2015 ANNUAL REPORT of the DIRECTORATE FOR PERSONAL DATA PROTECTION
www.privacy.mk „Everyone has a right to privacy“
Annual Report 2015
Contents
GLOSSARY OF MOST OFTEN USED TERMS
1. INTRODUCTION
1.1 Legal framework, status and location
1.2. Competences
2. MANAGEMENT POLICIES AND STRATEGIC PLANNING
2.1 Operations Strategy
2.2 Analysis of operations
2.3 Human Resources and Administration
3. FINANCIAL OPERATIONS
3.1. Implementation of the budget in 2015 – ACCOUNT TYPE 637
3.2. Implementation of the budget for 2015 – ACCOUNT TYPE 631
3.3 Implementation of the budget – ACCOUNT TYPE 785
4. Inspection
4.1 Performed inspections
4.2. Administrative disputes and infringement procedures
4.3. Ascertaining the conditions of inspection oversight in certain areas
5. COMPLAINTS
5.1. Acting on received complaints
5.2 Issuing permits for data transfer
5.3 Approvals for processing biometric data
5.4 Access regarding the request for free access to public information
5.5 Opinions and suggestions
5.6. Expert opinions on materials, draft laws, by-laws, and other draft regulations under the Rules of the Government of the Republic of Macedonia
5.7. Opinions on the compliance of the documentation of the controllers with the provisions of the Law on Personal Data Protection
5.8. Opinion regarding the implementation of regulations on protection of personal data (at the request of the controllers on different grounds)
6. CENTRAL REGISTER OF COLLECTIONS OF PERSONAL DATA
6.1. Registered controllers and personal data collections
6.2 Personal data protection officer
7. TRAINING
8. COMMUNICATION AND PUBLIC RELATIONS
8.1. Increasing public awareness
8.2. Cooperation with media
8.3. „28 January“ – Celebrating the European Day for Data Protection
8.4. 10 year anniversary – Directorate for personal data protection!
8.5 Initiatives
8.6 Cooperation with civil society and NGOs
8.7 Signed Memorandums
9. INTERNATIONAL COOPERATION
9.1. Activities related to the process of European integration
9.2. Following the European legislation on protection of personal data
9.3. Participation in the EU bodies for the protection of personal data
9.4. Use of EU funds
9.5 Bilateral and multilateral cooperation
10. PRIORITIES FOR 2016
GLOSSARY OF MOST OFTEN USED TERMS
Article 2 of the Law for protection of personal Data ("Official Gazette of the Republic of Macedonia" No.7/2005) and the amendments to the Act ("Official Gazette" No. 103/08, 124/10, 135/11) defines the meaning of the following terms:
1. “Personal data” shall be any information pertaining to an identified natural person or a person that can be identified, the identifiable entity being an entity whose identity can be determined directly or indirectly, especially according to the personal identification number of the citizen or on the basis of one or more characteristics specific to his/her physical, mental, economic, cultural or social identity;
2. “Personal data processing” shall be every operation or a sum of operations performed on personal data, automatically or otherwise, such as: collection, recording, organizing, storing, adjusting or altering, withdrawing, consulting, using, revealing through transmitting, publishing or making them otherwise available, aligning, combining, blocking, deleting or destroying;
3. “Personal Data Collection” shall be a structured group of personal data available in accordance with specific criteria, regardless of whether it is centralized, decentralized or dispersed on a functional or a geographical basis;
4. “Personal Data Subject” shall be any natural person to whom the processed data refer;
5. “Controller of the Personal Data Collection” shall be any natural person or legal entity, a state administration authority or other authority, who independently or together with others determines the purposes and the ways of personal data processing (hereinafter: the controller). When the purposes and the ways of personal data processing are determined by law or any other regulation, the same law, i.e. regulation, determines the controller or the special criteria for his/her selection;
6. “Personal Data Collection Processor” shall be a natural person or a legal entity or a legally authorized state administration authority processing the personal data on behalf of the controller;
7. “Third Party” shall be any natural person or legal entity, a state administration authority or other authority, which is not a personal data subject, a controller, a Personal Data Collection Processor or any person who, under a direct authorization by the controller or by the Personal Data Collection Processor, is authorized to process the data;
8. “User” shall be any natural person or a legal entity, a state administration authority or other authority, to whom the data are disclosed;
9. “Consent of the personal data subject” shall be a freely and explicitly given statement of will of the personal data subject whereby (s)he agrees to the processing of his/her personal data for previously determined purposes;
10. “Special categories of personal data” shall be personal data revealing the racial or ethnic origin, the political views, religious, philosophical or other beliefs, membership in a trade union and data relating to the health condition of the people, including genetic data, biometric data or data referring to the sexual life;
11. “Third country” shall be a country not being a European Union member or not being a member of the European Economic Community.
Other terms used in this Report
12. The most important international laws governing the right to privacy: the Universal Declaration of Human Rights, the European Convention on Human Rights and the International Covenant on Civil and Political Rights.
13. The right to privacy in the Constitution of the Republic of Macedonia encompasses some basic rights: every citizen is guaranteed the respect and protection of the privacy of his/her personal and family life, dignity and reputation; every citizen is guaranteed the inviolability of the home, and the right to inviolability of the home may be restricted only by a court order when the detection or prevention of crime or the protection of human health is at issue; security and confidentiality of personal data are guaranteed; freedom and secrecy of correspondence and other forms of communication are guaranteed, and this right may be restricted only by virtue of a court decision and the appropriate legal action.
LIST OF ABBREVIATIONS
EDPS European Data Protection Supervisor
DPDP Directorate for Personal Data Protection
EC European Commission
EU European Union
MOI Ministry of Internal Affairs
MES Ministry of Education and Science
MF Ministry of Finance
ME Ministry of Economy
MAFW Ministry for Agriculture, Forestry and Water economy
MJ Ministry for Justice
HIFM Health Insurance Fund of Macedonia
RM Republic of Macedonia
BED Bureau for Education Development
NGO Non-Governmental Organization
NERR National Electronic Regulations Registry
MISA Ministry for Information Society and Administration
MLSP Ministry for Labor and Social Policy
1. INTRODUCTION
1.1 Legal framework, status and location
The Law on Personal Data Protection from 2005 ("Official Gazette of the Republic of Macedonia" no. 7/2005) provides for the establishment of the Directorate for Personal Data Protection, which will be responsible for supervising the legality of actions taken for processing of personal data and its protection on the territory of the Republic of Macedonia.
In the Republic of Macedonia the right to protection of personal data is regulated in Article 18 of the Constitutional Act of the Republic of Macedonia of 1991: "The safety and confidentiality of personal data are guaranteed. Citizens are guaranteed protection from violation of their personal integrity resulting from the registration of information through their data processing", while the right to privacy is defined in Articles 17, 25 and 26 of the Constitutional Act.
The Law on Protection of Personal Data ("Official Gazette of the Republic of Macedonia" no. 7/2005) and the amendments to the Act ("Official Gazette" No. 103/08, 124/10, 135/11) are completely in compliance with Directive 95/46/EC of the European Parliament and of the Council.
The legal framework for the protection of personal data in the country is complemented by the Law on Ratification of the Convention of the Council of Europe No. 108/81 for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Official Gazette" No. 07/2005), ratified on 24.03.2006 and entered into force on 01.07.2006. In 2007 the Parliament of the RM ratified the Additional Protocol to the Convention regarding supervisory authorities and transborder data flows.
After the ratification of the Additional Protocol in 2008, the Law on Amendments to the Law on Protection of Personal Data ("Official Gazette" No. 103/09) was adopted in order to strengthen the supervisory role of the Directorate for Protection of Personal Data and to harmonize national legislation with the EU acquis.
In 2010 the second amendments to the Law on Protection of Personal Data ("Official Gazette" no. 124/10) were made. They ensure compliance of legislation and rule of law, the transposition of the European Union acquis, the harmonization of the Law on Protection of Personal Data with the national legislation of the Republic of Macedonia and the establishment of a more efficient system of protection of personal data.
The right to protection of personal data and the right to privacy are different human rights. Due to the great importance of privacy for the individual, in most countries in the world this right is regulated by the Constitutional Act of the country as the highest constitutive act of the state, as is the case with the Republic of Macedonia.
In our Constitutional Act, in the section titled Civil and Political Rights and Liberties, several human rights are included that are components of the right to privacy, since privacy is a broad, complex concept, a sum of several individual rights. In this sense, it is important to mention the following rights:
- Every citizen is guaranteed the respect and protection of the privacy of his/her personal and family life, dignity and reputation (Article 25).
- Every citizen is guaranteed the inviolability of the home. The right of inviolability of the home may be restricted only by a court decision when detection or prevention of crime or the protection of citizens' health is at issue (Article 26).
- The freedom and confidentiality of correspondence and all other forms of communication are guaranteed. This right may be restricted only based on a court decision and in appropriate legal proceedings (Article 17).
The rise of the right to privacy to the level of a constitutionally guaranteed human right indicates the great importance of this right for the individual, which carries certain rights/powers and duties/responsibilities for the individual holder of the right and for other individuals, as well as for the state and its institutions.
Privacy is one of the fundamental human rights established and governed by the most important international legal documents, including the Universal Declaration of Human Rights, the European Convention on Human Rights and the International Covenant on Civil and Political Rights. According to the Universal Declaration of Human Rights, an act of the largest global international organization, the UN: "No one shall be subjected to arbitrary interference with his private and family life, home or correspondence, nor to attacks upon his/her honor and reputation. Everyone is entitled to legal protection against such interference or attacks."
A similar definition is given by the Council of Europe, as the most important international organization in the field of promotion and protection of human rights and freedoms, in Article 8 of the European Convention on Human Rights, according to which: "Everyone has the right to respect for his private and family life, home and correspondence. Public authorities should not interfere in the exercise of this right except such as is in accordance with the law and is necessarily needed in a democratic society, which is in the interests of public safety, the economic well-being of the country, for the prevention of public disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."
The Republic of Macedonia joined the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe in 1995, ratified on 10 April 1997, which supplements the legal framework for the protection of human rights and fundamental freedoms.
1.2. Competences
The Directorate for Personal Data Protection is the creator of a policy for consistent implementation of regulations on protection of personal data at national level, in particular:
- Prepares and adopts bylaws related to the implementation of regulations on protection of personal data
- Provides opinions on draft laws from different areas
- Provides opinions on the laws of controllers in the field of personal data protection
- Develops policies and provides guidance on protection of personal data at national level
- Provides opinions on draft codes of conduct relating to the protection of personal data
Lawfulness and fairness of the processing of personal data:
- Supervises the lawfulness of the processing of personal data in accordance with the provisions of the Law on Protection of Personal Data
- Issues prior approval to process personal data
- Issues bans on further processing of personal data by a controller
Body responsible for keeping a register and records:
- Keeps a central register of collections of personal data of controllers and processors
- Keeps a record of the transfer of personal data to other states
- Issues approval for transfer of personal data to other states
Promoter/guardian of the right to personal data protection:
- Decides on initiatives from citizens to perform inspections
- Decides on submitted requests for establishing an infringement of the right to protection of personal data
- Acts upon complaints from individuals regarding illegality in the processing of their personal data
- Provides continual education of controllers and processors and technical assistance upon request
- Leads infringement proceedings through the Commission for misdemeanor in accordance with law
Single national authority responsible for implementing the legislation on protection of personal data:
- Decides upon requests of supervisory authorities in the field of protection of personal data of other states, in the performance of their activities, through legal assistance of the Republic of Macedonia
- Establishes cooperation with other international bodies for the protection of personal data and participates in the work of international committees and institutions
- Performs other duties prescribed by law
2. MANAGEMENT POLICIES AND STRATEGIC PLANNING
2.1 Operations Strategy
Following the strategic goal and working priorities for 2015, annual documents were adopted for the Directorate for Personal Data Protection and published on the web site of the Directorate: the Annual Work Program for 2015, the Annual Program for Inspection for 2015 and monthly plans for performing inspections during 2015. Thus, the Directorate is recognized as an entity whose work manifests professionally organized and transparent monitoring of performance by all involved parties and stakeholders in the implementation of the strategic priorities, and the setting of clear goals for work within an entire year.
In addition, all controllers are informed in a timely manner of the work plans for inspection, as well as of the areas that are covered by the annual work program. The basic development policies of the Directorate for Personal Data Protection were fully aimed at implementation of the strategic priorities for ensuring the legality and fairness of the processing of personal data, as well as a transparent and efficient system for exercising the right to personal data protection of every citizen.
In this regard, special attention was paid to the realization of many forms of cooperation and of several initiatives to change the perception of privacy and the right to protection of personal data.
2.2 Analysis of operations
Professional performance means setting a measuring mechanism to monitor and assess the extent of organized activities during the reporting year. At the same time, through the procedure of analysis of the performed activities after the lapse of a certain period, the planning process is done properly, in an organized and quality manner, and is subject to a mechanism of continuous monitoring, measurement of efficiency and quality management in accordance with the ISO 9001:2008 standard. In this way, the Directorate for Personal Data Protection is able to take into account the planned activities for the next period, including the planned risks and challenges in the period 2015 – 2017.
The policy of quality management means setting procedures both professionally and properly. The Directorate for Personal Data Protection works according to the requirements of the international standard EN ISO 9001:2008; the working procedures in all segments were revised and improved, as were the mechanisms for measuring efficiency and the documentation which has to be produced. Thus, the Directorate for Personal Data Protection accomplished a significant step forward towards building a reputation as a credible and independent entity concerned with quality strategic management as well as with professionalizing the services which it provides. In this regard, the Report on the efficiency and effectiveness of the system of financial management and control and internal audit of the Directorate for Personal Data Protection was published.
