Law Office Badeva

Personal Data Protection

In the era of digital transformation, protecting personal data is not only a legal obligation but also a foundation for building trust with your clients and business partners. The Republic of North Macedonia, through its Personal Data Protection Law (PDPL), fully aligned with the European GDPR, imposes strict requirements on every company. Non-compliance carries not only financial penalties but also significant reputational risk.

Our team of Macedonian law experts possesses deep expertise in this complex field. We guide you through the regulatory maze while actively protecting you from legal risks, leveraging comprehensive analysis of case law to ensure flawless compliance and effective safeguarding of your interests.

We offer full legal support covering all aspects of personal data protection, turning legal complexity into a competitive advantage.

Full Compliance with PDPL and GDPR

All processing of personal data must be lawful, fair, and transparent, with a clearly defined purpose and legal basis, in accordance with the Personal Data Protection Law. Courts are strict in applying these principles, and the most common violations include:

  • Lack of valid consent or legal basis: Processing personal data is lawful only if at least one condition under the PDPL is met, including obtaining the data subject’s consent. This is particularly critical for national ID numbers and special categories of personal data (e.g., health data, ethnicity, political opinions), which require explicit consent or another legal basis.
  • Excessive or irrelevant processing (principle of data minimization): Data must be adequate, relevant, and limited to what is necessary for the intended purposes. Excessive collection or disclosure constitutes a violation.
  • Non-compliant internal acts and policies: Absence of clear internal procedures for data quality checks, updates, deletion, or security measures may result in penalties. The data controller is responsible for ensuring compliance with processing principles and must demonstrate accountability under the PDPL.

Our team conducts detailed audits of your data processing activities, drafts internal policies, privacy policies, and procedures fully aligned with the PDPL and the latest interpretations from the Agency for Personal Data Protection (APDP). This includes implementing appropriate technical and organizational measures to ensure and demonstrate compliance.

Video Surveillance: Clear Privacy Guidelines

The use of video surveillance is strictly regulated and must comply with principles of proportionality and purpose under the PDPL. A controller may conduct surveillance in office or business premises only if necessary to protect life or health, safeguard property, ensure employee safety due to the nature of work, or monitor entry and exit solely for security purposes.

We advise on proper implementation of video surveillance, including clear policies, signage, and limitations to prevent misuse and penalties.

Managing Personal Data Security Breaches

In the event of a personal data breach, the controller must notify the APDP immediately, and no later than 72 hours after becoming aware of the breach.

Effective Representation before the APDP and Courts

When facing inspections or decisions by the APDP, prompt and expert legal response is critical. Every data subject has the right to submit a complaint to the Agency if they believe their personal data has been processed in violation of the PDPL. Additionally, any individual or legal entity has the right to effective judicial protection against binding decisions of the Agency.

  • Defense during inspections: We represent you during inspections, prepare comments on inspection reports, and provide arguments against identified violations.
  • Administrative disputes: If you are dissatisfied with APDP decisions, we initiate administrative disputes before the Administrative Court and Higher Administrative Court.
  • Compensation claims: Anyone who suffers material or non-material damage due to a PDPL violation has the right to claim compensation from the controller or processor.
  • Administrative fines: Violations of PDPL provisions carry fines of up to 2% of the controller’s or processor’s total annual turnover.

Data Protection Impact Assessment (DPIA) and Prior Consultation

When new technologies are used for processing that may pose a high risk to individuals’ rights and freedoms, the controller must conduct a Data Protection Impact Assessment (DPIA) regarding the planned processing operations.

Our team guides you through the entire DPIA and prior consultation process, ensuring all requirements are met and that your operations are fully compliant.
