In the event of a violation of the security of personal data, you must immediately, and no later than 72 hours after you learned about the violation, notify the Agency for the Protection of Personal Data at incident@privacy.mk or https://eprijavi.privacy.mk/ .
If you are unable to notify the Personal Data Protection Agency within 72 hours, you can submit the notification in phases, without further undue delay. This obligation does not apply in cases where it is not probable that the violation of the security of personal data will result in a high risk to the rights and freedoms of natural persons.
Example:
A municipality announced a call for support to associations that provide assistance to the elderly and infirm. Several associations applied for the call, and several of them managed to get financial support from the municipality for their activities.
When the municipality notified the associations that received support (via e-mail), it accidentally put the contacts of all associations in the carbon copy (cc:) field instead of the blind carbon copy (bcc:) field, which would have prevented disclosure of personal data to unauthorized persons.
Although this represents a breach, there is no great risk for natural persons (several e-mail addresses contained the name of the contact person from the relevant association, but the content of the message was not confidential/sensitive), so this kind of incident should not be reported to the Agency for the Protection of Personal Data.
The municipality has documented this breach of personal data security, including the facts and effects of the event, as well as the corrective actions it has taken.