In accordance with the Report on Facebook attendance and information on the most visited published documents/information on the web site of the Directorate, it was determined that the planned activities of the Communication Strategy for 2015 are fully met, taking into account the increase of 30% in attendance on the Facebook profile of DPDP, and the 30% increase in visits to the web site of the Directorate in the last three months of 2015.
2.3 Human Resources and Administration
The Rulebook for systematization of jobs in the Directorate for Personal Data Protection no. 01-981/1 from 31.03.2015 provides for 43 positions of administrative officers (state), distributed by units in accordance with the Rulebook for internal organization of the Directorate for Personal Data Protection no. 01-980/1 from 31.03.2015, of which 24 positions are filled.
As of 31.12.2015 the number of filled jobs in the Directorate for Personal Data Protection is as follows:
- 23 positions of administrative officers (state)
- 2 positions of auxiliary technical staff
- 1 person part time
During 2015 one (1) employee was hired to carry out duties in the Department of European integration, programming, implementation, monitoring, and evaluation and international cooperation, because of a temporarily increased workload, for a fixed period until 31.12.2015.
Hence, the Directorate has 26 employees as of 31.12.2015.
Table No.1
Gender structure of employees
Table No.2
Age of employees
[Charts for Table No.1 and Table No.2; labels shown: 25-34, 35-44, 45-54, 55-65; 65%, 35%]
Special attention was paid to the implementation and capacity management of workflows and to the adjustment of the internal organization according to the needs of the established dynamics of operations. Professional development and training is conducted on the basis of the previously adopted Annual training program for civil servants of the Directorate.
In 2015, specialized trainings financed from the project „Continued support for the promotion of the protection of personal data” were organized on the following topics: “Penetration testing and vulnerability screening/Risk Management” (13.10.2015) and “Web applications and mobile devices security” (27.10.2015). Fourteen people were included in the trainings:
- Training for mentors – 14 people
- System for knowledge management – 14 people
- EU fundamentals, human resource management – 14 people
- Assistance to citizens who have a certain type and degree of disability – 14 people
Additionally, a generic training entitled “Art of communication” was conducted for all administrative officers, financed by the Directorate for Personal Data Protection.
In 2015, employees attended 10 trainings (generic and specialized).
Table No.3
Table No.4
Year Number of trainings
2010 7
2011 17
2012 19
2013 27
2014 28
2015 10
[Chart: Training for employees, 2010 to 2015]
3. FINANCIAL OPERATIONS
3.1. Implementation of the budget in 2015 – ACCOUNT TYPE 637
The 2015 balance sheet for account 637 was accepted on 22.02.2016 with the following indicators:
Table no.5
denars
Total budget for 2015 17.844.000,00
Realized income (transfers from the state budget) 17.143.170,00
Achieved total costs 17.143.170,00
Net surplus of income (profit before tax) 0
Tax from revenue excess – profit 0
Net surplus income – income transfer for the next year 0
Of the total approved budget of the Directorate for 2015 in the amount of 17.844.000,00 denars, 96,07% or 17.143.170,00 denars were realized. Regarding the structure of the entire approved budget allocations of funds during 2015, 14.074.000,00 denars or 78,87% of the funds relate to basic salaries and social security contributions, while 3.770.000,00 denars or 21,13% of the funds relate to goods and services.
[Chart: Structure of the approved budget for 2015, with the following items]
401 - Salaries
402 - Social security
420 - Travel and daily expenditures
421 - Utilities, heating, communication and transport
423 - Materials and inventory
424 - Repairs and maintenance
425 - Contracting services
426 - Other
Table no.6 – Review of the implementation of funds per items in 2015
Item Budget 2015 Realization % of Realization
401 10.224.000 9.907.432 96,90
402 3.850.000 3.668.390 95,28
420 410.000 335.692 81,88
421 1.850.000 1.731.771 93,61
423 250.000 239.885 95,95
424 320.000 320.000 100
425 620.000 620.000 100
426 320.000 320.000 100
Total 17.844.000 17.143.170 96,07
[Chart: Realization of financial means per items in 2015, items 401 to 426]
Table no.7 Comparative overview of the implementation of funds per items in 2015
Item Realization 2014 Realization 2015 2015/2014 in %
401 9.097.844 9.907.432 108,90
402 3.364.970 3.668.390 109,02
420 290.000 335.692 115,76
421 1.616.478 1.731.771 107,13
423 150.000 239.885 159,92
424 190.000 320.000 168,42
425 590.000 620.000 105,08
426 425.000 320.000 75,29
464 15.000 0 /
485 0 0 /
Total 15.739.292 17.143.170 108,92
[Chart: Comparative overview of the implementation of funds per items in 2015 compared to 2014]
3.2. Implementation of the budget for 2015 – ACCOUNT TYPE 631
The 2015 balance sheet for account 637 was accepted on 22.02.2016 with the following indicators:
Table No.8
denars
Total budget for 2015 5.300.000,00
Income transferred from previous year 932.013,00
Achieved total income 1.141.418,00
Achieved total cost 1.482.153,00
Net revenue surplus (profit before tax) 591.278,00
Tax revenue surplus (profit) 0,00
Net revenue surplus (profit for transfer in next year) 591.278,00
On the basis of training on the protection of personal data provided to interested controllers and processors of personal data, the Directorate for Personal Data Protection generated revenue of 1.141.418,00 denars for 2015.
Of the total approved budget of the projected revenues of the Directorate for 2015 in the amount of 5.300.000,00 denars, 27,97% or 1.482.153,00 denars were realized. Regarding the structure of the approved budget, 96,23% or 5.100.000,00 denars of the funds refer to goods and services, while 3,77% or 200.000,00 denars of the funds refer to capital expenditures.
Table no.9 Review of the implementation of funds per items in 2015
Item Budget 2015 Realization % of realization
420 1.650.000 667.886 40,48
421 1.050.000 0 0,00
423 500.000 80.259 16,05
424 300.000 271.477 90,49
425 800.000 333.894 41,74
426 800.000 48.449 6,06
480 100.000 80.188 80,19
485 100.000 0 0,00
Total 5.300.000 1.482.153 27,97
[Chart: Structure of the total approved budget for 2015, with the following items]
420 - Travel and daily expenses
421 - Utilities, heating, communication and transport
423 - Materials and inventory
424 - Repairs and maintenance
425 - Contracting services
426 - Other
480 - Buying equipment and machines
485 - Investment and non-financial assets
Table no.10 Comparative overview of the implementation of funds per items – 2015 compared to 2014
Item Realization 2014 Realization 2015 2015/2014 in %
420 999.016 667.886 66,85
421 189.647 0 0,00
423 63.748 80.259 125,90
424 206.470 271.477 131,48
425 650.000 333.894 51,37
426 290.508 48.449 16,68
480 58.116 80.188 137,98
Total 2.457.505 1.482.153 60,31
[Chart: Comparative review of realization of funds per items - 2014 compared to 2015]
The balance sheet for 2015 for account 785 of the Directorate was accepted on
22.02.2016 with the following indicators:
Table No.11
denars
Earnings transfer from the previous year 17.180.941,00
Total income achieved 17.180.941,00
Total cost achieved 16.047.756,00
Net revenue surplus (profit before tax) 1.133.185,00
Tax revenue surplus (profit) 0,00
Net revenue surplus – profit for transfer in the next year 1.133.185,00
The Directorate for personal data protection, on the basis of a donation contract with the Norwegian Ministry of Foreign Affairs, realized a total income of 17.180.941,00 denars during 2015, as an inflow transferred from 2014 in respect of the contract MAK-14-0014, for the implementation of the project „Continued support for the promotion of the protection of personal data”. Of the total revenues available on the basis of donation contracts for 2015, 93,40% or 16.047.756,00 denars were realized.
Regarding the structure of use of funds, 95,71% or 15.359.796,00 denars of the assets relate to goods and services, and 4,29% or 687.960,00 denars are capital expenditures.
Structure of realized expenses in 2015
420 - Travel and daily expenses
425 - Contract services
426 - Other ongoing expenses
480 - Purchasing of equipment and machines
485 - Purchasing of furniture
3.3 Implementation of the budget – ACCOUNT TYPE 785
Table no.12 Overview of the implementation of funds at rates in 2015
Item Realization
420 1.681.848,00
425 12.482.500,00
426 1.195.448,00
480 204.460,00
485 483.500,00
Total 16.047.756,00
4. Inspection
4.1 Performed inspections
The main competence of the Directorate is supervising the legality of actions taken in the processing of personal data and their protection on the territory of the Republic of Macedonia. The competence of the Directorate arises from Article 37 of the Law on Protection of Personal Data ("Official Gazette of the RM" No. 7/05, 103/08, 124/10 and 135/11) and is implemented through inspectors for protection of personal data. In order to implement this inspection competence, within the Directorate for Protection of Personal Data there is a Sector for conducting inspection with two departments (Department for inspection supervision in the public sector and the Department for inspection supervision in the private sector).
Inspections are planned on an annual basis, by a sector-based approach, with a Program given at the end of the current year for the following year, and implemented through monthly plans for inspection in which the controllers, the collections that are inspected and the date of commencement of inspection supervision are specified. The annual programme for 2015 and the monthly plans for inspection (January – December 2015) are published on the web site of the Directorate www.dzlp.mk and www.privacy.mk
Performance of regular inspections is carried out in precisely determined deadlines defined by law and through a procedure during the inspection supervision. Inspectors in the course of performing regular inspections perform education of the controllers and processors for the right to protection of personal data.
On the website of the Directorate, basic information concerning inspection supervision (regular, irregular and control) is published, as well as forms for an Initiative for commencing inspection and Requests to establish a violation of the right to protection of personal data, with the aim of making it easier for citizens to take action if they believe their privacy rights have been violated. The Basic Checklist and Guidelines for filling it in are published as well, so that the controllers themselves can determine whether they consistently comply with the provisions of the Law on protection of personal data.
The statistical summary for 2015 and the comparative review of inspection in the last five years indicate continuity of effective implementation of inspection.
TABLE NO.13
TABLE NO.14
Year Number of performed inspections
2010 117
2011 146
2012 368
2013 387
2014 404
2015 394
During the reporting period of 2015 a total of 394 inspections were performed, of which 301 were regular inspections, 84 irregular inspections, and 9 control inspections.
TABLE NO.15 Review of inspection by type of inspection supervision
Type of supervision Number
Regular 301
Irregular 84
Control 9
Total 394
Based on the analysis of the inspections performed by the inspectors and authorized subjects of the Directorate for personal data protection in the period from 01 January until 31 December, the following indicators were generated:
1. From 01.01.2015 to 31.12.2015 a total of 394 inspections were started and performed. During the year, inspections were carried out by 9 inspectors and 3 authorized subjects for performing inspection.
Year 2015 (number of supervisions per month)
Month | Regular inspection | Irregular inspection | Control inspection | Total
January | / | 5 | / | 5
February | 33 | 7 | / | 40
March | 37 | 5 | 2 | 45
April | 27 | 8 | / | 35
May | 55 | 6 | / | 61
June | 36 | 4 | / | 40
July | 22 | 12 | 1 | 35
August | / | 5 | / | 5
September | 23 | 6 | 2 | 31
October | 22 | 7 | 2 | 31
November | 24 | 11 | / | 35
December | 22 | 7 | 2 | 31
Total: | 301 | 84 | 9 | 394
2. Out of 394 inspections, 301 were regular inspections, 84 irregular, and 9 control inspections.
3. Out of 301 regular inspections, 240 were performed in the public sector and 61 in the private sector.
4. Out of 84 performed irregular inspections, 24 were in the public sector and 60 in the private sector.
5. Out of 9 control inspections performed during 2015, 4 were in the public sector and 5 in the private sector.
- For 2 (two) irregular inspections, control inspections were performed and records were created on that matter.
6. In 2015 two infringement procedures were initiated.
Regular inspections during 2015 were conducted in the following areas: state agencies, education, banks and saving houses, textile industry, telecommunication, child protection, broadcasting, transport and other areas, according to the Annual program for performing inspection. Emergency inspections performed upon an application, request or review of the inspector were conducted in the fields of sports, security, video surveillance, trade, telecommunication and education.
The presence of inspections by areas is given below.
TABLE NO.17 – Review of performed inspections by areas
Areas | Total | Private Sector | Public Sector | Physical person
Archive material | 4 | 3 | 1 | 0
Banking | 3 | 3 | 0 | 0
Librarianship | 15 | 0 | 15 | 0
Video surveillance | 12 | 2 | 0 | 10
Child protection | 42 | 6 | 36 | 0
Hosting | 6 | 3 | 0 | 3
State agencies | 9 | 0 | 9 | 0
Economics | 3 | 3 | 0 | 0
Electronic trade | 0 | 0 | 0 | 0
Health | 15 | 11 | 3 | 1
Informatics | 2 | 0 | 1 | 0
Public service | 0 | 0 | 0 | 0
Public institutions | 3 | 1 | 2 | 0
Communication services | 6 | 0 | 6 | 0
Media | 9 | 7 | 1 | 1
Education | 145 | 2 | 143 | 0
Insurance | 16 | 16 | 0 | 0
Pension and disability insurance | 4 | 2 | 2 | 0
Judiciary | 4 | 0 | 3 | 1
Labor relations | 2 | 1 | 1 | 0
Energetics | 4 | 3 | 1 | 0
Traffic | 6 | 5 | 1 | 0
Social protection | 22 | 0 | 22 | 0
Sport | 6 | 3 | 3 | 0
Telecommunication | 9 | 8 | 1 | 0
Trade and services | 15 | 12 | 3 | 0
Tourism and services | 31 | 30 | 1 | 0
Finance | 1 | 1 | 0 | 0
TOTAL | 394 | 122 | 255 | 16
In accordance with legal provisions, and giving priority to the commitments stated in the strategic documents of the Directorate, the main commitment is to emphasize the preventive role of inspection supervision, using the opportunity to train and educate controllers on their obligations required by the protection of the right to privacy. The education of the controllers is performed under the Rules on the form and content of the call for education, the conduct of education and the method of keeping records of conducted education, adopted by the Director of the Directorate.
