Transfers of personal data outside of North Macedonia to third countries and international organizations (non-EU/EEA) (“Cross-Border Transfers”) have been under the watchful eye of the Agency for Personal Data Protection of North Macedonia (“DPA”) for a long time.
With the adoption of the new Law on Personal Data Protection in North Macedonia (“Law”) in 2020, the DPA’s position was strengthened. The Law transposes the GDPR to a great extent, and similarly as the GDPR, establishes the bases when Cross-Border Transfers will be considered to be in line with the Law. Among the most used safeguards for Cross-Border Transfers in practice are the standard contractual clauses (“SCCs”) adopted by the European Commission, which the Law recognizes as appropriate.
As an EU candidate country, North Macedonia strives to harmonize its legislation with the one of the EU, while authorities generally follow the practice of EU authorities in the application of such legislation. Thus, the DPA regularly observes developments in the EU related to the protection of personal data.
In 2020, the Court of Justice of the European Union (“CJEU”) annulled the EU-US Privacy Shield, the data transfer mechanism frequently used by EU companies for transferring data to the US. The CJEU confirmed that the SCCs generally remain valid but underlined the requirement to ensure in each case that data subject rights and effective legal remedies are available in the country there the data is imported. This opened the door for the need to carry out a transfer impact assessment, which will likely be reflected in the practice of the DPA.
Unofficially, in 2022, the DPA will require submission of a performed transfer impact assessment with each request for approval of a Cross-Border Transfer. For data exporters, this will represent a significant burden, additional delays impeding Cross-Border Transfers and potential rejection of the request for approval of the Cross-Border Transfer (e.g. if the transfer impact assessment has a negative conclusion or if the conclusion is positive, but the DPA disagrees with the findings therein).
It is yet to be seen how this unofficial requirement will unfold in practice, but data exporters should be wary of it and do their due diligence prior proceeding with a Cross-Border Transfer.
The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.