Law recommendations by area
Generally, in the insurance area it is necessary to precisely define the categories of personal data collected about the insured, from the introduction of the Personal Identification Number in the Law on Insurance Supervision to the introduction of health-related personal data collected for the electronic health card in the Law on Health Insurance. The categories of personal data should also be precisely defined in the Law on Compulsory Traffic Insurance, in the Law on Pension and Disability Insurance and in the Law on Mandatory Fully Funded Pension Insurance.
The laws in the insurance area should impose an obligation to adopt rules and to apply technical and organizational measures for personal data protection, not only for the internal regulation of the controllers' work, but also for signing agreements with users, for obtaining data from other entities and for keeping records of data processing.
The periods for storage of personal data are not clearly defined for all types of recordkeeping in the laws related to the insurance area. Some of these laws stipulate "the shortest period for storage", which is not in accordance with the Law on Personal Data Protection, because the period should be precisely defined.
The analysis of the Law on recordkeeping in the area of health, the Law on Health Protection and the Law on Protection of Patients' Rights indicates that the provisions on health data recordkeeping, protection of patients' rights and personal data protection apply to the recordkeeping, storage, collection and handling of medical documentation. Taking into consideration how these provisions are applied in practice, every health institution needs to adopt and apply technical and organizational measures for secrecy and protection of personal data.
The periods for storage of personal data stipulated in the laws related to health protection are not clearly defined for all types of recordkeeping. Deadlines for storage of personal data need to be specified.
In accordance with the Law on Health and Safety at Work, the Law on Labor Relations, the Law on recordkeeping in the area of labor and the Law on employment and insurance in case of unemployment, the personal data being processed should correspond to the purpose for which it was originally collected. The categories of personal data are defined in detail for each record separately; however, practice shows that a photocopy of an ID card is collected for more records than stipulated, although this is not envisaged by the law, and this is not in compliance with the principles of personal data protection.
Certain additions and adjustments should be made in the Law on Health and Safety at Work in the area of defining the method of delivery of reports from the health facilities to the employer. Practice shows that there are cases in which the general report is not separated from the results of the conducted examination.
As for the definition and application of technical and organizational measures for secrecy and protection of personal data, it is necessary to clearly establish the responsibility of the employer for creating rulebooks for protection of the personal data of employees and of other stakeholders.
Although some of the employees' personal details being collected may be entered optionally (for example, the ethnicity of an employee should be data that the employee chooses whether or not to provide), the consent of the employee is not stipulated anywhere in the Law. The consent of employees should be stipulated in the law.
The records for employees and records for wages are kept permanently, but other records containing personal data should be linked to the Law on filing.
The extent of personal data processed in accordance with the Housing Law corresponds to the purpose, but practice shows that a large volume of data is published on bulletin boards in buildings. There is no provision in the Housing Law stipulating the publication of a list of tenants (by name and surname) who have not paid for the maintenance of the building, and this data processing is therefore excessive in terms of the objective to be achieved.
A period for storage of data is envisaged only for video surveillance – 30 days. It is necessary to also specify the periods for storage of other personal data.
Although harmonization with the Law on Personal Data Protection is envisaged, the law does not include an article obliging the community of tenants to internally regulate the technical and organizational measures for personal data protection.
In terms of the Law on Real Estate Cadastre, it is necessary to precisely define the categories of data to be collected in the Geodetic-cadastre information system.
The deadlines for storage of the collected personal data must be clearly defined.
Under the Law on Primary Education, the Law on Secondary Education, the Law on Higher Education and the Law on Adult Education, consent of the personal data holders is not envisaged for personal data that is not listed in the categories of data but is collected in practice, i.e. entered in the EMIS software (health data, blood type, personal identification number of the parent). Consent for the processing of this data should be stipulated, as well as the options the software offers for making this data available.
The provision stipulating that the high school collects, processes, stores, sends and uses the data included in the data sets, in accordance with the regulations for personal data protection, for the integrated database maintained by the Ministry, is vague in the part concerning the sending of data. It should define where the data may be sent and under what conditions.
All the deadlines for storing personal data should be defined in all the specified laws and an article about the method of personal data protection should also be added, as stipulated in the Law on Primary Education.
The categories of personal data to be processed are not defined in the Law on Adult Education, although recordkeeping is stipulated. The article only stipulates that the content and form of the documentation and recordkeeping are regulated by the Minister, at the suggestion of the Center, which is not in accordance with the principles for personal data protection.
The analysis of the Law on a special registry for persons convicted of crimes of sexual abuse of minors and pedophilia indicates that the purpose of processing personal data is to protect children from sexual abuse, pedophilia and trafficking in minors by providing information about the people who have been convicted of such crimes and are living in their vicinity.