4.2. Administrative disputes and infringement procedures
In 2015, 2 (two) infringement procedures were initiated.
- In the period from 01.01 until 31.12.2015, 5 administrative disputes were initiated
with ongoing court proceedings.
- Administrative disputes with confirmed decision in favor of the Directorate for
Personal data protection for which the judgement is final are 2 (two).
- For 3 (three) administrative disputes there is an ongoing appeal before the
administrative court and the higher administrative court.
4.3. Ascertaining the conditions of inspections oversight in certain areas:
From the analysis of the results of the inspections performed during 2015, the following conditions and most frequent inconsistencies in the application of the regulations on data protection have been identified:
I. Most frequent irregularities and violations committed by the controllers detected during regular inspections of the controllers in the country in 2015
A. In the area of tourism and hospitality the following irregularities were identified:
Irregularities:
- The controllers have not submitted a notification on the processing of personal data to the Directorate and have not registered the collections of personal data in the Central register of collections; The controllers have not appointed an officer for personal data protection; The controllers have not delivered an authorization for the persons performing the processing of personal data and do not keep records of all persons authorized to perform the processing of personal data.
Violations:
- Controllers' employees have not signed Statements of confidentiality and protection of personal data; controllers have not adopted procedures for the right of access and correction of personal data of the data subjects and have not created a special form for the right of access and correction of personal data, which would be an integral part of this procedure; they have not adopted and applied documentation for technical and organizational measures to ensure confidentiality and protection of personal data; the controllers have not established separate records on personal data provided for use; the controllers retain the personal identification documents (passports) of guests during their stay in a hotel and keep the identity cards of domestic guests until they check out from the hotel; they do not have fixed deadlines for storage of documents containing personal data and they have not performed destruction of documents containing personal data after the deadline for storage, with a commission creating a record.
- Controllers keep work files of their employees in cabinets that are not locked or lack adequate physical protection; controllers have not applied adequate technical measures for access to computers on which personal data are being processed; controllers do not perform periodic audits for monitoring the compliance of the controller with the regulations on personal data protection and the adopted documents on technical and organizational measures and the measures to be taken when using media, periodic controls of the work of the administrator of the information system, as well as periodic inspection of the recording of authorized access;
- Controllers have not performed internal control of the information system and information infrastructure, as well as of the manual processing of personal data, in order to check whether the procedures and guidelines contained in the documentation of technical and organizational measures are applied in accordance with the regulations on protection of personal data.
- In terms of video surveillance, the most frequent violations determined at the controllers are: no analysis done of the purpose for which the video surveillance was set; the already established video surveillance frequently includes space which is not related to the purpose for which the surveillance was initially set; the notice that video surveillance is being performed often does not fully comply with the regulations on personal data protection and does not contain the necessary information about the name of the controller and the means of getting information on where and how long the videos from the video surveillance are kept. Controllers have not adopted a law that would regulate the manner of performing video surveillance; Controllers have not provided authorization for processing personal data, and the authorized persons that have access to the video surveillance system have not personally signed Statements of confidentiality and protection of processing of personal data through the video surveillance system; Controllers do not keep records of access and insight into personal data processed through the video surveillance system; Controllers have not signed contracts with processors (the legal entity which maintains the video surveillance system, the legal entity that calculates the salaries of the controller) containing contractual clauses on the rules for personal data processing.
B. In the area of child protection the following violations were identified:
Irregularities:
- Controllers have not submitted a notification for processing of personal data to the Directorate before starting the processing of personal data; all persons processing personal data have not received authorization from the controllers to process personal data, and the controllers do not keep records of the persons authorized to carry out the processing of personal data.
Violations:
- Controllers have no legal basis to process personal data of parents, and the data are excessive in relation to the purposes for which they are being collected and processed; personal data of children are kept after fulfilling the objectives for which the data were collected, for further processing; Controllers do not have legal grounds to process the personal identification number of the child; Controllers do not inform data subjects about the identity of the controller, the purpose of the processing, the recipients or categories of recipients of personal data, the obligation to answer questions, possible consequences of not providing answers and the existence of a right of access and the right of correction of personal data; Controllers do not fully apply appropriate technical and organizational measures to ensure confidentiality and protection of personal data; Controllers have not adopted and do not apply documentation describing the technical and organizational measures to ensure confidentiality and protection of personal data; The mutual rights and obligations of the controllers and processors have been settled with written contracts which do not contain: obligations of processors to act only in accordance with instructions from the controller, obligations for the processors to undertake technical and organizational measures to ensure confidentiality and protection of personal data, and a clause determining the way of checking the actions of the processors when processing personal data; controllers have not performed periodic audits to monitor compliance with the regulations on protection of personal data and the documentation of technical and organizational measures, as well as with measures when using media, periodic controls over manual processing of personal data and the work of the administrator of the information system; controllers have not performed control of the information system and information infrastructure in order to check whether the procedures contained in the technical and organizational measures documentation are applicable and are in compliance with the regulations on protection of personal data.
- Regarding video surveillance, the most frequent violations are: video surveillance is performed outside the area which is sufficient for fulfilling the purpose for which the video surveillance was initially placed (cameras placed in study halls and dining room); controllers have not performed an analysis of the goals for which the video surveillance was initially placed; controllers do not have a notification for video surveillance; controllers have not adopted an act which regulates the manner of performing video surveillance.
- Individuals who process personal data through the video surveillance system have not signed a separate statement of confidentiality and protection of personal data through the video surveillance system and fail to apply technical measures for access to video surveillance; controllers do not keep records of access and insight into personal data through the video surveillance system and do not keep separate records on personal data provided for use, the user of personal data and the reason for disclosing personal data to the user.
C. In the area of social security the following irregularities were identified:
Irregularities:
- Controllers have notified the Directorate of the collections of personal data and they have not registered the collections in the central register of personal data protections;
- Controllers have not appointed an officer for personal data protection and they don't keep records of the individuals authorized to carry out the processing of personal data.
Violations:
- Controllers do not inform subjects of personal data about the identity of the controller, goals of processing, users or category of users of personal data, the obligation to answer questions, possible consequences of not providing an answer, and the existence of the right of access and the right to correction of personal data; controllers do not keep separate records on personal data provided for use, the user of personal data, and the reason for disclosing personal data to the user; controllers have not adopted and applied the necessary documentation for technical and organizational measures to ensure confidentiality and protection of personal data; Controllers do not fully apply appropriate technical and organizational measures to ensure confidentiality and protection of personal data; controllers do not apply measures for locking the closets with documents which contain personal data for which the term of storage has expired; controllers do not apply measures for locking the closets with documents of users of social protection rights (beneficiaries of the financial assistance for social protection and beneficiaries of the social care services); transfer of personal data (defined in article 8 and 9 of the Law on Personal Data Protection) through an electronic communication network is performed without the data being specially protected by adequate methods so that they are not readable during the transfer. The mutual rights and obligations of the Center for Social Work (as controller) and the processor (MSP) have not been regulated by a written agreement comprising an obligation on the processor to act only in accordance with the instructions received from the controller, an obligation for the processor to undertake technical and organizational measures to ensure confidentiality and protection of personal data, and a clause determining the way of checking the actions of the processor when processing personal data; Controllers do not perform periodic audits to monitor compliance of the controller with the regulations on protection of personal data and the adopted documents on technical and organizational measures, as well as the measures that have to be undertaken when using media, periodic controls over the work of the administrator of the information system, periodic verification of the recording of authorized access and periodic controls during manual processing of personal data; controllers have not performed control of the information system and information infrastructure in order to check whether the procedures contained in the technical and organizational measures documentation are applicable and are in compliance with the regulations on protection of personal data.
D. In the area of education the following irregularities were identified:
Irregularities:
- Controllers have not notified the Directorate of the personal data collections and they have not registered them in the Central Register of personal data collections; Controllers have not appointed an officer for personal data protection, they have not adopted individual authorization for all employees who perform personal data processing and do not keep records of all individuals authorized to perform the processing of personal data.
Violations:
- Employees of the controller have not personally signed a statement of confidentiality and protection of personal data; controllers have not adopted or applied documentation of technical and organizational measures to ensure confidentiality and protection of personal data; Controllers have not regulated the mutual rights and obligations between controllers and processors with contractual clauses on the rules of processing personal data; Controllers have no legal grounds for collecting and storing a copy of the identity card of parents for the purpose of the students' enrollment if there is no prior consent from the parents for such treatment; controllers do not have a legal basis and have no prior consent from parents for the collection and processing of personal data on whether the parent is employed, where the parent works, whether both parents live together and whether they are divorced, number of family members, material and housing conditions of the family, and information on whether they are recipients of social aid; controllers do not have legal grounds to carry out processing of personal data in the personal files of employees by keeping labor booklets, copies of identity cards, birth and death certificates; controllers have no legal basis to collect, process and keep a copy of the birth certificate of students; controllers do not apply measures to lock the closet in which files of employees and wages of classes are stored; controllers do not destroy documents that contain personal data for which the term for storage has expired; controllers do not inform parents upon enrollment about the purpose of processing of personal data, users of such personal information, the obligation to answer questions, the consequences of not responding and the right of access and correction of personal data; controllers do not inform the personal data subjects about the right of access and correction of their personal data; controllers do not keep separate records on personal data provided for use, the user of personal data, and the reason for disclosing the personal data to the user; controllers do not apply appropriate technical and organizational measures to ensure confidentiality and protection of personal data for the access to all personal computers and application software on which the personal data is being processed; controllers do not make backup copies of data processed automatically in software for wages in a way which will guarantee the reconstruction of personal data in the state they were in before they were lost or destroyed; controllers do not perform periodic audits to monitor compliance of the controller with the regulations on protection of personal data and the adopted documents on technical and organizational measures, as well as measures that have to be undertaken when using media, periodic controls of the work of the administrator of the information system and periodic controls during manual processing of personal data; controllers have not performed control of the information system and information infrastructure in order to check whether the procedures contained in the technical and organizational measures documentation are applicable and are in compliance with the regulations on protection of personal data; in terms of video surveillance, the most frequent violations are the following: there is no law that will regulate the manner of performing video surveillance; they have not set a notification about the video surveillance which contains the necessary information, and notifications are not displayed elsewhere to enable data subjects to get informed about the performance of video surveillance; the notice that video surveillance is performed does not contain the required information; they do not ensure that images taken through the video surveillance system are kept until the goals are fulfilled, but no longer than 30 days; they have not done an analysis of the purposes for which the video surveillance is performed, which will specifically contain: elaboration of the purpose why video surveillance is needed, especially within the official premises during class; video surveillance is performed outside the premises which are sufficient for fulfilling the goals for which the video surveillance was initially set (sports field, teachers' office); they do not use adequate technical measures for access to the video surveillance system; they do not keep records of access and insight into personal data processed through the video surveillance system.
II. For video surveillance as an activity performed by the controllers who were subject to inspection by the Directorate during 2015, the following irregularities and malfunctions were identified:
Irregularities:
Controllers have not registered the collection they manage through the performance of video surveillance in the Central Register for collections of personal data of the Directorate for personal data protection.
Violations:
Controllers do not apply appropriate technical and organizational measures and measures of physical security for the video surveillance system; there has been no act that would define the manner of performing video surveillance; overall they have not harmonized the Rulebook on performing video surveillance; they have not performed an analysis of the goals for which the video surveillance is set; they do not have a notice containing information on the controller performing video surveillance and the way of getting information on where and how long photos are being stored, and they have not fully harmonized the notice that video surveillance is being performed; the content of the approval for processing of personal data received by the person who processes personal data through the video surveillance system; they have not informed employees about the performing of video surveillance in business offices; all individuals who have access to the video surveillance have not signed a Statement of confidentiality and protection of personal data through the video surveillance system and have not received authorization to process personal data through the video surveillance system; they have not signed an agreement with the legal entities who have installed the video surveillance system (processor) which will contain provisions on personal data protection; they do not keep records of inspection of and access to personal data processed through the video surveillance system; they perform video surveillance outside the area which is sufficient to fulfill the purpose for which the video surveillance was initially set; the access to the room for video surveillance (monitoring) is not regulated and restricted only to authorized individuals.
5. COMPLAINTS
5.1. Acting on received complaints
According to Article 19, paragraph 2 of the Law on petitions and proposal (“Official Gazette “, No. 82/08 and 13/13), the Directorate for Personal Data Protection as an independent state authority, within its competence under Article 41 of the Law on Personal Data Protection (“Official Gazette”, No.7/05, 103/08, 124/10, 135/11, 43/14 and 153/15), handles the complaints and suggestions submitted to the Directorate for Personal Data Protection by Macedonian citizens. In the period from 01 January to 31 December, 2015, the Directorate for Personal Data Protection received a total of 393 complaints.
TABLE NO.18
Year 2009 2010 2011 2012 2013 2014 2015
No. of received complaints 95 192 363 385 404 371 393
However, from a total of 393 complaints, 317 were received from physical entities, 72 complaints from legal entities, and 4 complaints anonymously.
