks in a written form to the Director. Article 46 In case the control determines violations of the provisions of this Law during the personal data processing, the employee of the Directorate who performed the control notifies the Director of the Directorate in order to initiate a procedure. Article 47 In case the control determines violations of the provisions of this Law during the personal data processing, by a decision of the Director of the Directorate, the controller is obliged within 30 days from the day when the violations were noted to harmonize his/her work according to the provisions of this law, and especially:
An administrative dispute may be initiated against the Director’s decision. Article 48 The financial means for the work of the Directorate shall be provided from the Budget of the Republic of Macedonia. Article 49 The natural person – the Controller will be fined for an offence with 40,000 to 50,000 Denars if he/she:
A natural person – the Controller will be fined for an offence of paragraph 1 of this Article with 200.000 to 300.000 Denars. Article 50 A natural person – the Handler of the Personal Data Collection will be fined for an offence with 40,000 to 50,000 Denars, who:
A natural person – the Handler of Personal Data Collection will be fined for an offence from paragraph from this Article with 200,000 to 300,000 Denars. XI. TRANSITIONAL AND FINAL PROVISIONS Article 51 The Directorate starts the work on the day of the appointment of its Director. The Parliament of the Republic of Macedonia will appoint a Director in a period of six months after this Law enters into force. Within 30 days from the day of appointment of the Director of the Directorate, the Director will pass the acts for organization and systematization of the working positions of the Directorate. Other sub-legal acts foreseen with this law, the Director of the Directorate will pass within a period of six months from the day of his/her appointment. Article 52 The natural and legal persons who perform personal data processing shall harmonize their work according to the provisions of this law in a period of two years after the Director of the Directorate passes the sub-legal acts foreseen by this Law. Article 53 With the day of entry into force of this Law, the Law on Personal Data Protection ceases to be valid (Official Gazette of the Republic of Macedonia no.12/94 and 4/2002). Article 54 This law enters into force on the eighth day from the day of its publishing in the Official Gazette of the Republic of Macedonia.