When you must appoint a personal data protection officer:
If you are a public authority, except where you are a court acting within your jurisdiction.
All private companies with public powers or companies that perform activities of public interest should also be considered public bodies.
If your primary activity consists of operations for the processing of personal data which, due to their nature, scope and/or purpose, require regular and systematic monitoring of the subjects of the personal data on a large scale.
The primary activity is considered to be the key operations needed to achieve the objectives of the controller. It is not limited to activities that refer to the processing of personal data itself, but also includes other activities that result in the processing of personal data.
Example: the primary activity of the hospital is to provide health care, but this is not possible without processing health data for patients, the so-called health card.
Regular and systematic tracking of personal data subjects includes all forms of online tracking and profiling, taking into account the fact that the term tracking is not limited to the online environment.
Example: provision of services in the field of electronic communications, profiling, location tracking via mobile applications, monitoring of fitness and health data via mobile applications, etc.
To determine whether the processing is large-scale, you should consider the following factors:
- the number of personal data subjects, as an absolute number or as part of the relevant population;
- the amount of personal data being processed and/or the coverage of different parts of the personal data;
- the duration, or permanence, of the processing of personal data;
- the geographical distribution of the processing of personal data.
If you process special categories of personal data or personal data related to criminal convictions and criminal offences.
The obligation to appoint a personal data protection officer applies to both controllers and processors.
You must adopt a decision appointing a personal data protection officer and notify us.
Even when the Personal Data Protection Law does not require you to designate a personal data protection officer, it is useful to have a designated officer.
When you decide to voluntarily appoint a personal data protection officer, you should fulfill the conditions of the Personal Data Protection Law; that is, the same rules apply as when the appointment of a personal data protection officer is mandatory.
If you do not have a legal obligation to appoint an officer for the protection of personal data and do not wish to appoint an officer voluntarily, you can assign one of the employees or hire an external consultant to perform the tasks related to the protection of personal data. All communication within the organization, as well as communication with us, with the subjects of personal data, and with the public, should make clear that the position of that person or consultant is not that of a personal data protection officer.
Regardless of whether you have designated the officer voluntarily or are legally obligated to do so, the personal data protection officer is in charge of all processing operations.
When you are under no legal obligation to appoint a personal data protection officer and do not wish to voluntarily appoint an officer, you should make a decision with a more detailed rationale for not appointing a personal data protection officer.
The personal data protection officer may be your employee (internal officer) or such tasks may be carried out by a person you have hired on a contract basis. The contract should be concluded by the controller with the external person.
The external person you hire as a personal data protection officer should meet the conditions prescribed in the Personal Data Protection Law.
You can designate an external person serving multiple controllers/processors as a personal data protection officer in the following cases:
- Private sector: smaller companies working together as a group may appoint a single data protection officer.
- Public sector: state and public authorities may designate a personal data protection officer on the basis of a deed contract for the provision of such services.
The personal data protection officer should be available to the subjects of personal data, AZLP and your employees.
The contact details of your personal data protection officer should be published on your website, or on a notice board if you do not have a website; however, you still notify us.
In this way, you will ensure direct contact between the officer and the subjects of personal data and AZLP. The contact details that must be published for the officer are a phone number and an e-mail address (it is desirable to have a separate e-mail address that will refer to the officer, for example ozlp@…..mk or licnipodatoci@….mk, etc.). If you have the opportunity, you can also set up a special contact form on your website. It is not mandatory to publish the name and surname of the personal data protection officer on your website, but it is recommended. This obligation does not apply to reporting to us.
NOTICE
for the determination of a personal data protection officer
in accordance with Article 41 of the Law on the Protection of Personal Data (“Official Gazette of the Republic of North Macedonia” no. 42/20 and 294/21)