The development of program activities and initiatives, and in general the work of the Directorate for personal data protection, is directed towards increasing the awareness of the citizens about personal data protection. The number of complaints received from physical entities only proves the success of the implemented campaigns, distribution of information materials and various promotion initiatives in the previous period in 2015.
Simultaneously, the table below indicates a decrease in the number of complaints received by legal entities, as an indicator of the state of the controllers and processors of personal data collections. The positive application of data protection regulations by controllers is due to the increased number of trainings and education conducted by the Directorate.
[Chart: number of received complaints per year, 2009 to 2015]
TABLE NO.19
Year 2012 2013 2014 2015
Number submitted by legal entities 66 51 36 72
Number submitted by physical entities 316 353 331 317
Also, 117 complaints were submitted in written form, and 276 complaints were submitted electronically.
Of the total number of complaints, 65% or a total of 254 complaints concern misuse of personal data on social networks.
TABLE NO.20
In terms of the number of received complaints of abuse of personal data on social
networks, 111 requests were submitted for deleting fake profiles on Facebook, and 13
requests for a fake profile of a minor.
[Chart: complaints submitted by legal entities and by physical entities, 2012 to 2015]
[Chart: complaints for social networks: 254; other areas: 63]
In terms of the number of complaints by area, the table looks like this:
TABLE NO.21
Area No. of received complaints
1. Social networks – fake FB 111
2. Social networks – hacked FB 63
3. Social networks 65
4. State administration 86
5. Fake profile of a minor 13
6. Video survelliance 18
7. Employment 7
8. Education 4
9. Health 3
10. Journalist questions 6
11. Judiciary 2
12. Pension and disability insurance 2
13. Internet 2
14. Direct marketing 1
15. Parking 1
16. Retailers 1
17. Housing 1
18. Misuse of email 1
19. Banks and saving houses 1
20. Public transport of passengers 1
21. Postal services 1
22. Public services 1
23. Tourism and Hospitality 1
24. Isurance of individual and property 1
Total: 393
5.2 Issuing permits for data transfer
The Law on Personal Data Protection has special provisions for the transfer of
personal data to third countries. Transfer of personal data to European Union countries and
member states of the European Economic Area (EEA) is done only by notice to the
Directorate of the performed transfer, without permission from the Directorate, because it is
considered that national laws in these countries are fully in accordance with Directive
95/46/EC, and therefore the level of protection of personal data in these countries is
adequate.
Transfer of personal data to other countries outside the European Union is
permitted only if the Directorate for personal data protection issues a prior approval and if
adequate safety measures are provided for data protection and the protection of privacy and
the rights and freedoms of the data subjects.
During 2015 a total of 15 approvals were issued for confirmation for transfer of
personal data.
TABLE NO.22
Transfer of personal data in other countries
| Sector | Country | Approved | Rejected | Stopped proceedings | Pending |
|---|---|---|---|---|---|
| Banking | USA | 8 | / | / | 1 |
| Production | India and Philippines | 1 | / | / | / |
| Telecommunication | USA, New Zealand, Israel and Singapore | / | / | / | 1 |
| Marketing | USA | / | / | / | 1 |
| Health | Turkey | / | / | 1 | / |
| Trade | Serbia | / | / | 1 | / |
| Religion | USA | / | / | / | 1 |
| TOTAL | 15 | | | | |

The transfer of personal data to countries of the European Union and European
Economic Area (EEA) is registered by submitting an application for transfer to the
Directorate for personal data protection.
TABLE NO.23
Applications for transfer within EU member states
| Sector | Country | Number of applications |
|---|---|---|
| Banking | Slovenia, Germany, Greece | 3 |
| Insurance | Croatia, Austria | 2 |
| Telecommunication | Austria | 1 |
| Education | Italy, Germany | 2 |
| Health | Germany | 1 |
| Production | Ireland, Great Britain, Greece | 3 |
| Trade | Austria | 1 |
| TOTAL | | 13 |
5.3 Approvals for processing biometric data
According to Article 29 of the Law on Personal Data Protection, processing of
biometric data necessary to confirm the identity of the data subject can be carried out only
after prior approval by the Directorate. During 2015 the Directorate for Personal Data
Protection received 4 requests for approval for processing of biometric data necessary to
confirm the identity of the data subject, following requests for approval previously
submitted by the controllers.
DPDP has received 2 approvals for processing of a personal identification number
of the personal data subject, following requests for approval previously submitted by the
controllers.
5.4 Access regarding the request for free access to public information
During 2015, the Directorate received a total of two (2) requests for access to
public information. Within the legal timeframe, the Directorate acted on all requests, and
all requests were answered positively, as the Directorate was an official holder of the
information.
Besides requests for free access, the Directorate also received a request for an
opinion regarding the application of the derogation from free access to public information,
laid down in Article 6, paragraph 1, item 2 of the Law on free access to public information,
under which information holders may reject a request for information in accordance with the
Law if the information relates to personal data whose disclosure would mean a violation of
personal data protection.
Table No.24
| Number of received requests | Positively answered | Forwarded requests to the holders of public information | Rejected |
|---|---|---|---|
| 2 | 2 | / | / |
5.5 Opinions and suggestions
In the reporting year, in accordance with the obligation arising from the Rules of the
Government (Article 68, paragraph 1, item 9), the Directorate acted and fully responded by
providing expert opinions concerning materials, draft laws, by-laws and other
draft regulations which are in any way related to personal data protection.
Despite changes in the Rule book of the work of the Government in 2011, ENER, the
electronic register of regulations, has been in use. It is an electronic tool designed to
inform citizens, NGOs, chambers of commerce, business associations and entities,
representatives of government and separate ministries.
According to the Government and the methodology for assessing the impact of
regulations, ministries' suggestions for law adoption, drafts and proposals of law, except for
laws adopted by urgent procedure, must be published on ENER and have to be accessible
for comments 10 days prior to publishing. Proposals for adoption of laws, drafts and
proposals of law and reports of paragraph 5 Article 71 shall
remain posted on the web site of the ministry, and within ENER, one year after the adoption
of the law.¹ During 2013, the Directorate was involved in providing opinions on the basis of
ENER.
¹ “Official Gazette of RM” No.36 from 17.03.2008, Article 71
5.6. Expert opinions on materials, draft laws, by-laws, and other draft regulations under the Rules of the Government of the Republic of Macedonia
A total of 26 expert opinions were issued on the basis of the following acts:
- Guidelines for the implementation of the Law on issuing vouchers
- Regulation to provide services in the postal traffic
- Draft amendments to the Law on Foreigners
- Draft amendments to the Inspection
- Guidelines for processing of personal data on deposits of social welfare and
permanent financial assistance MLSP and social work centers
- Protocol between the MIA of RM and MIA of R. Kosovo for cross border prosecution
- Protocol between the MIA of RM and MIA of R. Albania for transboundary constant
pursuit
- Draft agreement between the Government of RM and the Government of R. Kosovo
for reciprocal recognition of driving licences
- Report on completed negotiations with the harmonized text of the Agreement
between the Government of RM and the Government of R. Slovenia for police
cooperation
- Agreement between the US Government and the Government of RM for
cooperation in order to facilitate the implementation of FATCA
- Regulation on the form, content and manner of keeping the registry of the staff in
aviation and police aviation
- Law on prevention of money laundering and terrorist financing in terms of storage
of personal data
- Law for amending the law on passports of citizens of the Republic of Macedonia
- Law for amending the law on prevention of corruption
- Law amending the law on vehicles
- Regulations on the calculations canceling identification number to a stranger, the
form and content of the form, and the manner of keeping records of the identification
number of the foreigner
- Rules for ensuring the safety and integrity of public electronic communications
networks and services, and the activities that operators should take in case of a breach of
security of personal data
- Law amending the law on forests
- Information on the safety of the project “Introducing the work of government
institutions in cloud technology (G Cloud)”
- Law for the national data base for individuals with disability
- Proposed amendments of the Law on Police
- Regulation on the form, content and manner of keeping registers of insurance
agents, insurance agencies, insurance brokers, insurance brokerage companies
and banks
- Draft text of the Agreement between the Macedonian Government and the Spanish
Government on cooperation in the fight against crime
- Text of the Agreement between the Government of the Republic of Macedonia and
the Government of the Russian Federation to take persons residing illegally and
Protocol for implementing the Agreement between the Government of the Republic
of Macedonia and the Government of the Russian Federation to take persons
residing illegally
- Draft regulations for the preparation for a new legal solution for system of
institutional protection and provisions on the protection of personal data within the
existing law to prevent corruption
TABLE NO.25 Number of issued expert opinions by years
| Year | No. of issued opinions |
|---|---|
| 2010 | 33 |
| 2011 | 16 |
| 2012 | 25 |
| 2013 | 38 |
| 2014 | 28 |
| 2015 | 26 |

[Chart: number of issued opinions per year, 2011 to 2015]
5.7. Opinions of the compliance of the documentation of the controllers with the provisions of the Law on Personal Data Protection
In 2015, opinions were prepared on the compliance of the documentation for technical and
organizational measures to ensure confidentiality and protection of personal data of 163
controllers in several areas (centres for social work, health institutions, government
agencies, hotels, travel agencies, production companies for trade of oil and derivatives,
notaries, education, childcare etc.).
5.8. Opinion regarding the implementation of regulations on protection of personal data (at the request of the controllers of different grounds)
During 2015, the Directorate for Personal Data Protection received 90 requests
for opinion relating to the application of regulations on protection of personal data of the
controllers and processors, and they were all answered according to the schedule. Most of
the requested opinions are in the field of education, insurance, utilities, law firms and health.
In terms of its obligations defined by law, the Directorate develops education
policy and provides guidance regarding personal data protection. To this end, the
Directorate issued 17 decrees in cases where it was informed of irregularities in
the processing of personal data, or became aware of them through complaints from citizens,
the media or otherwise in the course of its work, in order to establish good practices in the
operations of the controllers that are in accordance with the regulations on personal data
protection.
During 2015, on the basis of various questions, 17 decrees were issued in
accordance with the requirements of the controllers, individuals, as well as ex officio in
certain sectors.
6. CENTRAL REGISTER OF COLLECTIONS OF PERSONAL DATA
6.1. Registered controllers and personal data collections
The Central register of personal data collections shows the number of collections
registered by controllers and processors in a database established in the Directorate;
reporting to it is a legal obligation for controllers.
During 2015 a registration of controllers and their collections was conducted within the
Central Register of personal data collections (hereinafter: Central Register).
The Central Register made a significant contribution to the transparent functioning of
the Directorate, as an instrument for exercising the right of citizens to be informed about the
collections of personal information maintained by controllers, and the opportunity to
apply or request for deletion of unfounded data. The Central Register also provides a
solid basis for internal reviews and analysis of the situation with collections of personal data in
certain areas and the possibility for further targeted action.
In the period between 01.01.2015 to 31.12.2015 a total of 264 controllers and 827 collections of personal data were registered in the Central Register.
Submitted requests
During 2015 there were 78 requests and 56 notifications for:
- 78 submitted requests to reset the parameters for login to the system.
- 26 submitted notices of change of officers on protection on personal data.
- 4 reporting notices of the processing of personal data.
- 19 submitted notifications of transformation and change in the controllers.
- 7 submitted notifications of the need to update the collection of personal data.
TABLE NO.26 Tabulated by municipalities
| Municipality | No. of controllers | No. of collections |
|---|---|---|
| Aerodrom | 16 | 50 |
| Berovo | 2 | / |
| Bitola | 7 | 24 |
| Bosilovo | 1 | 2 |
| Butel | 8 | 17 |
| Valandovo | 2 | / |
| Veles | 7 | 22 |
| Vinica | 5 | 11 |
| Vasilovo | / | 2 |
| Gazi baba | 12 | 38 |
| Gevgelija | 2 | 1 |
| Gostivar | 4 | 6 |
| Gradsko | / | 4 |
| Delcevo | 1 | 5 |
| Demir Hisar | 2 | 2 |
| Gjorce Petrov | 5 | 18 |
| Ilinden | 2 | 6 |
| Kavadarci | 6 | 27 |
| Karpos | 28 | 91 |
| Kisela voda | 12 | 21 |
| Kocani | 5 | 19 |
| Kriva Palanka | 5 | 8 |
| Krusevo | 1 | 3 |
| Kumanovo | 9 | 19 |
| Makedonska Kamenica | 1 | 5 |
| Negotino | 2 | 7 |
| Ohrid | 8 | 27 |
| Pehcevo | 2 | 9 |
| Petrovec | / | 3 |
| Prilep | 6 | 21 |
| Probistip | 6 | 9 |
| Radovis | | 16 |
| Resen | 2 | 5 |
| Saraj | 2 | 2 |
| Sveti Nikole | 1 | 3 |
| Struga | 2 | 2 |
| Strumica | 8 | 18 |
| Centar | 59 | 251 |
| Cair | 6 | 16 |
| Cesinovo – Obelesevo | 1 | 4 |
| Stip | 8 | 29 |
| Suto orizari | / | 4 |
TABLE NO. 27 – Overview of registered controllers and data collections by year
[Chart: controllers and data collections by year, 2008 to 2015]
Since the establishment of the Central Registry (2008) until now – 2015, the total number
of approved controllers is 1801, with 4226 collections of personal data. This indicates
an extremely large increase in reporting of controllers and their collections of personal data
in the central registry; the measures of prevention, training and education conducted within the
training in the Directorate during 2015, as well as immediate information on supervision,
were more efficient compared to previous years.
Registering controllers is done within the organizational forms.
