In EU member states

Directive 95/46/EC of the European Parliament and of the Council has so far been the basic binding framework that has been transposed into the national legislations of the EU member states.

With this Directive the position of personal data protection officer is not regulated , so in the absence of a regulation that would result in a unified approach to the regulation of this position, the national laws for the protection of personal data of the EU member states had their own approach in regulating it.

The following is a brief overview of how the OZLP function is currently regulated in the EU member states, until the start of the application of the regulation on May 25, 2018.

The national laws of some EU member states regulate the appointment of OZLP [1] , and the national laws of other EU member states do not regulate this function at all [2] . Some of them establish an obligation for the controllers to appoint OZLP [3] , and some set this function on a voluntary basis [4] . Some of them define the profile, position and responsibilities of OZLP. At the same time, it can be stated that each national law introduces its own specificities in their definition. However, despite the specificities introduced by national laws, to perform this function, it is basically required:

Ø the appropriate expertise and reliability in the performance of obligations,

Ø independence in the performance of obligations, [5]

Ø ensuring compliance of the operation of the controller with the national Law on the protection of personal data and with relevant provisions in other regulations.

In the Republic of Macedonia

The current Personal Data Protection Act (PDPA) is more advanced in regulating this function compared to the national laws of some EU member states. ZZLP regulates this function in Article 26a. In accordance with this legal provision, the rule is the mandatory determination of OZLP for controllers in the public and private sectors, and the exception is the exemption from this obligation for: the controller that processes personal data that are part of publicly available collections and the controller whose collection of personal data is concerns up to ten employees or the processing concerns personal data of members of associations established for political, philosophical, religious or trade union purposes. The exception applies to a controller that processes only publicly available collections, and does not process other collections of personal data, or a controller whose collection concerns up to ten employees, and does not have other collections of personal data, or an association founded for political, philosophical, religious purposes or trade union purposes, if it only processes the collection of its members. In practice, there are very few controllers that can be brought under the statutory exception, so the exception has almost no application.

Based on an interview/short survey conducted through a questionnaire and discussions with PWDs from the public and private sectors, distributed in nine focus groups, an analysis was made which identifies certain deviations between the legal provision regulating this function and its actual implementation, as well as deviations between the needs and requirements of OZLP and their actual functioning, which points to the conclusion that the controllers are more focused on satisfying the legal form, and not on the essential implementation of the provision, which would imply the effective realization of the right to the protection of personal data.

Namely, the analysis shows that the controllers in the public and private sectors have determined/appointed an OZLP, but in some controllers it is only appointed from a formal aspect to consider that the legal obligation has been fulfilled, and not to establish a real protection of personal data. . Very often, this function is formally assigned to employees who perform other full-time work tasks. Sometimes, those job duties conflict with the job duties arising from the OH&S function.

The applicable ZZLP determines the tasks[6] of OZLP, but it does not identify his profile, i.e. it does not prescribe his professional qualities and expert knowledge, nor how his position should be set, nor does it prescribe minimum standards regarding his status, which should be designed in a way that ensure its independence.

OZLP have established regular cooperation with DZLP which consists of providing support by DZLP for issues related to the performance of their function, exchange of information and other communication. Cooperation with DZLP allows them to more easily ensure compliance with regulations in this area. OZLP participate in the trainings organized by DZLP and consider them not only as a form of deepening and upgrading of expert knowledge, but also as another form through which cooperation with DZLP is strengthened, but also their mutual cooperation.


[1] Example: Federal Republic of Germany, Republic of France, Kingdom of the Netherlands, Hungary, Republic of Poland, Republic of Croatia

[2] Example: Czech Republic, Greece, Romania

[3] Example: Federal Republic of Germany, Republic of Croatia

[4] Example: Kingdom of the Netherlands. With the Personal Data Protection Act of Hungary, the appointment of the officer on a voluntary basis is set as the rule, and the mandatory appointment as the exception.

[5] The independence of the officer is achieved through the same parameters: providing the necessary resources for the performance of the function, preventing him from suffering any influence or consequences due to the performance of the function, and being directly accountable to the highest level of management at the controller where he is assigned.

[6] The tasks of OZLP are exhaustively enumerated in Article 26-a: it participates in making decisions related to the processing of personal data, as well as exercising the rights of the subjects of personal data; monitors compliance with the Law and with the regulations adopted on the basis of the Law, which refer to the processing of personal data, as well as with the internal regulations for the protection of personal data and with the documentation for technical and organizational measures to ensure secrecy and protection of the processing of personal data data; develops the internal regulations for the protection of personal data and the documentation for the technical and organizational measures to ensure secrecy and protection of the processing of personal data; coordinates the control of the procedures and instructions determined in the internal regulations for the protection of personal data and in the documentation for the technical and organizational measures to ensure secrecy and protection of the processing of personal data; proposes training of employees in connection with the protection of personal data and performs other tasks established by law and by the regulations adopted on the basis of the Law, as well as by the internal regulations for the protection of personal data and with the documentation for the technical and organizational measures to ensure secrecy and protection the processing of personal data.