The Personal Data Protection Officer (hereinafter the Officer) plays a key role in establishing and maintaining a personal data protection system for companies, non-profit organizations, government agencies or individuals who use the personal data of individuals for their own (commercial) purposes. Such entities are the so-called controllers; entities that use the personal data of individuals for the needs and purposes of a controller are processors.
The Officer is the point of contact for all issues related to personal data, whether they come from the management of the company/institution, from citizens (i.e. data subjects) or from the Agency for Personal Data Protection.
Because of this exposure, everyone who has come into contact with personal data protection regulations in any way has encountered the function of the Officer. Despite this, there are often misunderstandings in the public about which institutions and companies must appoint an Officer, who can be an Officer, what their tasks are, what their responsibilities are, etc. This article therefore provides answers to the most frequently asked questions about the Officer, in order to promote and advance the protection of citizens' personal data.
Which companies and institutions are obliged to determine the Officer?
The obligation to determine the Officer was established for the first time with the 2010 amendments to the old Law on Personal Data Protection, which means that this obligation has existed in our country for more than 11 years. With the enactment of the new Law on Personal Data Protection, the obligation to determine the Officer remained, but underwent significant changes, in order to comply with the General Data Protection Regulation, better known as the GDPR.
With the entry into force of the new Law in August 2021, for some companies, the obligation to determine an Officer ceased to apply, while for others it began to apply.
In general, the entry into force of the new Law on Personal Data Protection has reduced the number of companies that are obliged to determine an Officer. This is because, under the new Law, the obligation to determine an Officer depends only on the core activity of the company and the volume of personal data processing. As a result, a company with a large income and a large number of employees may not be subject to the obligation to appoint an Officer.
According to the new law, the number of employees is no longer a decisive factor for the obligation to determine the Officer. The number of employees was a criterion for determining the Officer according to the old Law, namely every company that had more than 10 employees was obliged to determine the Officer, regardless of the volume of personal data processing.
It is also worth noting that, with the new Law, associations established for political, philosophical, and religious or trade union purposes are no longer explicitly released from the obligation to determine an Officer, as was the case with the old Law. The general rules for determining the Officer now apply to these associations.
When we talk about the general rules, according to the current Law there are three cases in which the obligation to determine an Officer applies, namely when:
- the processing of personal data is performed by state bodies;
- the core processing activities, due to their nature, scope and/or purposes, require, to a large extent, regular and systematic monitoring of data subjects; or
- the core activities consist of extensive processing of special categories of personal data or of personal data related to criminal convictions and criminal offences.
According to the above, all state bodies established in accordance with the Constitution and the Law, institutions that perform activities in the field of education, science, health, culture, labour, social protection and child protection, sports, as well as in other activities of public interest determined by Law, and organized as agencies, funds, public institutions and public enterprises established by the state or the municipalities, are obliged to appoint an Officer.
When it comes to companies, most fall under the second case, i.e. their core activities require regular and systematic monitoring of data subjects. This means that if a company regularly processes personal data in order to carry out its primary business activity, then that company is obliged to determine an Officer.
Examples of business activities where as a rule there is regular processing of personal data are retail (physical and electronic), marketing activities (direct marketing, bonus cards, prize games…), delivery and postal services, travel services, services for accommodation, financial, legal, accounting, energy, health services, etc.
Due to the development of technology, even in business activities where as a rule there is no extensive processing of personal data, such as production and wholesale, large collections of personal data are increasingly processed through various tools, such as Customer Relationship Management (CRM) tools.
On the other hand, the processing of personal data for other, secondary purposes, which may also be ongoing, is not a key factor in the obligation to determine an Officer. In this regard, the processing of personal data for human resources is a secondary function, and if a company processes personal data exclusively for the needs of its own human resources, and not for its core business, that company may not be subject to the obligation to determine an Officer. It should be noted again that, according to the new Law, the number of employees is no longer a decisive factor for the obligation to determine an Officer, unlike under the old Law.
However, if personal data is processed for other secondary purposes that are specifically regulated by Law, such as video surveillance, GPS monitoring, transfer of personal data abroad, etc., it is advisable to determine an Officer – not because of a legal obligation, but because it makes compliance with other specific obligations easier, such as collection management, periodic evaluation, technical and organizational measures, etc.