TABLE NO.28 Report of registered auditors and collections of personal data by organizational forms from 01-01-2015 to 31-12-2015
| Type of legal entity | No. of controllers | No. of collections |
|---|---|---|
| Stock company (JSC) | 11 | 101 |
| Stock company with one shareholder | 1 | 0 |
| State authority | 3 | 15 |
| Limited liability company | 27 | 78 |
| Limited liability of an entity (LLC) | 50 | 113 |
| Religious community | 1 | 0 |
| Health institution | 17 | 31 |
| Citizens association | 1 | 5 |
| Public prosecution | 0 | 1 |
| Public service | 1 | 1 |
| Public enterprise | 38 | 125 |
| Cultural institution | 4 | 6 |
| Education – upbringing institution | 48 | 154 |
| State administration body | 0 | 3 |
| Education – scientific institution | 14 | 36 |
| Person exercising public authority established by law | 6 | 16 |
| Other chambers and business associations | 1 | 0 |
| Subsidiaries and representative offices of foreign companies | 2 | 5 |
| Court | 1 | 6 |
| Sole proprietor | 4 | 3 |
| Institution that performs public activity | 33 | 127 |
| Fund | 1 | 1 |

6.2 Personal data protection officer
With the amendments to the Law on Personal data protection in 2010, Article 26, for
the first time the instrument of “Personal data protection officer” was established – a person
responsible for data protection.
The Directorate for personal data protection pays special attention to the continuous
informing of the officers for personal data protection, as one of the strategic
priorities and objectives, taking into account the important role they have in institutions,
companies, bodies etc. Thus, by building a network of officers for the protection of personal data,
the Directorate, directly, indirectly, and in the long term, provides educated staff beyond its
own institutional operations, a kind of “branches” that have an obligation to pay attention to
the legal process and the right to protection of personal data. During 2015, a total of 274
officers for data protection were reported.
The reporting year has continued with an intensified pace of designation of officers for
data protection by controllers, whereby the central register of controllers of collections of
personal data in 2013 reported 704 officers. The total number of reported officers for the
protection of personal data in the Central Register since its establishment (2008) until 2015
is 1870.
The enormous increase in the number of officers for the protection of
personal data reported in 2013, only 64.4% of the total number of applicants,
is due to the number of completed trainings and increased perception and promotion of the
right to protection of personal data. Ever since, it has been in continuous growth coupled with
the number of reported controllers and their collections of personal data.
TABLE NO. 29 Reported officers for the protection of personal data given by years.
This statistical summary illustrates the increasing awareness of the controllers in the
implementation of regulations on protection of personal data. For this purpose, the
interpretation of the increase of the number of registered officers for the protection of
personal data is aimed at recognition of this entity by controllers and processors of
personal data as a tool, a resource that has an important role in institutional terms for
controllers and processors. According to the legal regulations (Article 26 of the Law on
Personal Data Protection), the officer for personal data protection directly participates in
decision-making related to the processing of personal data and the exercise of the rights of
subjects of personal data, monitors the compliance with the law and regulations for the
protection of personal data and with the documentation for technical and organizational
measures to ensure confidentiality and protection of personal data, etc.
[Chart: reported officers for the protection of personal data by year, 2010 to 2015]
Obviously, further education of officers for the protection of personal
data is more than necessary, and the Directorate for Personal
Data Protection plans and implements it continuously as an activity.
7. TRAINING
In order to further raise the quality of enforcement for the protection of personal
data by controllers and processors of personal data collections, and in order to increase
public awareness of the measures that have to be undertaken for proper care, technical
and organizational, the Directorate for personal data protection, within its competence,
carries out training for interested controllers and processors throughout the year.
Trainings are held in accordance with the Annual Programme for training of
controllers of personal data collections and processors established and adopted by the
Directorate. Interested controllers and processors are included in the planned training
through the procedure of registration. At the same time, a number of training courses are
conducted on the basis of signed Memorandums of Cooperation.
The Directorate for Personal Data Protection conducts two types of training:
training organized solely by the Directorate for Personal Data Protection, and training in
cooperation between the Directorate and "Semos Education" or EC Council - USA.
Within the Directorate, the training is conducted according to predetermined
modules: one General module - General knowledge of data protection (general
training), 16 specialized modules and 5 separate modules, depending on the area from
which the controllers and processors of personal data collections come.
According to the Report on conducted training for securing confidentiality and
protection of the processing of personal data for 2015, prepared by the Commission for
conducting training within the Directorate for Personal Data Protection,
where all activities are handled according to the Guidelines on the organization and
implementation of training for controllers and processors no.02-1414 / 1 from 11.11.2010,
and the Rules of Procedure of the Commission for conducting training sessions, a total of
44 trainings were conducted: 38 trainings to ensure confidentiality and protection of the
processing of personal data and 6 certified trainings for digital security of computer users -
CSCU (Certified Secure Computer User).
The training was attended by 633 participants: 557 attended the training on
confidentiality and protection of personal data, and 76 attended the
training for Certified Digital Security of Computer Users – CSCU (Certified Secure Computer
User).
Of the participants in the training to ensure confidentiality and protection of the
processing of personal data, 346 participants were representatives of the controllers from
the private sector and 211 participants were controllers from the public sector.
Of the users of certified trainings for digital security of computer users – CSCU
(Certified Secure Computer User), 36 participants are representatives of controllers of the
private sector, 40 participants were controllers from the private sector.
Participants on the trainings were representatives from 420 different controllers.
In 2015, three workshops (roundtables) were held entitled “Privacy and Free Access
to Public Information” in cooperation with the Academy of Judges and Public Prosecutors,
attended by judges, prosecutors, court administrators and officers for data protection in
courts and public prosecution offices. Also, at the request of the officers for personal data
protection, a specialized training was organized within the area of judiciary, where
special emphasis was placed on the work performed by the officer for protection of
personal data, in accordance with the regulations on protection of personal data.
Furthermore, in 2015, the Directorate for Personal Data Protection signed a
Memorandum of cooperation no.16-1251/1 from 28.04.2015 with the center for training
staff KDS Angelina DOOEL, whereby 7 trainings were conducted to ensure the
confidentiality and protection of personal data processing, out of which 5 trainings were
specialized for representatives of the controllers from the field of child care (kindergarten)
and 2 trainings (generic and specialized module) were designed for controllers in the field of
tourism and hospitality (hotels).
In 2015, 3 trainings were conducted for Certified Digital Security of Computer Users
– CSCU (Certified Secure Computer User) allocated by the National Bank of Macedonia,
attended by 40 participants. Also, one of the certified trainings for digital security of computer
users – CSCU (Certified Secure Computer User) was conducted for 40 participants,
representatives of Macedonian Telekom AD Skopje.
In 2015, 4 trainings were conducted in the area of education, attended by 31
participants; 3 trainings in the area of health, attended by 44 participants; 3 trainings
(workshops) in the field of finance, banking, investment funds and brokerages, attended by
75 participants; 1 training for controllers from the district administration (Ministry of
Defence), attended by 31 participants; 5 trainings for controllers in the area of economics,
attended by 73 participants; 4 trainings for controllers in the field of justice, attended by 96
participants; 2 trainings for controllers in the security field, attended by 21 participants; 3
training programs in the field of tourism, attended by 19 participants; and 1 training for
controllers in the field of trade, attended by 16 participants. Also in 2015, 1 training was
conducted for controllers that offer funeral services (stonecutters) (21 participants), 1
training for dormitories (8 participants), 1 training for representatives of libraries (7
participants) and 1 specialized training in the area of direct marketing (8 participants).
Attached to this report are a tabular presentation of conducted trainings and number of
participants by area (Appendix 1), the number of participants by sector (public/private)
(Appendix 2) and a tabular display of trainings conducted by month (Appendix 3). Also
attached are a graphic display that indicates the number of completed trainings
from 2010 to 2015 (Appendix 4) and a table showing the number of trainings conducted
by year and number of participants (Annex No.5).
Appendix No.1
| Module | Area | Number of trainings on personal data protection | Number of participants |
|---|---|---|---|
| 1 | Education | 4 | 31 |
| 2 | Health | 3 | 44 |
| 3 | Media | / | / |
| 4 | Finance, banking, investment fund and brokerage | 3 | 75 |
| 5 | Labor relations, employment, job placement, health and safety at work | / | / |
| 6 | Telecommunication | / | / |
| 7 | Pension funds | / | / |
| 8 | Administration | 1 | 31 |
| 9 | Child protection | 2 | 25 |
| 10 | Economics | 6 | 73 |
| 11 | Judiciary | 4 | 96 |
| 12 | Insurance | 2 | 21 |
| 13 | Private security | / | / |
| 14 | Tourism and hospitality | 3 | 19 |
| 15 | Local self-government | / | / |
| 16 | Trade | 1 | 16 |
| 17 | Accounting | / | / |
| 18 | Funeral services | 1 | 21 |
| 19 | Dormitory | 1 | 8 |
| 20 | Direct Marketing | 1 | 8 |
| 21 | Debt recovery | 1 | 15 |
| 22 | Library | 1 | 7 |
| | Training for officers of personal data protection in various areas | 4 | 67 |
| | Total | 38 | 557 |
Appendix no.2
Participants from controllers of public sector 211
Participants from controllers of private sector 346
Total 557
Appendix no. 3
| No. | Month | Year | Number of trainings for PDP |
|---|---|---|---|
| 1 | January | 2015 | 3 |
| 2 | February | 2015 | 3 |
| 3 | March | 2015 | 5 |
| 4 | April | 2015 | 7 |
| 5 | May | 2015 | 4 |
| 6 | June | 2015 | 5 |
| 7 | July | 2015 | 1 |
| 8 | August | 2015 | / |
| 9 | September | 2015 | 3 |
| 10 | October | 2015 | 3 |
| 11 | November | 2015 | 2 |
| 12 | December | 2015 | 2 |
| | Total: | | 38 |

| No. | Month | Year | Number of trainings CSCU |
|---|---|---|---|
| 1 | January | 2015 | / |
| 2 | February | 2015 | / |
| 3 | March | 2015 | 1 |
| 4 | April | 2015 | / |
| 5 | May | 2015 | 1 |
| 6 | June | 2015 | / |
| 7 | July | 2015 | / |
| 8 | August | 2015 | / |
| 9 | September | 2015 | 1 |
| 10 | October | 2015 | 1 |
| 11 | November | 2015 | 1 |
| 12 | December | 2015 | 1 |
| | Total: | | 6 |
Appendix No. 4
[Chart: number of organized trainings per year, 2010 to 2015]
Appendix No. 5
| Year | Number of organized trainings | Number of participants |
|---|---|---|
| 2010 | 10 | 174 |
| 2011 | 37 | 758 |
| 2012 | 40 | 723 |
| 2013 | 54 | 1653 |
| 2014 | 66 | 1055 |
| 2015 | 44 | 633 |
The development of modern technology calls into question, on a daily basis, the security of
internet communication and general data protection. The Directorate for Personal Data
Protection of the Republic of Macedonia considers that it is of particular interest to
increase citizens' awareness of these issues and their implementation.
As a result of the signing of the Memorandum of Understanding between the
Directorate for Personal Data Protection (www.privacy.mk) and EC Council (International
Council of Electronic Commerce Consultants (www.eccouncil.org)), the already established
need between the two entities to expand the scope of cooperation is addressed by organizing
training and education of controllers and processors of personal data, as well as of all
computer users who regularly get in contact with sensitive information, according to the
Annual Program of the Directorate.
The Directorate signed a Memorandum of Cooperation with EC-Council of the
United States on 31.07.2013. Also, a memorandum was signed with “Semos Education”,
which is the only authorized training center for EC-Council (International Council of
Electronic Commerce Consultants) in Macedonia.
CERTIFIED TRAINING FOR DIGITAL SECURITY OF COMPUTER USERS
8. COMMUNICATION AND PUBLIC RELATIONS
8.1. Increasing public awareness
Raising public awareness and informing citizens about the right to protection of
personal data and the right to privacy is one of the top priority activities in the work of the
Directorate. In 2015, the Directorate aimed at promoting the right to personal data
protection, both to citizens and to the controllers of personal data collections, with
special attention to increasing cooperation with youth organizations, capacity building of
young people and local youth councils by supporting youth participation in creating a
system for the protection of personal data.
8.2. Cooperation with media
As part of building communication with the public, the Directorate has regular
cooperation with the media on a periodic basis. Taking into account the specificity of certain
media and the target groups to which they are directed, the Directorate for Personal Data
Protection has continued its ongoing cooperation with the daily newspaper “Nova
Makedonija”, on whose web portal citizens can ask questions to which the Directorate
provides answers, and the answers are published in the print edition every Monday.
In the past year, 30 texts were published in “Nova Makedonija” and the greatest
interest was shown in the areas of personal data protection of children on the internet,
using “smart” devices, protection of personal data in the health sector, protection of privacy
at work, video surveillance etc.
The cooperation with the Macedonian Radio Skopje began in November 2015. On a
weekly basis, in the form of visits to the morning program “Hronomer”, every Tuesday one
topic related to personal data protection was developed. A total of 5 regular appearances
were realized.
Besides the cooperation with these two media, the Directorate for Personal
Data Protection regularly responds to all current issues in the focus of the public and media.
Media No. of Annexes
Print Media 47
Television 55
Radio 23
Internet portals 55
Total 180
Newsletter of the Directorate
The electronic paper of the Directorate is one of the tools for informing the public
about the activities of the Directorate, as well as innovations in the field of protection of
personal data. In 2015, 2 editions of the electronic paper of the Directorate were issued.
The contents of the electronic paper are defined in a way that reaches several target
groups. The newspaper reports on the activities of the Directorate as a competent authority
for personal data protection, inspection of the controllers in certain areas and recent information
related to privacy protection in the world, and also responds to the most common
questions and concerns of the citizens related to the processing of their personal data.