This is not in accordance with the principles for protection of personal data in terms of the availability of information. The practice in the countries that have such a registry is to limit access to it, i.e. access to the registry is granted only to kindergartens, schools, orphanages and boarding schools.
The scope of the data included in the registry would be appropriate if access were restricted. In the present case, where the register is publicly available, it is necessary to reduce the scope of personal data (initials, year of birth, residential address).
The exclusion from the public registry upon the request of an individual is contrary to the principles for personal data protection. The controller should exclude the data after the deadline expires, regardless of whether the individual requested it or not.
As for the Law on Social Protection, it is necessary to include an article stipulating the application of technical and organizational measures for secrecy and for protection of personal data, and it is also necessary to define the periods for storage of personal data collected for the purposes of this law.
The periods for storage of personal data should be defined for each record separately.
An article should be added, stipulating the application of technical and organizational measures for secrecy and for protection of personal data.
In the Energy Law, it is necessary to define the obligations of operators for adopting rules for the application of technical and organizational measures for the secrecy and protection of the personal data of consumers.
A clarification is needed in the provision relating to the scope of personal data that is collected. The scope is appropriate, except in the part regarding the supporting proof of personal identification. This formulation is ambiguous and also leaves room for keeping photocopies of personal documents, which is not in accordance with the principles for personal data protection.
The periods for storage of personal data should be defined for each record separately.
An article should be added, stipulating the application of technical and organizational measures for secrecy and for protection of personal data.
The Law on Civil Servants stipulates that a registry of civil servants is to be created as a personal data set, but neither the personal data to be processed in this set nor the method of processing is defined. No deadlines for data storage are provided either, and these two laws should be amended in accordance with all the principles for personal data protection.
The subject matter regulated by this law is specific in terms of the application of the principles for personal data protection, and it is not possible to precisely define all the data for persons included in media reports or persons connected to them. However, it is necessary to define precise guidelines for the publication of personal data of the persons included in media reports. This would also set standards for the fair processing of personal data, leading to the introduction of technical and organizational measures for protecting personal data from the media. This law should also stipulate the consent of the data holder.
It is necessary to amend the provision stipulating that the data is provided to the Ministry of Labour and Social Policy, the Employment Agency of the Republic of Macedonia and the Health Insurance Fund of Macedonia, for the purpose of performing their tasks and in accordance with the regulations for personal data protection, only if a bank signs a memorandum of cooperation with these institutions regulating the method by which the data is made available. First, the approach itself is questionable as an activity, and second, so are the grounds for allowing it.
The stipulated signing of a memorandum of cooperation with the institutions in order to obtain data is questionable, as a memorandum does not have the legal force to allow this. It is not a document on the basis of which those most affected, the citizens, can exercise a right or object. This calls into question the seriousness of the banks, particularly since bank secrecy is no longer a secret because of the exception allowing it to be revealed to these institutions.
As for the regulation of payment transactions, under the law the Minister of Finance regulates the payment instruments and their content and form, except for the form of payment instruments included in the transfer media. With this formulation, the content of the payment instruments is left to be determined by a rulebook, which is not in accordance with the principles for personal data protection.
Practice indicates that for payments by natural persons the payment instrument contains a personal identification number, and there are no legal grounds for this.
The Civil Procedure Law contains a provision defining the scope of personal data. The scope is appropriate, except in the part regarding the supporting proof of personal identification. This formulation is ambiguous and also leaves room for keeping photocopies of personal documents, which is not in accordance with the principles for personal data protection.
An additional intervention is required in this law, in order to specify the periods for storage of personal data for each record separately, as well as the technical and organizational measures for secrecy and protection of personal data.
The scope of personal data stipulated in the Law on Enforcement suits the purpose, with the remark that the scope of data for the persons about whom the enforcement agent makes a public announcement is not precisely defined. A citizen's personal identification number is often included in the announcement, and there are no legal grounds for this.
It is necessary to define the periods for storage of personal data for each record separately, and to add an article stipulating the application of technical and organizational measures for secrecy and for protection of personal data.
The categories of personal data processed in the records under the Law on Road Safety are defined in other laws and in rulebooks of the Ministry of Interior. The scope of personal data in the records containing road surveillance footage needs to be fully regulated.
Since video surveillance is regulated by the Law on Personal Data Protection, it needs to be compliant with the principles for fair video surveillance. The goal is clear and justified, but it is necessary to specify the personal data to be collected (the focus of the recording cameras), which police officers will have access to the recorded material, and how it will be sent to the driver or the vehicle owner. The law should also stipulate special notices for drivers at places where a video surveillance system is installed.
Periods for storage should be specified, except for the video surveillance footage, for which the projected period for storage is six months.
The Law does not include an article on personal data protection, hence a specific section on personal data protection, i.e. on the technical and organizational measures guaranteeing the secrecy and protection of the data, needs to be added.