What does high risk processing cover?

According to the ZZLP, when technologies are used for a certain type of processing and, taking into account the nature, scope, context and purposes of the processing of personal data, there is a possibility that it will cause a high risk to the rights and freedoms of natural persons, this is high-risk processing, and AZLP must be notified of such processing.

How to assess whether it is high risk processing?

First of all, you need to ascertain whether, in the processing of personal data, you apply technological solutions (e.g. a software solution) with which personal data are processed in order to make them available and usable for anyone who has the right and need to use them.

If you do, you then need to assess the nature of the personal data you are processing: for example, whether it is personal data such as name, surname, telephone number, residential address or social security number, or special categories of personal data that reveal religious, racial or ethnic origin or political views, data related to health, biometric data, data on the sexual orientation of the natural person, etc.

Then you assess whether it is extensive processing, and in this assessment you take into account the following factors:

  • number of affected personal data subjects, be it a specific number or a percentage of the relevant population,
  • volume of data and/or coverage of different types of data being processed,
  • duration or continuity of personal data processing operations,
  • geographical scope of personal data processing activities.

What does the number of affected personal data subjects mean, be it a specific number or a percentage of the relevant population?

This means the number of natural persons whose personal data you will collect, process and store for a specific record/collection of personal data. For example: with a collection of employees, you have the exact number of natural persons for whom you will process personal data, and with a collection of clients, you can be guided by the number of clients for whom you are already processing personal data (in the case of an already established collection/record) and express that number as a percentage (0.001 % of the total population in Skopje or similar).

What does the volume of data and/or scope of different types of data being processed mean?

This means which categories of personal data you will collect, process and store about the natural person for the particular record/set of personal data. For example: do you collect first name, last name and address, or first name, last name, address, social security number, or first name, last name, address, social security number, e-mail, contact number, etc. From this you will be able to evaluate the extent, that is, the scope, i.e. the set of personal data that you process, for example a set of three categories of personal data that do not contain special categories of personal data, a set of three categories of personal data that also contain special categories of personal data, etc.

What does duration or continuity of personal data processing operations mean?

This means that you evaluate the time period (duration) of the personal data processing operations, i.e. whether you process the personal data of natural persons once, twice and/or three times in a period of one or three months, after which the personal data is deleted/destroyed (incidental/occasional processing), or whether it is processed continuously, i.e. processing operations are undertaken with a certain dynamic according to your scope of work (continuous/systematic processing).

What does the geographical scope of personal data processing activities mean?

This means whether the activities for processing the personal data of natural persons take place in one specific location/place/area (for example: at the headquarters of the controller), or whether the data is processed at several addresses other than the headquarters within a certain municipality, city or on the entire territory of the Republic of North Macedonia, or is transferred to another country.

Then, after evaluating whether it is extensive processing, you evaluate the purpose and context of the processing. That is, you clearly determine the purpose and analyze whether the categories of personal data subjects, the categories of personal data and the term of their storage serve the fulfillment of the purpose, i.e. whether that specific purpose can be fulfilled only with the specified set of data and whether the data is needed for the specified storage period.

In the event that the purpose of processing personal data is already determined by law, you only evaluate whether the categories of personal data and the term of their storage serve the fulfillment of that legal purpose.

After this step, you perform a risk analysis, that is, you identify threats (unwanted outcomes) and determine the probability and impact (consequence) of the realization of each risk. Risk is expressed as a function of the probability of the threat occurring and the impact of the unwanted threat if it occurs (risk = probability × impact).

WARNING

This way of assessing whether personal data processing is high-risk refers to the already established collections/records of personal data, which you as controllers already manage within your scope of work.

For each new personal data processing process, and in particular when new personal data processing technologies are introduced, according to the nature, scope, context and purposes of the processing, as well as when the processing is included in the List of types of processing operations for which an assessment of the impact of the protection of personal data is requested (“Official Gazette of the Republic of North Macedonia” no. 122/20) established by AZLP published on our website www.azlp.mk, an assessment of the impact of personal data protection should be carried out according to the instructions prescribed in the Rulebook for the process of assessing the impact of personal data protection (“Official Gazette of the Republic of North Macedonia” no. 122/20).

How and in what way is a notification for the processing of high-risk personal data submitted?

Any controller who assesses that the processing of personal data causes a high risk for the rights and freedoms of natural persons is obliged to submit a Notice on the processing of personal data that causes a high risk for the rights and freedoms of natural persons. The notification is submitted in electronic form through the website of AZLP for the purpose of recording in the records of high-risk personal data collections.

In order to deliver the Notification, the controller must first register electronically in the Record of high-risk personal data collections by independently determining a username and access password.

After registration, the controller enters the following data into the high-risk personal data record system:

  • name of the controller – legal entity, state authority, state body, legal entity established by the state for the exercise of public powers, agency or other body; tax number; predominant activity; organizational form; municipality; inhabited place; contact number; e-mail; fax; web page; responsible person; name and surname of the personal data protection officer; contact phone number of the personal data protection officer; e-mail of the personal data protection officer and position or number and date of the contract for hiring the personal data protection officer; title, i.e. name of the authorized representative, if there is one, and the headquarters, i.e. residential address of the authorized representative; and
  • controller – natural person: name and surname; place and address of residence; employment data (occupation or function performed); date of birth; place of birth and citizenship.

After the specified data is entered, the controller prints the confirmation letter. The completed confirmation letter, certified with a seal and signed by the official or the responsible person, is sent electronically to AZLP.

After printing the confirmation letter, the controller can continue with the electronic data entry for high-risk personal data collections by selecting the offered options or filling in the data for a category or categories of personal data subjects, i.e. categories of personal data relating to them.

As an exception, controllers who are already registered in the Central Register of Personal Data Collections do not need to be registered again as a controller in the Record of High Risk Personal Data Collections, but will only need to submit a Notification in electronic form through the AZLP website for recording in the records of high-risk personal data collections.

The form and content of the notification form are prescribed in the provisions of the Regulation on notification of high-risk personal data processing (“Official Gazette of the Republic of North Macedonia” no. 122/20).

WARNING

This notification obligation applies only to those controllers who assess that the processing of personal data causes a high risk for the rights and freedoms of natural persons.

Hence, not all controllers need to be recorded in this log as controllers.

All operations for which it is necessary to carry out an assessment of the impact on the protection of personal data, and which at the same time represent high-risk operations according to the conditions stated above, will be subject to the obligation to report according to Article 71 of the ZZLP. This should also be understood to mean that if an assessment of the impact on the protection of personal data is carried out for a certain operation, but after the assessment it is determined that there is no possibility that it will cause a high risk for the rights and freedoms of natural persons before the processing has been performed, then such processing is not subject to the obligation to report to AZLP.

It is good practice to try to always make an assessment as to whether it is a high risk operation regardless of whether such processing will actually result in a high risk.