8.3. „28 January“– Celebrating the European Day for Data Protection
On January 28th, 2015, the Directorate for Personal Data Protection celebrated the
European Day for Data Protection for the ninth time. The main goal of the events
organized to celebrate this day in the European countries is to raise public awareness of
personal data protection and to inform citizens of their rights in this field, which would allow
their implementation in a more effective manner.
For this occasion, a conference was held on the project “Privacy Class” and the
results of the analysis of the questionnaires intended for students of secondary schools of
the City of Skopje. The project was supported by the Mayor of the City of Skopje, Mr. Koce
Trajanovski, the OSCE Mission in Skopje and Metamorphosis – Foundation for Internet and
Society.
This year, the goals of the project “Privacy Class” were presented, aimed at increasing
public awareness and educating teachers, professors and students throughout Skopje
about personal data protection. The results of the opinion polls performed within the
project were also presented, and answers to several questions were sought:
how many students believe they should gain knowledge on topics related to the
abuse of their photographs and of materials with inappropriate content on social networks;
how many students receive provocative photos on social networks, and how many of them
send such photos; how many have created fake profiles on social networks that have not been
reported to the Directorate; what percentage of parents are informed and concerned, and
where should they look for an answer; what do parents say, and what do students say?
At the same time, recommendations were given for further action to integrate
curricula and content for the detailed study of the right to privacy and the protection of
personal data into a particular subject.
For that purpose, several lectures were held for teachers and high school students
throughout 2015. With the support of the OSCE Mission to Skopje, several workshops were
held on personal data protection, hate speech and discrimination, in order to raise
awareness among secondary school teachers in Kicevo, Struga, Skopje, Gostivar,
Tetovo and Prilep.
The lecture on the topic “Personal Data Protection”, for practical application in the
education sector, was highlighted as a need by the teaching staff in secondary schools in
several cities; as a result, around 120 teachers gained knowledge of the national and
international legal framework for the right to protection of personal data and the right to
privacy. A significant number of questions were posed about protection mechanisms
on social networks, as well as about labor and employment and the signing of
confidentiality statements in schools.
High school students were also involved in the project “Privacy Class”, which was
originally intended to be implemented in all secondary schools of the City of Skopje, in
order to bring students closer to the issues in the field of personal data protection,
recommendations for safe use of social networks, non-proliferation of hate speech, etc.
This time, however, at the request of secondary schools in other cities, the project
expanded and gave lectures in Tetovo, Kicevo, Gostivar, Struga and Prilep, reaching
150 high school students from all high schools. Activities within the project are entirely
aimed at education, and the results should contribute to the eradication and
prevention of misuse of personal data online and on social networks, and reduce the number of
registered hate crimes. High school students received certificates as future trainers and
activists in the fight against hate speech on the internet.
Guide to the protection of personal data of students in primary schools in Macedonia
The Directorate for personal data protection created a Guide for personal data
protection of students in primary schools in the Republic of Macedonia as a part of the project
“Privacy Class”. This guide should contribute toward raising awareness about the
protection of personal data of children and enable them to gain a greater understanding of
the challenges that they may face if they fail to protect personal data. The guide is
structured on a simple methodology adapted to the age of the readers. Additionally, the
guide can assist other individuals and organizations dealing with the education of children.
The guide is a result of the need to raise awareness of the protection of personal data. The
first lecture, on the initiative of the elementary school, was held on 05.10.2015 in the primary
school “Goce Delcev”, Skopje.
Guide to parents to protect the privacy and personal data of children online
This Guide emerged as a need, taking into account the analysis performed by the
Directorate for personal data protection in 2014 and the research done within the
project “Privacy Class” in 2015. The focus of this guide is set towards the internet and social
networks, but other forms of communication are also presented, along with the key
places where misuse of personal data and privacy might occur.
Mechanisms for reporting the abuse of personal data on social networks are also
presented. “Showing interest in the technologies used by your child, you can
learn along with him/her and know what he does when he is “on the internet”.” The
Directorate for personal data protection and Metamorphosis – Foundation for Internet and
Society, and secondary schools of the City of Skopje, as a part of “PRIVACY CLASS”.
Educating students of the Faculty of Pedagogy in Stip, Tetovo, Skopje and Bitola
In order to raise public awareness of personal data protection and the capacity of those
who will work in and deal with the education of young people in the coming period, several lectures
were held at the Faculty of Philosophy – Institute of Pedagogy and at the Faculty of
Pedagogy “Sv. Kliment Ohridski” in Skopje, as well as at the Pedagogical faculties in Stip, Bitola
and Tetovo.
Of particular importance is knowledge of the regulations on protection of
personal data among future teachers, those who work with children and in the education of
children, and those who carry out practical work with children as part of the program for
further learning and teaching. This activity is supported by the OSCE Mission to Skopje and
the civil associations “Sumnal”, “Otvorena porta – La Strada”, and “Sreken zivot”.
Recommendations from Privacy Class in the buses of the Public Transportation Company Skopje
As part of the good cooperation with the City of Skopje, a partner in the project, from
September 20 recommendations from Privacy Class were placed in the buses of JSP Skopje.
Presenting the main recommendations for the protection of personal data, as well as
recommendations not to spread hate speech, to be cautious about what is posted on social
networks, etc., in the buses of the Public Transportation Company Skopje is a good
opportunity for wider visibility and increased awareness of these important
issues. At the same time, several target groups will be reached beyond the educational
process covered by the lectures on personal data protection. For this purpose, posters
in Macedonian and Albanian were placed in the buses of JSP Skopje.
8.4. 10-year anniversary – Directorate for personal data protection!
On June 22, the Directorate for personal data protection celebrated 10 years of
existence. The Law on personal data protection was adopted in 2005; for the first time, this
matter was legally regulated. Over these 10 years, the Directorate has been a creator of policy for
consistent implementation of regulations on protection of personal data at national level and a
promoter and guardian of the right to protection of personal data; it acts on initiatives from citizens
and requests concerning violations of the law; responds to complaints from individuals and legal
entities concerning unlawful processing of personal data; continuously educates controllers
and processors and gives expert assistance; performs inspections; and is a body
that is continually consulted on amendments to legislation in RM.
Representatives of Google and Facebook and of personal data protection authorities from
the region and beyond sat at the same table. With the support of the OSCE Mission
in Skopje, the challenges posed by new technology and how to preserve our privacy
and personal data were also discussed.
For this occasion, the Director of the Directorate for Personal Data Protection
addressed the citizens of the Republic of Macedonia through an article in “Nova
Makedonija”. In the past 10 years, transparent work and an educated and informed public were
and remain among the priorities of the Directorate for Personal Data Protection.
On the occasion of the 10-year anniversary, the Directorate for Personal Data
Protection, in cooperation with Facebook, released a Handbook for parents on Instagram.
Besides the English version, the handbook was translated into six more languages, and
into Macedonian as well. Young people communicate and socialize through various
applications, video game chat and telephone messaging, and Instagram is
one of the most popular social networking applications for smartphones. As an
application, Instagram offers an advanced level of protection of the privacy of its users, but
it is also important for parents to be informed of the way their children use this platform and
be aware of the potential risks and dangers.
Research was also published on institutional recognition of the protection of
personal data. The main objective of this survey was to investigate
awareness of the existence of the Directorate for Personal Data Protection as an institution
and to determine how familiar respondents are with its work and responsibilities. It was
found that 63% of the respondents were aware of the existence of the Directorate for
personal data protection and 84% of them know that in case they have a problem regarding
personal data they may contact the Directorate.
8.5 Initiatives
DPDP became a member of the National committee against hate speech
On 22.01.2015 the Directorate for Personal Data Protection became a member
of the National Committee against hate speech, which is actively involved in the campaign
against hate speech on the internet. The campaign against hate speech on the internet is a
movement within the EU and beyond, against expressions of hate speech on the internet in
all its forms, including those that most affect young people, supported by the Council of
Europe. The campaign is a part of the project “Youth against hate speech on the Internet”
which stands for equality, dignity, human rights, and diversity. It is a project against hate
speech, racism and discrimination in all their forms of expression.
The membership takes into account the efforts of the Directorate for personal data protection for
outreach to young people on issues relating to the protection of personal data, the safe use
of social networks and non-proliferation of hate speech on the internet, supporting young
people in achieving their rights online and offline and thus preventing misuse of personal data
online, reducing the level of acceptance and dissemination of hate speech and the support
and solidarity to victims of hate speech, as an affirmation of the main objectives of the
campaign against hate speech on the internet.
DPDP became a member of the Alliance for Open Educational Resources
In view of the activities it continuously conducts for young people, the
Directorate for Personal Data Protection was invited to join the Alliance for Open
Educational Resources as an institution that advocates education for all ages, especially
in promoting the right to protection of personal data. In October 2013, the Alliance for Open
Educational Resources, initiated by the Metamorphosis Foundation, published the
Declaration for Open Educational Resources in Macedonia.
Currently the declaration has over 370 individual supporters, as well as 18
organizations, including higher education institutions, secondary schools and NGOs.
The OER Declaration of Macedonia is based on the UNESCO Declaration on Open Educational
Resources adopted in Paris in 2012. The Alliance for Open Educational Resources
is open to individuals, organizations and institutions, and functions as an informal network
with a common goal: raising the awareness and capacity of the academic and scientific
community for the creation and use of open educational resources in the country.
The Alliance for Open Educational Resources supports the development of Open
Educational Resources (OER) in Macedonia, based on the principles of the Paris
Declaration on Open Educational Resources 2012 adopted by UNESCO at the “World
Congress for Open Educational Resources” in 2012. This support means respecting and
implementing, whenever possible, the recommendations adopted at the Congress in order
to provide open education accessible to all.
DPDP was involved in the creation of the National Youth Strategy of the Republic of Macedonia (2016-2025)
The Directorate for Personal Data Protection places special emphasis on the
education of young people and on informing them about the right to personal data protection.
Of particular importance is its inclusion in the drafting process of the new strategy for
youth. The Agency for Youth and Sport, in collaboration with the
United Nations Development Programme, has begun the process of creating a
new National Youth Strategy of the Republic of Macedonia (2016-2025).
The process of creating the new National Strategy for Youth will take place in the period
from February to November 2015. It involves the creation of a document that reflects the
real needs of young people and the basic framework for undertaking activities that promote
the position of youth in society.
Creating the guidelines for the vision of the strategy was one of the thematically
focused workshops designed for the working groups, where they had the opportunity to
define the key challenges faced by young people. Participation in the “Youth
Information” and “Education” workshops should lead to conclusions and proposed measures for better
information, the use of appropriate tools to communicate with young people, as well as greater
inclusion of youth in building the formal education system for youth information and
education by institutions.
8.6 Cooperation with civil society and NGOs
Cooperation with the NGOs and civil society is one of the priorities for work in the
Annual Work Programme for 2015 for the Directorate for personal data protection. This
year, special attention was paid to raising public awareness and educating young people
involved in non-governmental organizations to support their work and development
activities.
Association for youth activism “Youth Vision” – Caravan of Privacy
Issues related to employment and personal data protection, labor relations,
publishing personal data on social networks, sharing photos etc., were again topics of
education in Bitola on May 07, at an event organized by the Association for youth activism
“Youth Vision” and several invited NGOs. For this purpose, young people prepared a flyer to
promote greater transparency and attendance of young people at the event.
Cooperation with the Youth Education Forum
Members of the program “Ucime Pravo” from several cities in Macedonia (Veles,
Bitola, Skopje, Kicevo, Gevgelija etc.), as a part of the workshop “EU Weekend”, which was
organized in Ohrid from 03-05 April by the NGO “Youth Educational Forum”, had the
opportunity to hear three guest lectures by a representative of the Directorate for
personal data protection.
The lectures were aimed at introducing the students to the legal framework of data
protection and the rights of citizens to be informed about who processes personal data, and the
right to access, delete, and update data. They also presented the initiatives
implemented by the Directorate for personal data protection for raising public awareness of
the right to protection of personal data. High school students showed the greatest
interest in the posting of personal information on social networks.
Also, at the invitation of the OIF, a representative of the Directorate for personal
data protection took part in the 7th consecutive summer school – Academy for Youth,
organized by the OIF in the period from 18-20 August on Popova Sapka. Students
showed particular interest in social networks, privacy policies, “The Right to be forgotten”
and a series of events worldwide which highlighted the right to personal data protection.
„Days of education and career“
In the period from 07-09 May, the Directorate for Personal Data Protection was
present with its own promotional counter at the “Days of Education and Career”, where visitors
could get acquainted with the Directorate as the body responsible for protection of personal
data, as well as get informed on how to act in case their data are being misused and their
right to privacy is violated. Promotional materials were also distributed, and especially for this
event, bookmarks were printed with the logo of the Directorate and its website, FB and
Twitter profile, through which citizens can contact the Directorate.
A survey was also performed among the visitors, using a specially developed
questionnaire on knowledge of the responsibilities of the Directorate, which is
expected to result in an analysis of the degree of distinctiveness of the Directorate. The
promotional counter was located within the stand of the University “SS. Apostle Paul” – Ohrid, Hall 3
at Skopje Fair.
Humanitarian action for the 10th anniversary of the Directorate for personal data protection
In the spirit of celebrating 10 years of its existence, responsible and dedicated to
performing the function of guardian of the personal data of citizens of the Republic of Macedonia,
and in order to fulfil its commitment to humane and socially responsible actions, employees of
the Directorate for personal data protection initiated a humanitarian action in cooperation
with the Red Cross of Macedonia. The action consisted of collecting clothes, shoes and
personal hygiene items. A box was also set up for collecting monetary donations. The
donations are intended for the stations for the homeless.