In any case, both the decision to determine and the decision not to determine an Officer have certain consequences, so these decisions should be the result of a detailed analysis of all circumstances. If changes occur in the company's operations after the decision has been made, the decision should be reconsidered.
The decision not to determine the Officer, in accordance with the principle of accountability, should be documented, i.e. supported by documents, from which it will be possible to show compliance with the Law at any time.
On the other hand, the Decision determining the Officer should be kept in the archives of the company/institution, and may be submitted to the Agency for Personal Data Protection, which keeps a register of Officers. The contact details of the Officer should also be made public by the company/institution, which should also notify the Agency for Personal Data Protection with an appropriate letter. The letter should contain the name and seat of the company/institution, the name and surname of the Officer and their e-mail address and telephone number.
Who can be appointed as an Officer?
The answer to this question is given in the Law on Personal Data Protection, which stipulates that the Officer can be a person who:
- meets the conditions for employment,
- actively uses the Macedonian language,
- at the moment of appointment, has not been subject to a penalty or misdemeanor sanction imposed by a final court verdict, nor to a prohibition on performing a profession, activity or duty,
- has completed higher education, and
- has acquired knowledge and skills regarding the practices and regulations for personal data protection, in accordance with the legal provisions.
It often happens that, among the employees of the controller/processor, there is no person with higher education or with knowledge of the personal data protection regulations; the Law therefore leaves open the possibility of appointing an external person as Officer on the basis of a service agreement.
Whether an internal or an external person is designated as the Officer, that person may perform other tasks and duties, as long as those tasks do not lead to a conflict of interest with their tasks as an Officer. Persons who by definition cannot be appointed as an Officer due to a conflict of interest are the management of the company/institution (manager, director, board of directors, etc.), the information system administrator, and external persons who act as processors, such as accountants, suppliers, etc.
It is important that the Officer is independent in carrying out their tasks and reports directly to the highest management level of the company/institution. For this reason, in the case of an internal Officer, it is recommended that the person is not employed in the hierarchically lowest positions and does not come into daily contact with personal data.
In practice, the question is often asked whether an employee's consent is required for them to be appointed as the Officer, and whether that relationship should be regulated by a separate agreement between the company/institution and the Officer. These issues are not regulated in the Law on Personal Data Protection, so they are regulated according to the circumstances of each case.
What are the tasks of the Officer?
The main tasks of the Officer are to monitor the internal compliance of the company/institution with the personal data protection regulations, to inform and advise the company/institution on the fulfillment of its personal data protection obligations, to advise the company/institution on requests from citizens, to provide advice on data protection impact assessments, and to act as a contact point for citizens and the Agency for Personal Data Protection.
As a rule, the Officer should be an independent expert whom the management of the controller, the staff, the data subjects and the Agency can consult. The role of the Officer is especially important in technologically advanced controllers that use the latest technologies for personal data processing, such as automated individual decision making, profiling, artificial intelligence, employee performance measurement systems, programs that distinguish humans from machines (CAPTCHA), etc.
Given the seriousness of violations in the field of personal data protection, it is in the interest of the company/institution itself to have an Officer who is an independent expert and who constantly monitors developments in technology as well as changes in the regulations in this area. Since technology, and with it best practices for personal data protection, is changing rapidly, the company/institution should enable the Officer to regularly attend training organized by the Data Protection Agency or other experts in the field.
Despite the seriousness of the tasks performed by the Officer, the ultimate responsibility for compliance with the Law on Personal Data Protection lies with the company/institution. According to the Law, the Officer is not personally responsible for the compliance of the company/institution with the regulations for personal data protection. In this regard, the role of the Officer is consultative, and the final decision is made by the company/institution.
When talking about the role and tasks of the Officer, a distinction should be made between the Officer and the information system administrator. In general, the information system administrator has a narrower and more technical field of action: they are the person authorized for information system security. The role of the administrator is not regulated directly in the Law on Personal Data Protection, as it arises as a practical need only for certain controllers that operate a complex information system.
For this reason, the rights, obligations and responsibilities of the administrator are additionally regulated in the bylaws of the controller/processor. Most often, the administrator does not have a consultative role but executes decisions from a technical point of view, which usually includes granting and withdrawing privileges to access the information system, password management, management of encryption/decryption keys and server room keys, deletion of electronic system data, blocking access to non-essential web pages, etc.