Law: Law on Personal Data Protection 2020 (only available in Macedonian here) (the Law)

Regulator: Personal Data Protection Agency (DZLP)

Summary: The Law on Personal Data Protection 2020 (only available in Macedonian here) (the Law) was adopted in February 2020 to align the national legislation with the GDPR, even though North Macedonia is not an EU Member State. Notable derogations from the GDPR include a lower threshold for the exemption from keeping records of processing activities, special requirements for data protection officers, including the requirement of fluency in Macedonian, and the stipulation that processing for direct marketing purposes can only be conducted based on the data subject's consent. Similar provision to the GDPR concern the obligation to conduct data protection impact assessments (DPIAs), notification to the Personal Data Protection Agency (DZLP) in case of a data breach, and data subject rights.

Furthermore, the Law has transformed the Directorate for Personal Data Protection into the DZLP, which has been given enhanced powers to authorize standard contractual clauses (SCCs) and Binding Corporate Rules (BCRs). In addition, the DZLP has issued rulebooks and signed Memoranda of Cooperation. Moreover, North Macedonia is a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 108/81 (the Convention 108).