Responsibility and humanity, and above all humanity, are crucial foundations of a
healthy and functioning society and values that each socially responsible organization
should practice in its operations. In accordance with the Memorandum of Cooperation, the
Directorate for personal data protection and the Red Cross of Macedonia have on several
occasions organized humanitarian relief efforts for various target groups.
Local youth councils
At the conference presenting the results and challenges of establishing
local youth councils, interest was expressed in supporting their capacity building
through lectures for youth and the delivery of educational materials. For that purpose, in 12 local
youth councils in the municipalities of Delcevo, Struga, Kicevo, Tetovo, Negotino, Skopje,
Debar, Ohrid and Bitola, representatives of the Directorate for Personal Data
Protection were present and held lectures on the councils' premises, introducing the right to
personal data protection, the responsibilities of the Directorate, and the initiatives and
activities undertaken in
order to raise awareness among young people. The lectures developed into a fruitful debate from
which a number of new ideas emerged for future joint activities, organizing informative
events, as well as training for trainers at a local level that would further spread the
knowledge to the youth of the municipality.
After the lectures, materials and brochures were distributed in order to inform about
the protection of personal data, and several info-days with distribution of materials
were organized in municipalities.
Visit of DPDP to NUUB Sv. Kliment Ohridski – Bitola
The youth council of the municipality of Bitola, again in cooperation with the
Directorate for Personal Data Protection, donated books entitled “Privacy is just mine”. This
activity of the Youth Council of the Municipality of Bitola was conducted in order to bring young
readers closer to their rights and opportunities for personal data protection.
Workshop on the right to personal data protection
On our initiative, on 14.10.2015, and with the support of the UNDP Office in Skopje, a
workshop was held on the right to personal data protection for the representatives of youth
organizations and civil society. Participants showed great interest in the current legislation in
Macedonia, the responsibilities of the DPDP, media and misuse of personal data etc.
Press release – Macedonia now on Google Street View
The Directorate was actively involved in the negotiations preceding the launch of
Google Street View in Macedonia. As of October 2015, you can virtually walk around the
centers of Skopje and Bitola or admire Ohrid, the city of pearls, with the launch
of the new Street View Gallery in Macedonia.
8.7 Signed Memorandums
During 2015, memorandums were signed between the Directorate for Personal Data
Protection and several NGOs working on educating the youth, as well as technical and
legal faculties. Several lectures were held at the invitation of faculties, which effectively
proved the need for and increased interest in sharing knowledge on data protection
and the application of legislation in light of information technology development.
1. Signed memorandum of cooperation with NGO “Youth Education Forum”
2. Signed memorandum of cooperation with NGO “Youth Can”
3. Signed memorandum of cooperation with the International Slavic University „G.R. Derjavin“ in Bitola
4. Signed memorandum for cooperation with “FINKI”
9. INTERNATIONAL COOPERATION
International cooperation is a strategic decision of the Directorate for personal data
protection. International cooperation is mainly realized through participation in
working groups, international organizations and relevant institutions in the field of interest.
9.1. Activities related to the process of European integration
Excerpt from the report by the European Commission for the Republic of Macedonia for 2015 concerning the protection of personal data
“The Law on personal data protection is aligned with EU legislation. Directorate for
personal data protection continues to strengthen its capabilities through ongoing training,
with 4 new jobs and slight increase in the budget. The Directorate has increased its
activities in 2014, implementation of 404 inspections in the public and private sector (387 in
2013) and finding 300 violations in total. The Directorate received 371 complaints in 2014
(404 in 2013) which mostly relate to the misuse of personal data on social networks. The
number of controllers of personal data and trained processors rose to 66 in 2014 (54 in
2013) and activities to raise public awareness. The Directorate is consulted on a draft
legislation, public policy and operations on data controllers more frequently than in previous
years. Additional efforts are needed to ensure full harmonization on sectoral laws with the
Law on personal data protection. The Directorate, which is an independent regulatory body,
has yet to take actions on the recent publication of mass illegal surveillance of individuals
through electronic communication. This raised questions about the ability to act with
complete independence”.
NPAA – National Programme for the Adoption of the Acquis
As part of the continuous updating of the status of implementation and adoption of
European Union law, the Directorate has completed
the following objectives defined in Chapter 3:23 Judiciary and Fundamental Rights of the
National Programme for the Adoption of the Acquis (NPAA), planned for 2015, which refer to
personal data.
These include a review of activities implemented within the framework of the
Action Plan for implementing the strategic document – Communication strategy for
raising public awareness of the right to protection of personal data; implementation of
inspections;
Subcommittee on justice, freedom, and security
For the 11th meeting of the subcommittee on justice, freedom and security,
held in Brussels in 2015, materials were prepared in the field of personal data
protection, in which new developments and updates of laws, regulations and so on
that contain provisions on the protection of personal data were discussed. This is of particular
importance for the Directorate in its efforts to actively participate in policy making and in giving
opinions on laws and regulations at the national level.
Inter-ministerial body for human rights2
The Directorate for personal data protection is one of the 12 representatives in the
inter-ministerial body for human rights, which held a session in 2015.3 At its conclusion,
it was decided to form an Expert Working Group with representatives / employees at
expert level of all institutions that are members of the Inter-Ministerial group on human rights,
aimed at strengthening the work of the body and reviewing current issues and
obligations of RM in the area of human rights.
2 The commitment of the state to human rights was confirmed by the establishment of the Inter-Ministerial Group on Human Rights by a Resolution of the Government of the Republic of Macedonia in April 2012. This body is chaired by the Minister for Foreign Affairs, and its members are state secretaries in the Ministry of Foreign Affairs, Ministry of Justice, Ministry of Labor and Social Policy, Ministry of Interior, Ministry of Education and Science, Ministry of Health, the Secretariat for European Affairs and the Secretariat for implementation of the Framework agreement, and the Directors of the Commission for relations with religious communities and religious groups, the State Statistical Office, the Directorate for Personal Data Protection and the Agency for the rights of minorities. External members of the body: the Deputy Ombudsman of the Republic of Macedonia, the President of the Agency for audio and audiovisual media services, the President of the Commission for Protection against Discrimination and the President of the Commission for Protection of the Right to Free Access to Public Information. The powers of the Inter-Ministerial Group on Human Rights relate to: strengthening coordination in the area of human rights among all ministries and Government authorities, information exchange and implementation of the recommendations contained in the reports of the committees and other bodies of the UN, Council of Europe, EU and other international organizations, giving proposals for improvement of legislation in the field of human rights and providing other proposals to the Government of importance to the promotion of human rights in the country.
3 The meeting of the Inter-Ministerial Body for Human Rights discussed the review of the reporting obligations of the Republic of Macedonia in terms of international human rights instruments, the review of the current obligations of the country in the field of human rights in the context of EU integration, the program for Government cooperation with UNICEF, proposed measures for providing accreditation status "A" of the Ombudsman by the International Coordinating Committee of National Institutions for the Protection and Promotion of Human Rights (in accordance with the Paris Principles), the recording of cases motivated by hatred by competent institutions, initiating procedures for signing and ratification of international agreements on human rights by the Republic, and visit reports to the monitoring mechanisms of the UN and Council of Europe.
9.2. Following the European legislation on protection of personal data
During 2015, expert discussion continued at European level aimed at
improving the text of the draft of the new EU legislation on the protection of personal data.
Within the bodies and organs of the EU and in the Council of Europe, the mechanisms and
instruments that have to be implemented by national
legislation and be compatible with globalization, digital development, and the need
to protect privacy have been discussed.
With a view to the enactment of the new regulation, which establishes a general EU
framework for the protection of personal data and will replace Directive 95/46/EC, on 18th
December 2015 COREPER confirmed the text agreed with the European Parliament for
reform in the area of data protection. The reform package includes a Regulation on Data
Protection and a Directive on data protection for police and criminal justice. It
will focus on strengthening the rights of individuals, strengthening the EU internal market,
providing greater focus on implementation, streamlining international transfers of
personal data and setting global standards for data protection. The regulation also promotes
the introduction of techniques such as anonymisation, pseudonymisation, and encryption. 4
The proposal for the new text of the regulation can be read at the following link:
http://ec.europa.eu/justice/datarotection/document/review2012/com_2012_11_en.pdf
9.3. Participation in the EU bodies for the protection of personal data
Advisory committee of the Council of Europe to protect the individual from the automatic processing of personal data T-PD
The Council of Europe is a leading organization for human rights in Europe.
Currently, it has 47 member states, 28 of which are EU member states. All member states of
the Council have signed the European Convention on Human Rights, an international treaty
(tool) designed to protect human rights, democracy and the rule of law.
4 These pillars of privacy will undergo changes; the proposed changes to EU regulations will result in the need to change domestic regulations as well. Although at present the Law on Protection of Personal Data ("Official Gazette" no. 7/05, 103/08, 124/10, 135/11, 43/14 and 153/15) is fully compliant with international legislation, employees of the Department follow daily the direction of the changes proposed at European level, in order to prepare for rapid adaptation to change and acceptance of innovations, as well as to ensure the full functioning of the concept of privacy and to follow the latest standards in this area. In addition to Directive 95/46/EC and Convention 108, the Directorate monitors all other directives, recommendations, opinions and resolutions adopted by international expert groups working in the field of protection of personal data and participates with its views and comments in the preparation of the new .
The Convention on the protection of individuals with regard to Automatic Processing of
Personal Data (Convention 108) has been open to accession since January 28 1981 and is the first
legally binding international instrument in the field of personal data protection. According to
this Convention, countries are invited to take the necessary steps in their national law to
apply the principles of the Convention in order to ensure on their territory protection of
fundamental human rights in relation to the processing of personal data.
The European Court of Human Rights monitors the implementation of the
convention on human rights by member states. Natural persons may file a complaint or
initiate proceedings for violations of human rights before the court in Strasbourg, but only
after they have exhausted all legal remedies at home. What is new is that the European Union is
preparing to sign the European Convention on human rights, which will create a common
European legal space for over 820 million citizens in this segment.
The Council of Europe, through the T-PD Consultative Committee, continues discussions
on amendments to Convention 108 of the Council of Europe for the protection of the
individual in connection with the automatic processing of personal data, including the
Additional Protocol to the Convention regarding supervisory authorities and transfer of data to
third countries. The text, which is in its final phase, is supported by representatives of the
personal data protection authorities within the highest body of the Council of Europe.
For this purpose, an ad hoc committee, CAHDATA, was formed.
The Directorate is a full member of the Consultative Committee to protect the
individual from automatic processing of personal data T-PD. The Directorate participated in
the 32nd session of the T-PD Committee, held from 01 to 03 July in Strasbourg. The topic of
discussion was the modernization of the convention, the main innovation in the field of personal
data protection, as well as the signing and ratification of the accession to Convention 108.
Article 29 Working Party
The Directorate has observer status in the Working Group 29. During 2015,
representatives of the Directorate participated in all four meetings of the Working Group 29,
which made it possible to follow the news that will be covered by the new legislation on protection
of personal data of the European Union, whose adoption is expected in the next period.
Spring Conference – European Annual Conference on Data Protection (Spring Conference)
In the period 18-20 May 2015, the Director of the Directorate for Personal Data
Protection took part in the European Conference of bodies for the protection of personal data,
held in Manchester and organized by the Commissioner for Personal Data Protection in the UK.
This year's Spring Conference was entitled “Navigating through the digital future – in
practice”. The main driver of the panel discussions at the conference was the reform of the protection
of personal data in Europe, which launched a discussion about the power and competence
of the authorities for the protection of personal data and puts into focus the right to protection of
personal data. The Director of the Directorate gave a speech in the panel discussion
dedicated to the “Case Handling Workshop” hosted by DPDP in 2014, which referred to the
success of the 26th organized workshop of cases, an event which is a great opportunity for
the authorities for the protection of personal data to exchange experiences and practical examples of
their work. The Director presented a handbook which the Directorate prepared as a product
of a previously organized international workshop in Skopje.
Participation on the 37th International Conference of the Commissioners for data protection
Between 04-08 May the Director of the Directorate for personal data protection, Mr.
Dimitar Georgievski, took part in the 37th international conference of Commissioners on
personal data protection held in Amsterdam, Netherlands. Under the motto “Building
bridges of privacy”, more than 750 experts worldwide discussed the so-called “Bridges of
privacy” while sharing meaningful experiences and practices in the field of protection of
personal data and the right to privacy, primarily referring to finding practical solutions to
increase the level of protection of personal data in transatlantic transfers.
These “bridges to privacy” are designed to strengthen the value based on privacy in
a way that would resolve the differences between the legislation of the EU and the US. The
report “Tour du Monde” served as a summary of the overall discussion of the Conference, in
order to show that problems and challenges related to privacy and protection of personal
data exist and are the same everywhere on earth.
The presence of representatives from more than a hundred bodies for the protection of
personal data and the right to privacy around the world was an excellent
opportunity for informal sharing of experience and best practices, as well as for acquiring
numerous contacts for future professional collaborations and expanding the sphere of
international cooperation of the Directorate for personal data protection.
Participation on the 5th Congress of the European Days of personal data protection, and participation on a conference on privacy protection in Berlin, Germany
In the period from 04 to 08 May, the Directorate for personal data protection took
part in the 5th Congress of the European Days of Personal data protection and the conference
on privacy protection in Berlin, Germany. Many European experts discussed topics such
as cloud data, big data, and data collection while performing direct marketing. Participation
in this type of event is essential in order to exchange experiences and knowledge in
various areas related to personal data protection and to monitor modern trends in
technologies.
