The GDPR, which entered into force in the EU on May 25, 2018, will also have implications for Macedonia-based companies. The GDPR substantially expands the territorial reach of the EU data protection regime and will also apply to non-EU companies if they are selling products or services within the EU or if they are obtaining personal data in the EU and transferring it outside the EU. Hence, Macedonia-based companies which do business in the EU will be required to ensure compliance with the GDPR to avoid hefty fines for non-compliance amounting up to 4% of annual global turnover.
It is important to note that many of the GDPR’s concepts and principles are much the same as those in Macedonia’s current Personal Data Protection Act (PDPA). Consequently, the general approach to compliance under the PDPA will remain valid under the GDPR. However, companies will be required to make some substantial adjustments to the way they collect and process personal data. While the exact structure of the compliance program of Macedonia-based companies will, in part, be unique to their business, companies can take many actions to ensure compliance with the GDPR.
Initially, companies are well-advised to carry out a personal data audit to establish whether they will be caught by the GDPR. For example, online businesses which directly offer goods or services to individuals within the EU through websites and apps or employ cookies or other tracking tools on such websites and apps to monitor the behavior of individuals within the EU will be caught by the GDPR. The personal data audit should identify what personal data is collected, how the company uses the personal data, who they share it with, and what security measures are being applied to it. Using the information from the data audit, companies should be able to perform a gap analysis to identify areas where changes are required to ensure compliance with the GDPR.
The GDPR requires companies to be able to show how they comply with the data protection principles, for example by having adequate policies and procedures in place and by maintaining accurate records of processing activities. Existing personal data protection policies and procedures of companies should be revised to reflect the new requirement for providing individuals with the right to data portability. The right to data portability applies only to personal data that an individual has provided to a controller, when the processing is based on the individual’s consent or for the performance of a contract and when processing is carried out by automated means. Additionally, companies are also required to revise the way they communicate their privacy policies and make sure that they contain concise, easy to understand, and precise information on the lawful basis for processing of the personal data and the data retention periods and state that individuals have a right to complain to the regulator if they feel that their data has been mishandled. Any commercial contracts entered into by companies must be reviewed to ensure that the provisions reflect that data processors have direct obligations under the GDPR and include the revised mandatory provisions for contracts with processors as well as the new breach notification requirements.
Companies should also review how they seek, record, and manage the consent of individuals to having their data collected and processed. The consent of individuals must be specific, informed, unambiguous, verifiable, and given freely. Companies cannot infer consent from silence or inactivity and must separate the consent from other terms and conditions, as well as provide individuals with simple ways to withdraw their consent. Companies relying on individuals’ consent to process their data are required to make sure that the consent will meet the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented, and easily withdrawn. Otherwise, companies will be required to revise their consent mechanisms and obtain a new GDPR-compliant consent from individuals or find an alternative to consent. Companies offering information society services to children are required to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. The GDPR sets the age when a child can give his or her consent to this processing at 16, and companies are required to obtain consent for children younger than that age from a person holding “parental responsibility.”
Macedonia companies which are doing business in the EU are well-advised to prepare for the GPDR to avoid sanctions and other repercussions under the new data protection regime.
By Gjorgji Georgievski, Partner
This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine.