The processing of personal data is regulated by the Data Protection Act 2020, which entered into force on 25 February 2020. The act is harmonised with the General Data Protection Regulation and applies to all entities that process personal data of individuals residing in North Macedonia, including foreign entities that offer goods or services to individuals in North Macedonia or monitor the behaviour of individuals in North Macedonia. The enforcement of the Data Protection Act is overseen by the Agency for Personal Data Protection (ADP).
To ensure compliance with the Data Protection Act, fintech companies must consider the following:
- Fintech companies must determine whether they process personal data in the capacity of a controller or a processor. Under the act, controllers and processors have different statutory obligations. However, they are jointly liable before individuals and the ADP if they fail to comply with their specific obligations.
- Fintech companies must have adequate policies and procedures in place, and maintain accurate records of processing activities.
- The consent of individuals to the collection and processing of their data must be specific, informed, unambiguous, verifiable and given freely. Fintech companies cannot infer consent from silence or inactivity. They must separate the consent from other terms and conditions, and provide individuals with simple ways to withdraw their consent. Fintech companies relying on individuals’ consent to process their data must ensure that the consent meets the standards of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
- Fintech companies must revise existing personal data protection policies and procedures to reflect the new requirement to provide individuals with the right to data portability. The right to data portability applies only to personal data that an individual has provided to a controller, when the processing is based on the individual’s consent or for the performance of a contract and when processing is carried out by automated means.
Fintech companies must also revise how they communicate their privacy policies and ensure that they contain concise, easy to understand and precise information on:
- the lawful basis for the processing of personal data;
- the data retention periods; and
- the right of data subjects to complain to the ADP if they feel that their data has been mishandled.
The ADP is empowered to impose administrative penalties on a controller/processor in breach of the Data Protection Act of up to 4% of its annual worldwide turnover in the preceding financial year. Additionally, an individual who has suffered harm as a result of the unlawful processing of his or her personal data has the right to seek compensation from the controller or processor for the harm suffered.
Fintech companies must implement and maintain data security measures that meet the standards required by financial services regulation and data protection regulation. The financial services regulator (the National Bank of the Republic of North Macedonia (NBRM)) and the data protection regulator (the ADP) have the power to take action in relation to cybersecurity breaches. In broad terms, fintech companies must:
- have appropriate data security measures in place, including (where necessary) in relation to the back-up of data and regular testing of security;
- assess security risks relating to the processing or control of data;
- adhere to the requirements and standards of the NBRM and the ADP relating to the management of risks and controls, business continuity, outsourcing and notification of material events; and
- depending on the materiality and nature of a breach, notify the ADP and individuals when a cyber breach occurs.
Non-compliance with the cybersecurity requirements of the Data Protection Act may result in the imposition of penalties of up to 2% of an undertaking’s total worldwide annual turnover.