International conference on the protection of personal data and privacy in the use of drones
In the period 05-06 February 2015 in Budapest, Hungary, the Director of the
Directorate for personal data protection Mr. Georgievski took part in the International
Conference on the protection of personal data and privacy in the use of drones. The organizer
of the conference was the Hungarian authority for personal data protection.
Participation on a regional conference “Privacy in the Digital Age”
On January 27, 2015, the Director of the Directorate for personal data protection,
Mr. Georgievski, visited the Republic of Kosovo and took part in the regional
conference entitled “Privacy in the Digitalized Age”, which was organized by the Agency for
personal data protection in Kosovo. At the conference, Mr. Georgievski was one of the
presenters on the topic “New Challenges facing the Balkan authorities for protection of
personal data in digitalized age”. Participants were addressed by representatives of the
data protection authorities from Kosovo, Albania, Montenegro, Bulgaria, Norway, and
Japan, where challenges and experiences were shared. The representative of Japan
devoted his speech to “Privacy in Japan: law, culture, and reform.” This was an excellent
opportunity for participants to exchange their practices, discuss issues, and share and discuss
possible solutions for further reforms and actions, especially in the regional aspect.
Participation on the 8th International Conference on Computers, Privacy, and Protection of Personal Data (CPDP 2015) Brussels
In the period 21-23 January 2015, the Director of the Directorate for personal data
protection took part in the 8th International Conference on Computers, Privacy and
Protection of Personal Data (CPDP 2015) in Brussels. The conference is an
event where participants share the most current and latest developments and experience in
the legal, regulatory, academic and technological development in the field of personal data
protection and privacy. Each year it gathers academics, lawyers, policy makers, computer
scientists, and representatives of civil associations, in order to exchange ideas by discussing
the most current issues and trends in this area. That makes the conference one of the most
frequented conferences in the field of data protection and privacy in Europe and
worldwide. More than 415 participants from academia and the public and private
sectors were part of the 70 panel discussions which were held during this year's three-day
conference on highly topical themes: mobility (mobile technologies, transferable
technologies, border surveillance), big data, privacy and innovation, cyber security,
management of the internet and privacy, as well as reforms concerning the protection of
personal data in the EU and the United States aimed at regulating the monitoring of
governments. One of the panelists at the conference was Jan Albrecht, MEP and rapporteur
on data protection in the European Parliament, who together with other MEPs was part of the
panel discussion entitled “Reform for personal data protection: Have we found the right
balance between fundamental rights and economic interest?” He emphasized his optimistic
perception of the draft DP EU Regulation, saying that it is possible to come to a
decision by 2015. Albrecht said that Parliament's position is already a compromise
between the many stakeholders prepared to negotiate on more points, but now the parties
have to talk about the details and not return to the principles. He stressed that introducing
the regulation would be a subsidy for IT companies in the EU, and that it would be a handicap if Europe had
28 different models for data protection. The delay means loss of purchasing power for the EU
and loss of rights.
Also, a representative from the body for personal data protection of Chile
announced that it is in the process of drafting a new law on personal data protection which
is aimed at the new draft amendments to EU legislation. It means the establishment of a new
body with higher fines for violations related to personal data and privacy. At the moment,
the maximum amount is 3000 euros.
Participation in an International Conference “Gaining digital edge: freedom of expression”
In the period 16-18 October in Belgrade, a representative from the Directorate for
personal data protection, through the OSCE Mission in Serbia, the Foundation SHARE –
Serbia and Central European University for Public Policy, took part in the International
Conference “Gaining digital edge: freedom of expression”, attended by several NGOs,
institutions, and universities in the region and beyond. The conference was aimed at
networking with civil society working on projects to raise public awareness about the safe
use of the Internet and at sharing best practices for the education of young people on privacy
and protection of personal data. Topics that were discussed: Right to deletion of data; the
Delfi case before the European Court of Justice; Ethics of research and use of data: privacy
risk? New frontiers in publishing the video materials; etc.
Participation on the 17th meeting of the authorities for personal data protection of the countries from Eastern and Central Europe – CEEDPA
A representative from the Directorate for personal data protection took part in this
event. Colleagues from Albania hosted the 17th meeting of the authorities for the protection of
personal data of the countries of Central and Eastern Europe, held in the period 29-30 April
2015 in Tirana, Albania. The professional discussions were
mainly related to data security, and the authorities for the protection of personal data
of countries from Central and Eastern Europe also presented their individual experiences in
carrying out inspections of the processing of personal data, etc. One part of the meeting
was devoted to the independence of protection of personal data and the challenges they
face. At the same time, the authority for the protection of personal data of Kosovo became
a new member of CEEDPA.
Participation on the 1st meeting of the Working group on the protection of personal data within the PCC SEE
A representative from the Directorate for personal data protection took part in the 1st
meeting of the Working group on the protection of personal data within the PCC SEE, held
from 16-18 December 2015 in Ljubljana, Slovenia. The meeting agreed to prepare a
questionnaire to assess the situation on the protection of personal data in each Member
State of the Convention; to form a subgroup within the Working Group on Data Protection;
and to hold meetings for the preparation of the Implementation Agreement on protection of
personal data under Article 34 of the Convention.
Participation in IDC SEE FORUM 2015
In the period from 13-21 September 2015 in Opatija, Croatia, the Director for
personal data protection participated in the IDC SEE FORUM, which was held from 16-18
September and which presents an opportunity to get to know and consider future trends
and challenges, to analyse current strategies, and to exchange experiences
and best practices in the field of IT.
Study visit to Oslo, Norway
In the period from 08 to 09 September 2015, representatives from the Directorate
for personal data protection of the Republic of Macedonia, led by the deputy director of the
Directorate, and representatives of the authorities for the protection of personal data from the Western
Balkans (Serbia, Montenegro, Bosnia and Herzegovina, Albania and Kosovo) made a
study visit to the Norwegian authority for the protection of personal data, Datatilsynet. The
study visit was realized within the project “Continued support to the promotion of the
protection of personal data”. The purpose of this study visit was to get to know the work
of the Norwegian authority for the protection of personal data
(Datatilsynet) and exchange experiences with it, as well as to visit the NorSys center, presenting the experiences and best
practices to address the challenges for the protection of privacy on the Internet in the
Western Balkans.
Participation in the International conference “Free Access to Information – regional experience and international standard”
The deputy director of the Directorate for personal data protection in the period from
19-20 November 2015 in Podgorica, Montenegro, took part in this conference where new
approaches were discussed about the judgement of the European Court of Human Rights
in this field.
Participation on an International conference “Trust, privacy and security while protecting personal data in the digital world”
The Director of the Directorate, in the period between 16-20 November in Sofia,
Bulgaria, took part in the International Conference on “Trust, privacy, and security while
protecting personal data in the digital world”, focusing on themes which cover legal issues
and strategic visions for the acquisition of privacy in the digital world. In the presence and
with the active participation of experts from the IT sector, attention was also paid to the new
aspects of regulation of this matter.
Participation on an international conference “Competence to combat hate speech on the internet”
In the period from 14-20 December in Tbilisi, Georgia, organized by the “Alternativi
International” Bulgaria through the Erasmus + Programme, a representative from the
Directorate for Personal data protection took part in the international conference
“Competence to combat hate speech on the Internet” which was attended by several
NGOs, institutions, and universities from 9 countries. The purpose of this trip was
networking with civil society working on projects to raise public awareness about the safe
use of the Internet; sharing of best practices for the education of young people on privacy
and protection of personal data.
Google in Macedonia for growth opportunities and challenges of innovation guided by open data
On June 21, 2015, in Skopje, Google in cooperation with the Directorate for
personal data protection of Macedonia organized a closed event that
gathered all stakeholders: representatives from various sectors such as telecommunications,
banking, education, IT companies and so on. The event, entitled “Innovation driven
by data – Growth opportunities and challenges”, was completely dedicated to the consequential
and socio-economic value that derives from the use of data analysis by private and public
organizations to make better decisions and create new products and services. During the
event, participants discussed the results of the policy document “Innovation driven
by data – growth opportunities and challenges in South East Europe”, prepared by seven
institutes in the region that participated in the research and preparation of the paper. The
policy document highlighted the advantages of accepting innovations driven by data
and the need to develop balanced policies in support of open data and of the utilization of
open data.
The Directorate for personal data protection became a part of the EuroCloud initiative
The Directorate for personal data protection has become a part of the EuroCloud
initiative as a partner who will be involved in all activities relating to the protection of personal
data when using “Cloud” services.
EuroCloud is an independent non-profit organization that represents a pan-European
center for knowledge sharing between customers that use Cloud computing, service
providers and research centers. EuroCloud maintains an open dialogue with all partners in
order to link business and IT. The Directorate became a part of this initiative, taking into
account future activities and plans, in order to provide adequate protection for
personal data which are processed through “Cloud” services.
9.4. Use of EU funds
The implementation of the project “Support to access the right to protection of
personal data” started on November 23, 2015, financed by the IPA TAIB 2012
programme. The duration of the project is 24 months and it will be implemented by the group
Vialto Consulting Ltd. (Vialto), Hungary, in consortium with IPS Institute for Project
Consultancy (IPS) from Slovenia and the National Authority for Data Protection and Freedom of
Information (NADPFI), Hungary. The main objective of the project is to improve data
protection in the country in line with EU legislation. Also, this project will provide further
improvement of the (legal and institutional) framework for personal data protection in the Republic
of Macedonia, in accordance with best EU practices, in order to ensure that citizens are
guaranteed protection of their personal data through:
- Further harmonization of national legislation with new reforms for the
protection of personal data in the EU and positive experiences
- Strengthening the mechanisms for protection of personal data in various
areas
- Developing and implementing a new strategy for the protection of personal data
- Implementation of ISO standards and standards for privacy
The project will be implemented through the following three components:
Component 1: Implementation of the Strategy for Protection of Personal data from
2012 to 2016 and the development of a new strategy 2017 – 2022,
Component 2: Capacity building for further implementation of the Law on Protection
of Personal data and improving cooperation with controllers, and
Component 3: Implementation of IT standards and privacy standards
Norwegian grant for institutional strengthening of the Directorate for Personal Data Protection
The upgrading of the institutional and organizational capabilities of the Directorate
continued during 2015 through the project “Continued support for the promotion of the
protection of personal data” funded by the Ministry of Foreign Affairs of Norway.
The project introduced and implemented new mechanisms and tools in the current legal
environment, paying particular attention to Delete ME and Data Processing in Cloud
Computing. The second component of the project is focused on deepening cooperation
on personal data protection law in the Western Balkans.
During 2015, individual visits were made by the Director and the Deputy Director
of the Directorate to all authorities for personal data protection in the Western Balkan
countries, and cooperation was established within the project. Also, their representatives
participated in the conference organized to mark the tenth anniversary of the existence
of the Directorate for Personal Data Protection, which had a special panel dedicated to
regional cooperation. The promotion of the project also took place within this event. At the
end of the year, a new web page, www.deleteme.mk, was created to give citizens an
efficient, effective and transparent way to deal with an invasion of privacy when using social
networks. This web site will be put into use in the beginning of 2016. Through the project,
trainings were conducted for the employees of the Directorate in order to improve their
knowledge concerning risks to privacy in the use of technology in everyday work and life.
Multi – user TAIEX workshop on the protection of personal data of foreigners
In the period 24-25 February in Skopje, with the support of the European
Commission, DG Enlargement Institutional building, TAIEX - Justice and Home Affairs, the
Directorate for Personal Data Protection and the Ministry of Internal Affairs
organized and held a multi-user TAIEX workshop on the protection of personal data of foreigners (with a
focus on asylum seekers and migrants). This workshop was developed in response to a common regional
need expressed by a number of relevant domestic institutions, in the period when the
Republic of Macedonia, through the Ministry of Internal Affairs, holds the MARRI presidency, and was also
supported by the MARRI Regional Center. The main objective was to identify lessons and best
practices from Member States of the EU on this part of the legislation for asylum and
migration, with special attention to the aspect of data protection. Since there are no such
initiatives or training, and only a low number of seminars conducted on the subject, it is important
to gather representatives from the ministries of interior in the region of the Western Balkans
and Turkey working in the field of asylum, refugees, and migration issues, and
representatives from the authorities for the protection of personal data in the region, and to upgrade their
capacities, including data protection as an aspect of the subject.
9.5 Bilateral and multilateral cooperation
Recognition for successful operation from the CNIL – body for protection of personal data in France
On the occasion of the 10 year anniversary, on June 22, the Directorate for personal data
protection was awarded, by a representative of CNIL – the authority for the protection of personal data of France,
a plaque for successful operation and active participation in
international discussion of the challenges of personal data protection. The recognition has
even greater significance given that the chief Commissioner of the CNIL, Isabelle
Falque-Pierrotin, is also the Chairman of the Article 29 Working Group, which includes
representatives of all authorities for personal data protection in the EU. Although the
Directorate for personal data protection has the status of an “observer”, it still actively
participates in the plenary session.
Working visit to the authority for Personal data Protection in Serbia
On October 02, 2015, the Director of the Directorate for personal data protection
made an official visit to the Authority for Personal data protection in Serbia to share the
experiences of implementation of the regulations on protection of personal data.
Furthermore, within the visit, a Memorandum of Cooperation was signed between the two
bodies.
Official visit to the authority for the protection of personal data of Kosovo
The Director of the Directorate for personal data protection, from 05-08 March in
Pristina, paid an official visit to the institution for the protection of personal data of
Kosovo, based on a signed memorandum of cooperation between the two institutions, to
exchange experiences and to mutually stimulate bilateral and multilateral projects, IPA
experiences, and Erasmus plus.