Personal Data Protection Lawyer in North Macedonia: A GDPR‑style guide for controllers, processors, and fast‑growing companies

This guide explains how personal data protection works in North Macedonia. It uses clear language. It has been drafted by our managing partner, Vladimir Boshnjakovski, who is an experienced personal data protection lawyer in North Macedonia and a personal data protection consultant in Skopje. He has worked with personal data compliance for over ten years, advising companies dealing with voluminous and sensitive personal data, such as financial companies and companies active in the healthcare sector. In addition, he acts as a data protection officer for two ICT companies.

Illustration representing personal data protection and GDPR compliance.

Because North Macedonia has fully incorporated the General Data Protection Regulation (GDPR) into its legislation, this article also serves as a practical guide to "how to comply with GDPR in North Macedonia."

You will learn:

  • what the Law on Personal Data Protection (LPDP) requires,
  • who the key roles are (controller, processor, DPO, and more),
  • which rights individuals have,
  • how to handle sensitive data (especially health data),
  • how cross‑border transfers work in practice, including transfers to the EU/EEA and NATO member states. 

For official sources, start here:

Which industries should be most concerned with Personal Data Protection Compliance in North Macedonia?

North Macedonia has a modern, GDPR‑aligned law. The LPDP explicitly states it is harmonized with Regulation (EU) 2016/679. 

Regulators also show clear sector priorities, as some industries have more inherent privacy risks due to the volume or sensitivity of the processed personal data. Other industries might attract attention due to ways of processing data that are new or invasive. That is not a theory. It affects day‑to‑day operations, vendor management, and incident response. 

If you operate in tech, fintech, outsourcing, or healthcare, you likely process:

  • large volumes of customer or employee data,
  • identifiers and financial records,
  • sensitive data such as health or biometric information,
  • cross‑border data flows (cloud hosting, support, analytics, payroll). 

The LPDP and the GDPR: what matches and what is different?

The LPDP tracks GDPR structure and language closely. You will recognize the same core building blocks: definitions, principles, lawful bases, data subject rights, accountability, DPO rules, security obligations, DPIAs, breach notification, and international transfer tools. 


Quick comparison table

| Topic | North Macedonia LPDP (practical meaning) | GDPR (EU baseline) |
|---|---|---|
| Alignment | LPDP states harmonization with GDPR. | GDPR is the EU regulation. |
| Territorial reach | GDPR‑style extraterritorial scope. It covers local establishments and certain foreign controllers offering goods/services or monitoring behavior. | Same model. |
| Special categories | Same concept and list (health, genetic, biometric, etc.). | Same concept in Article 9. |
| Major local specificity | Prior approval requirements exist in certain cases, including health/genetic/biometric data (Article 84) and some systematic use of national ID numbers (Article 83). | GDPR does not require authority approval just because data is “health” or “biometric.” It requires a lawful basis and safeguards. |
| Data subject rights | Rights and timelines mirror GDPR: respond within one month, extend in complex cases, normally free of charge. | Same approach under Article 12 and Articles 15–22. |
| Breach notification | Notify AZLP within 72 hours where feasible; notify individuals if high risk. | Same structure (Articles 33–34). |
| International transfers | LPDP has GDPR‑style Chapter V tools. But it also has a notification step for transfers to the EU/EEA (and, since 2025, NATO member states). | GDPR Chapter V applies only to “third countries” and international organizations. No notification is required for transfers within the EU/EEA. |
| DPO | DPO rules are GDPR‑like, but LPDP includes formal criteria (education, language) and the AZLP keeps a public record of DPOs. | DPO rules exist, but GDPR does not impose a specific education/language checklist in the text. |

Key roles you must get right

The LPDP uses the same core roles as the GDPR. If you map your operations correctly, most compliance work becomes structured and repeatable. 

Role map in plain language

| Role | What it means | What it must do in practice |
|---|---|---|
| Controller | Decides “why” and “how” personal data gets processed. | Provide transparency, pick a lawful basis, manage risk, keep records, implement security, manage vendors, answer rights requests. |
| Processor | Processes data for a controller, on instructions. | Follow documented instructions, keep confidentiality, support security and breach reporting, help with rights, allow audits. Contract terms must cover these points. |
| Sub‑processor | A processor’s vendor. | Needs controller authorization and “flow‑down” obligations in writing. |
| Joint controllers | Two or more controllers decide purpose and means together. | They must allocate responsibilities in an arrangement and share the “essence” with data subjects. |
| Representative | A local point of contact when a foreign business targets individuals in North Macedonia. | Required in many cases when Article 3(2) applies. |
| DPO | A compliance lead who advises and monitors. | Must be involved early, report to top management, and serve as contact point. The controller must publish contact details and communicate them to AZLP. |

Two practical points matter for day‑to‑day work:

  • First, your controller‑processor contract is not “paperwork.” The LPDP lists what the contract must include, including confidentiality, security, assistance with rights requests, sub‑processor controls, deletion/return, and audit cooperation. 
  • Second, the DPO function is operational. The LPDP describes DPO tasks like advising, monitoring compliance, training, DPIA support, and acting as a contact point with AZLP. 

Rights and obligations that drive real compliance work

People (data subjects) have enforceable rights. Controllers have tight response duties. This is where most disputes start. 

What rights look like in practice

| Right | What the person can ask for | What your organization must have ready |
|---|---|---|
| Access | “Do you process my data? Show me a copy and key details.” | Data map, systems search process, verified identity workflow, response templates. |
| Rectification | “Fix incorrect data.” | Ownership of data sources, correction logs, downstream update notices where needed. |
| Erasure | “Delete my data” (where the law allows). | Retention rules, deletion procedures, exception analysis (legal obligations, claims, etc.). |
| Restriction | “Stop using my data for now.” | Ability to flag and freeze processing in systems. |
| Portability | “Give me my data in a usable format.” | Export formats, authentication controls, vendor support. |
| Objection | “Stop processing based on my situation,” especially marketing. | Legitimate interest assessment files, opt‑out tooling. |
| Complaint and court action | People can go to AZLP and courts. Damage claims are possible. | Internal escalation, legal review process, incident and evidence retention. |

Timelines matter. Under the LPDP, the controller must act without undue delay and generally within one month, with a possible extension of two more months for complex cases. If the controller refuses or does nothing, it must explain the reasons and point to the option to complain and seek judicial remedy. 

Sensitive personal data and high‑risk processing

What counts as “sensitive” in North Macedonia

The LPDP defines “special categories” in the same way as the GDPR. It includes racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, and genetic, biometric, and health data, plus sex life/sexual orientation. 

The default rule is also GDPR‑like: processing of special categories is prohibited unless an exception applies (explicit consent, employment/social security conditions, vital interests, public interest, healthcare, and other listed grounds). 

A major local difference: prior approvals

North Macedonia adds an extra layer in some areas.

Health, genetic, and biometric data: Article 84 provides that processing these categories requires prior approval from the AZLP in defined cases, although it also provides exceptions (for example, where processing is set by law with safeguards). 

National ID number processing: Article 83 restricts processing of the national identification number, and requires prior AZLP approval for certain systematic and extensive processing. 

These rules matter most in:

  • Healthcare (clinical records, patient portals, lab results, telemedicine, diagnostic tools),
  • Finance (KYC, credit scoring, fraud monitoring),
  • Tech (biometric access control, AI‑driven profiling, large‑scale analytics on sensitive datasets). 

“New product” risk: DPIA and early design

If you launch a new product, treat privacy as part of design.

The LPDP requires a data protection impact assessment (DPIA) before processing that is likely to create high risk, especially when you use new technologies, do large‑scale profiling, process special categories at scale, or monitor public areas at scale. 

It also requires data protection by design and by default. That means you build minimization, access control, and privacy settings into the product from day one. 

High‑risk processing notification

Beyond DPIAs, the LPDP includes a separate “high‑risk processing notification” concept. Article 71 requires controllers to notify the AZLP when using new technologies where high risk may arise, and it lists required content (filing system title, purpose, legal basis, categories, recipients, transfer info, and security measures). 

This is one reason local compliance often needs internal documentation, not just a privacy notice.

International data transfers: EU/EEA, NATO, and third countries

Cross‑border data flows are common for Macedonian companies. Cloud providers, hosting, customer support, payroll, and group reporting all trigger transfer questions. 

Transfers to the EU/EEA and NATO member states

Under Article 48, LPDP rules on “third‑country transfers” do not apply to transfers from North Macedonia to an EU Member State or to an EEA member. The controller or processor must still notify the AZLP about such transfers. 

In May 2025, the law was amended to add NATO member states into this simplified regime. The amendment inserts “NATO member state” into Article 48 and related provisions. 

The transfer rulebook also matters. It sets out the notice and application process, and it requires submitting the notice (and certain applications) 15 days before the start of the transfer, via the AZLP e‑application system or by email (scanned copy). 

Plain‑English takeaway: for EU/EEA and NATO destinations, you usually do not need a separate AZLP “transfer approval,” but you do need a simple notification step.  
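Three statutory clocks appear in this guide: one month to answer a data subject request (extendable by two further months in complex cases), 72 hours to notify AZLP of a breach, and the transfer notice that must be filed 15 days before an EU/EEA or NATO transfer starts. Computing them by hand is error‑prone around month ends, so the following Python helper is included here as an added example for this page; it is not code from the firm, from AZLP, or from any official source. It assumes that the one‑month period runs from the calendar date of receipt, that the extended period means three months from receipt in total, and that when the target month is shorter the deadline falls on its last day (31 January plus one month becomes 28 February). Those counting conventions are the example's own assumptions, not a statement of how AZLP counts days.

```python
import calendar
from datetime import date, datetime, timedelta


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date.

    Assumption (not from the law text): when the target month is shorter than
    the start day, the result clamps to the last day of that month, so
    31 January + 1 month -> 28 February in a non-leap year.
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def rights_request_deadlines(received: str, complex_case: bool = False):
    """Deadlines for answering a data subject request under the LPDP/GDPR model.

    Standard deadline: one month from receipt. In a complex case the period may be
    extended by two further months; this example treats that as three months from
    receipt in total (an assumption). Dates are ISO strings so results are easy to
    log or compare. Returns (standard_deadline, extended_deadline_or_None).
    """
    start = date.fromisoformat(received)
    standard = add_months(start, 1)
    extended = add_months(start, 3) if complex_case else None
    return (standard.isoformat(), extended.isoformat() if extended else None)


def breach_notification_deadline(aware_at: str) -> str:
    """72 hours from the moment the controller became aware of the breach
    (AZLP notification, where feasible). Input/output: ISO 8601 datetime strings."""
    return (datetime.fromisoformat(aware_at) + timedelta(hours=72)).isoformat()


def transfer_notice_deadline(transfer_start: str) -> str:
    """Latest filing date for the EU/EEA/NATO transfer notice: 15 days before the
    transfer is due to start (per the transfer rulebook described above)."""
    return (date.fromisoformat(transfer_start) - timedelta(days=15)).isoformat()


if __name__ == "__main__":
    # Constructed sample dates, chosen to exercise the month-end edge case.
    print(rights_request_deadlines("2026-01-31", complex_case=True))
    print(rights_request_deadlines("2025-12-15"))
    print(breach_notification_deadline("2026-03-01T10:00:00"))
    print(transfer_notice_deadline("2026-06-01"))
```

The month‑end clamping is the part worth reviewing with whoever owns the request register: a tracker that naively adds 30 days, or that rolls 31 January forward into March, will report a later deadline than the one‑month rule suggests.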


Transfers to third countries outside EU/EEA and NATO

The LPDP uses a GDPR‑style structure:

Adequacy: Transfers may proceed when the AZLP decides the third country or international organization provides an adequate level of protection. The transfer rulebook states the AZLP considers EU decisions and also whether a third country is a signatory to the Council of Europe Convention 108. 

Appropriate safeguards: When there is no adequacy decision, transfers may rely on safeguards (contracts, binding corporate rules, and similar tools, depending on the legal pathway). North Macedonia has adopted standard contractual clauses (SCCs) for third‑country transfers by AZLP decision, aligned with the EU SCC framework. 

Derogations (“exceptions”): The law also lists exceptions for specific situations, like explicit consent or necessity for a contract, public interest, or legal claims. 

Transfer toolbox table

| Destination | What you typically need | Key sources |
|---|---|---|
| EU/EEA | Transfer notification to AZLP; keep records of transfers. | LPDP Article 48; Rulebook on transfers. |
| NATO member state | Since 2025, treated like EU for Article 48 notification logic. Watch 2026 draft changes. | LPDP amendment 101/25; draft amendment notices. |
| Other third country | Adequacy decision, or safeguards (SCCs, etc.), or a narrow exception. | LPDP Articles 49–50; AZLP SCC decision and guidance. |

What should I know about using cloud services under personal data protection law in North Macedonia?

Cloud services are permitted under the Law on Personal Data Protection in North Macedonia. However, using international cloud providers creates legal responsibilities that go beyond basic IT security.

When your company uses providers such as AWS, Microsoft Azure, Google Cloud, or other SaaS platforms, you remain fully responsible as controller. Outsourcing infrastructure does not transfer liability for compliance.

A key issue is international data transfer. Many cloud providers store or replicate data across multiple jurisdictions. Even if your company operates in Skopje, your data may be processed in the EU, the United States, or other third countries. This triggers cross-border transfer rules under personal data protection law.

Before using cloud services, you must assess:

  • Where the data will be stored and accessed
  • Whether the transfer falls within the EU/EEA simplified route
  • Whether transfers to third countries require additional safeguards
  • Whether a notification to the Agency for Personal Data Protection is required

If personal data is transferred outside the EU/EEA or other permitted jurisdictions, appropriate safeguards such as standard contractual clauses or other legal mechanisms may be necessary.

In addition to transfer issues, you must ensure that a compliant controller-processor agreement is in place. The contract should regulate confidentiality, security measures, sub-processors, audit rights, and breach notification obligations.

Technical and organizational safeguards are also essential. Encryption, access controls, logging systems, and clear incident response procedures reduce regulatory risk. If the processing involves sensitive personal data or large-scale monitoring, a Data Protection Impact Assessment may be required.

Improper cloud configurations are a frequent trigger for regulatory scrutiny, especially when companies fail to assess international transfer implications.

If your business relies on international cloud infrastructure, consult a Personal data protection lawyer in North Macedonia to structure compliant data transfer mechanisms and reduce enforcement exposure.


Our experience: building frameworks, launching products, and handling audits and disputes

We work with organizations that run on data.

We have supported IT companies that handle large volumes of user data, usage logs, and cloud‑hosted datasets. We also advise on vendor chains and cross‑border transfers as part of day‑to‑day delivery.

We also advise financial companies that process high‑value identity and transactional datasets. These projects often trigger strict governance around identifiers and profiling. 

We also support healthcare providers and healthtech businesses. Health data sits in the LPDP’s “highest sensitivity” zone. In some cases, the law requires prior AZLP approval for health/genetic/biometric processing. 

What we routinely do:

  • build LPDP/GDPR‑style compliance frameworks (policies, registers, vendor contracts, and training),
  • advise on new product launches where privacy risks are not obvious at first (profiling, biometrics, AI, large‑scale analytics),
  • support and represent clients in AZLP supervisions and evidence requests,
  • handle disputes and litigation that involve alleged abuse or misuse of personal data, including compensation exposure. 

Our approach is practical. We combine legal analysis with real operational design. That includes risk modeling, data flows, and measurable controls.

Need Structured Personal Data Protection Advice in North Macedonia?

Personal data protection is no longer just a compliance checkbox. It affects your contracts, cloud infrastructure, HR processes, marketing activities, and cross-border operations.

Professional legal guidance reduces uncertainty and protects your business.

As a Personal data protection lawyer in North Macedonia, we advise IT companies, financial institutions, healthcare providers, and international investors on regulatory compliance, internal documentation, inspections, and litigation involving misuse of personal data.

We combine legal expertise with strong business and technological understanding, allowing us to deliver practical, risk-focused solutions.

📞 Call us: +389 70 257 879
📧 Email: contact@boshnjakovski.com
🌐 Website: www.boshnjakovski.com
