GDPR and its influence outside EU - Why, What, Who, When, How (Macedonia’s case study)
The simplest answer would be, to be aligned with EU acquis. But the true answer is far more complex and logical. Real answer is actually to "acknowledge" the fact that, unlike before, today the processing of personal data is increasingly being carried out in an automated manner, and consequently to establish the protection of personal data and setup a privacy law in connection with the personal data processing in the new era. Additionally, it’s because of the country’s citizens and all data subjects in broader sense that live, work, study or stay in that particular country. Namely, in case of a scandal that is related to personal data breach, in this modern digital world, from data subject’s point of view, there is not much of a difference whether you are coming from EU or non EU country. On the other hand, if the country wants to achieve adequacy level regarding personal data protection, and hence secure free (less administrative) flow of information that contains personal data, then aligning with, and transposing GDPR is a must.
GDPR is so powerful that even a narrow study will show that each and every non EU country from the Balkan Peninsula is preparing, or have prepared already, a law that will transpose it. Republic of Macedonia is not an exception. That is not on the occasion of GDPR only, but mainly because of the new and enhanced solutions in GDPR such are the new concepts (profiling, pseudonymization, genetic data, biometric data...); Principle of accountability; Right to be forgotten; Privacy by Design and by default; Data Privacy Impact Assessment; Data breach notification; Binding corporate rules…
Personal Data Protection Agency (PDPA), controllers and processors, all interested parties. PDPA will be the main locomotive that will pull in this process of aligning with GDPR. But locomotive without wagons could never be a train. Hence, all controllers, processors and other stakeholders will have to attach to the locomotive in order to have real personal data protection environment that secures privacy of all data subjects.
Macedonian law was submitted to the Delegation of EU to Skopje for an opinion, last January. We received expert opinion last march. It is expected that law will be adopted by the Parliament by the end of first half of this year (2018).
After the adoption of the Law during 2018, PDPA will harmonize its operations and legislation by: adoption of all by-laws, participation in the harmonization of sectoral legislation, controllers and processors shall be obliged to harmonize their operation with the provisions of this Law within the appropriate period from the day this Law enters into force.
Article provided by: Igor Kuzevski, Directorate for Personal Data Protection in Macedonia