You should designate a personal data protection officer in the following cases:
- if you are a state administration body;
- when your core business consists of extensive processing operations that require regular and systematic monitoring of natural persons (e.g. a security company that has a video surveillance system in several shopping centers); and
- where your core business involves the extensive processing of special categories of personal data (e.g. biometric data, genetic data, health-related data) or personal data related to criminal convictions and criminal offenses (e.g. the processing of personal data in a hospital is considered extensive processing, as opposed to processing carried out by a doctor, which is not considered extensive processing of personal data).
Important note! You must publish the contact details of the personal data protection officer on your website and submit them to the Personal Data Protection Agency.
The Personal Data Protection Law prescribes special conditions for the person who is designated as a personal data protection officer:
- to meet the employment conditions listed by the law on the protection of personal data and by another law;
- to actively use the Macedonian language;
- at the time of the determination, no penalty or misdemeanor sanction has been imposed on him by a final court judgment for banning him from performing a profession, activity or duty;
- to have acquired at least 240 credits according to the European Credit Transfer System (ECTS) or to have completed the VII/1 degree of higher education;
- to have acquired knowledge and skills in relation to practices and regulations in the area of personal data protection.
Example:
State administration bodies, such as ministries, institutes, institutions, etc., must designate a personal data protection officer.
Apart from the professional qualifications, what other conditions are prescribed for the personal data protection officer?
A group of companies may designate one officer for the protection of personal data, provided that he/she is equally and easily accessible to all legal entities of the group and to the subjects of personal data, while in the case of state administration bodies, one officer may be designated for several bodies in the composition of the competent authority.
The personal data protection officer may be an employee or perform the tasks on the basis of a contract.
It should be noted that, although personal data protection officers may perform other tasks and duties, such engagement must not result in a conflict of interest because the absence of such a conflict is considered independent performance of tasks and duties.
For that reason, the officer must not be an employee who participates in the determination of the purposes and methods of personal data processing.
In addition, it is not advised that persons in certain positions within the company who may have a conflict of interest be designated as personal data protection officers, for example, persons holding senior management positions (executive director, chief operating officer), heads of marketing departments, heads of human resources management departments, information system administrators, etc., but also persons who hold lower positions within the company, if such a position entails determining the purposes and methods of personal data processing.
The tasks of the personal data protection officer include providing advice to the controller on all matters in the field of personal data protection.
The controller and the processor should ensure that the personal data protection officer is properly and timely involved in all personal data protection matters.
According to the law, the tasks and duties of the personal data protection officer include compliance monitoring and employee training.
For these reasons, a personal data protection officer is of great value to any organization, and therefore the Personal Data Protection Agency recommends that such officers be appointed even when legal entities do not have such an obligation.