The controller and the processor must designate an OZLP when:

  • the processing of personal data is carried out by state government bodies,
  • the basic activities, due to their nature, scope and/or purposes, require to a large extent regular and systematic monitoring of personal data subjects, or
  • the basic activities consist of extensive processing of special categories of personal data, or the personal data relate to criminal convictions and criminal acts.

In certain cases the controller or processor or associations and other bodies representing categories of controllers or processors may also designate a personal data protection officer.

The controller may designate an OZLP even if it is not required by the ZZLP. In such a case, the same requirements for the position, status and tasks apply as in the case where the designation of an OZLP is mandatory.

If the controller decides not to designate an OZLP because the criteria explained above are not met, that decision should be documented (elaborated) to demonstrate the principle of accountability.

This includes state and local government bodies and other state bodies established in accordance with the Constitution and the law, institutions that perform activities in the fields of education, science, health, culture, labor, social protection and child protection, sports, as well as in other activities of public interest established by law, and organized as agencies, funds, public institutions and public enterprises founded by the Republic of North Macedonia or by the municipalities, by the City of Skopje, as well as by the municipalities in the City of Skopje.

Basic activities are the primary business activities of the controller, that is, the processor. This means that, if in its operation the controller needs to process personal data in order to achieve the key objectives, then such activity falls under the concept of basic activity. It should be understood that this is different from processing personal data for other secondary purposes, which may also be something that controllers do on a daily basis but is not part of the pursuit of their primary purposes. For example: for most organisations, the processing of personal data for human resources will be a secondary function to their main (core) business activities and therefore will not be part of their core activities.

Regular and systematic monitoring of personal data subjects includes all forms of monitoring and profiling, regardless of whether it is "online" or "offline" monitoring. When determining whether the processing is on a large scale, several factors should be taken into account, in particular the number of affected personal data subjects, the volume and categories of personal data being processed, the duration of the data processing, and the geographical spread of the processing.

For example: in practice this means that if the analysis shows that the controller, i.e. the processor, processes personal data only for its employees, which is not its core activity (a commercial company or organization with, for example, up to 50 employees), does not process personal data for other categories of personal data subjects (for example, customers who are natural persons) and/or does not process personal data through a video surveillance system, it is not subject to the obligation to designate an OZLP.

This analysis process should be documented, bearing in mind that each controller is obliged to demonstrate compliance with the principles related to the processing of personal data.

The main role of the OZLP is to help monitor the internal compliance of the controller, i.e. the processor, with the regulations for the protection of personal data, as well as to inform and advise regarding the fulfillment of obligations for the protection of personal data, to give advice regarding the assessment of the impact on the protection of personal data and to act as a contact point for the subjects of personal data and AZLP.

The DPO must be a person or persons with qualifications and expert knowledge of the legislation and practices in the field of personal data protection, as well as the ability, position and status that enable them to perform their duties completely independently, without receiving any instructions from the highest management in relation to the execution of their work. The DPO must also be involved, fully and in a timely manner, in all issues related to the protection of personal data, and must have the resources necessary for the execution of the work, access to personal data and processing operations, and a guaranteed opportunity to maintain their professional knowledge.

Regarding its position, it is important to understand that the OZLP is directly responsible for its work to the highest management level of the controller, that is, the processor. Because the OZLP can perform other tasks and duties, it is important when designating it to ensure that such tasks and duties will not lead to a conflict of interests in the performance of its work.

For example: neither the manager of the controller/processor nor the authorized person for security of the information system (the administrator of the information system) can be designated as OZLP.

The OZLP can be an employee or perform work on the basis of a service contract (existing employee or externally appointed), and its appointment is a good example of demonstrating compliance with the OZLP, as well as demonstrating accountability.

Contact data for the OZLP is published publicly on the website of the controller, that is, the processor.

The controller, i.e. the processor, notifies the Agency with an appropriate letter, which should contain:

  • name and headquarters of the controller, i.e. the processor,
  • name and surname of OZLP,
  • contact details for OZLP (e-mail and telephone number).

OZLP is not personally responsible for compliance with regulations on personal data protection. The responsibility for compliance with the GDPR rests with the controller or processor. OZLP has a key role in fulfilling the obligations for the protection of personal data at the controller or processor.