Macedonia: Monitoring Data Subjects Within Jurisdiction

The Law on Personal Data Protection (LPDP) of Macedonia uses the factor of monitoring data subjects within its jurisdiction to extend its territorial scope to controllers and processors not established in Macedonia.

Text of Relevant Provisions

LPDP Art.3(2)(ii):

"(2) Provisions of this Law apply to the processing of personal data of data subjects from the Republic of North Macedonia by a controller or processor not established in the Republic of North Macedonia, where the personal data processing activities are related to: the monitoring of the data subject behaviour as far as their behaviour takes place in the Republic of North Macedonia."

Analysis of Provisions

The LPDP extends its territorial scope beyond controllers and processors established in Macedonia to include those not established in the country, provided they engage in specific activities related to Macedonian data subjects. One of these activities, as stated in Article 3(2)(ii), is "the monitoring of the data subject behaviour as far as their behaviour takes place in the Republic of North Macedonia".

This provision is significant because it allows the Macedonian data protection law to apply to foreign entities that monitor the behavior of Macedonian residents within the country's borders. The key elements of this provision are:

  1. The controller or processor is not established in Macedonia.
  2. The processing activities involve monitoring behavior.
  3. The monitored behavior takes place in Macedonia.
  4. The data subjects are from Macedonia.

The law does not provide a specific definition of "monitoring," which leaves room for interpretation. However, it likely encompasses various forms of online tracking, surveillance, or profiling activities that observe and analyze the behavior of individuals within Macedonia.

Implications

This provision has several important implications for businesses and organizations:

  1. Extraterritorial reach: Foreign companies that monitor Macedonian residents' behavior within the country must comply with Macedonian data protection law, even if they have no physical presence in Macedonia.
  2. Online services: This likely applies to many online services, such as social media platforms, e-commerce websites, or mobile apps that track user behavior for purposes like targeted advertising or user experience optimization.
  3. IoT and smart devices: Companies offering Internet of Things (IoT) devices or smart home technologies that collect data on user behavior within Macedonia may fall under this provision.
  4. Compliance requirements: Foreign entities engaged in monitoring activities must ensure they comply with all aspects of the Macedonian LPDP, including data subject rights, data protection principles, and potentially the appointment of a representative in Macedonia.
  5. Potential for enforcement: The Macedonian data protection authority may have grounds to take enforcement action against foreign entities that fail to comply with the LPDP when monitoring Macedonian residents.
  6. Risk assessment: Companies operating globally need to assess whether their activities constitute "monitoring" of Macedonian data subjects and, if so, ensure compliance with Macedonian data protection law.

This provision aligns Macedonia's data protection law with similar extraterritorial provisions in other jurisdictions, such as the EU's General Data Protection Regulation (GDPR). It reflects a growing trend in data protection legislation to protect citizens' data rights regardless of the geographical location of the data controller or processor.

