Arben Gudaci, lawyer and personal data protection officer at the Macedonian Young Lawyers Association, and personal data protection consultant, who has worked in the field of personal data protection since 2009.

In 2021 you were the lecturer of many trainings in relation with reconciling the work of legal entities with the Law on Personal Data Protection. What is your opinion, are legal entities ready to complete abide by the Law on Personal Data Protection?  

Starting from February/March up until today, on many trainings I had the opportunity to feel the worry among most legal entities about the new Law on Personal Data Protection’s entry into force from up close.  During these trainings/counseling, the first myth that I believe we destroyed is that with the new law something new and unknown for our legislation and practice is being established, which is not true. Our country since 2005 has passed the Law on Personal Data Protection and most of the bigger companies were in compliance with the “old” Law on Personal Data Protection. The “new” Law practically transposed the General Data Protection Regulation, better known as GDPR, and upgrades the existing personal data protection system. Certainly, there are some novelties in the new Law for which we will need more time to completely adopt and implement, however, it is mainly about upgrading and extending the existing personal data protection systems. I believe that it does not pose a challenge for the larger companies, and many of them have already taken appropriate measures for adjustment, but it poses a real challenge for the medium and small enterprises, as well as for the non-governmental sector. The challenge for these categories of controllers is enormous, starting with the most basic thing, insufficient funds, taking into consideration that we are in the middle of a global pandemic which affects exactly the small and medium enterprises, as well as the non-governmental sector. From all conversations, trainings, and counseling, it is clear that there is a huge will among these categories of controllers, but the challenge is too big. Most of them lack the human resources which would be involved in aligning operations with the Law. Even those enterprises and associations should be trained, prepared for proper implementation of the Law. Therefore, the answer would be that one gets the feeling that larger companies should be able to comply without any difficulty, whereas the small and medium enterprises, as well as the non-governmental sector, are facing greater challenges in the period of compliance with the Law.

What is the best way to help legal entities to translate personal data protection policies into day-to-day practice?

I think that the most necessary thing as assistance for legal entities is preparation of  specific guidelines and instructions for compliance with the Law on specific areas, which would facilitate the adoption and implementation of the personal data protection policies. The starting point must be in the direction of the spirit of the Law on Personal Data Protection, more specifically, to establish a culture of data protection within our daily lives, whether it is a job, use of social networks or online shopping. Also, frequent and purposeful consultations are needed for certain areas, meaning categories of controllers, in order to clear the dilemmas that prevail among legal entities regarding the implementation of legal provisions.

What type of advice would you give to the legal entities and what type to the natural persons regarding the personal data protection?

Regarding legal entities, my advice is not to consider the law as an additional burden, meaning a burden that would additionally aggravate their functioning, but to see it as a huge opportunity, firstly, to protect the data that is the basis for their normal functioning, secondly, to distinguish themselves from the competition by ensuring that the data of their employees, clients and other data processed will be protected and secure, and thirdly, all of our companies providing goods and services in the EU member states have the obligation to comply with the General Data Protection Regulation, and in compliance with our law they are prepared at the same time and on the same scale as their partners in the EU member states. In such a digital world, if we cannot be in front of the competition, we can at least keep up with them.

Regarding natural persons, I think that we must all work on raising the public awareness for one’s personal data protection. If we check the statistics, we will confirm that most of the complaints submitted to the competent authority, the Personal Data Protection Agency, relate to the abuse of personal data when using social media. This situation has been going on for several years, which indicates that we must work harder to raise public awareness, especially among the younger population that is more involved in the use of social media and other tools on the internet.

Secondly, it is also important to mention that this law is adopted with one purpose only which is to protect the personal data of the natural persons and in that context, we should all be aware of our rights when some legal entity is processing our personal data. Whenever our personal data is processed, no matter whether it is collected directly from us or from another legal entity, we have the right to be informed about the identity and contact of the legal entity that collects out data, the purpose/s for which the data is collected, the users of the personal data, where the data are transferred (whether it is transferred outside the country), the time period during which the data is stored, that is, if it is impossible, the criteria used to determine that deadline, the rights that belong to us, such as: the right to access, the right to correction, amendment, deletion, transfer and other rights, as well as the legal basis for processing our data.

Translated by: Emilija Kuzmanovska