The Law on Personal Data Protection (LPDP) of Macedonia extends its applicability to foreign entities offering goods or services to data subjects in Macedonia.

Text of Relevant Provisions

LPDP Art.3(2)(i):

"(2) Provisions of this Law apply to the processing of personal data of data subjects from the Republic of North Macedonia by a controller or processor not established in the Republic of North Macedonia, where the personal data processing activities are related to: the offering of goods or budgets, irrespective of whether a payment of the data subject from the Republic of North Macedonia is required, or"

Analysis of Provisions

The LPDP extends its territorial scope to include non-Macedonian controllers and processors who process personal data of Macedonian data subjects when offering goods or services. This provision is designed to ensure that Macedonian data subjects are protected even when engaging with foreign entities.

Key elements of this provision include:

1. It applies to controllers or processors "not established in the Republic of North Macedonia"
2. It covers the processing of personal data of "data subjects from the Republic of North Macedonia"
3. It relates to "the offering of goods or budgets"
4. It applies "irrespective of whether a payment of the data subject from the Republic of North Macedonia is required"

This provision aims to capture foreign entities that target the Macedonian market, regardless of whether they have a physical presence in the country. The inclusion of "budgets" alongside goods is noteworthy and may be interpreted to include services, although this is not explicitly stated.

The clause "irrespective of whether a payment of the data subject from the Republic of North Macedonia is required" is particularly important. It means that the law applies even to free goods or services offered to Macedonian data subjects, ensuring comprehensive protection regardless of the commercial nature of the offering.

Implications

This provision has significant implications for foreign businesses targeting the Macedonian market:

1. Extraterritorial application: Foreign companies offering goods or services to Macedonian data subjects must comply with the LPDP, even if they have no physical presence in Macedonia.
2. Broad scope: The law applies to both paid and free offerings, capturing a wide range of business models, including free online services that process user data.
3. Market targeting: Companies that specifically target the Macedonian market, for example through Macedonian-language websites or Macedonia-specific marketing, are likely to fall under this provision.
4. Compliance requirements: Foreign entities must ensure they have appropriate data protection measures in place when processing personal data of Macedonian data subjects, potentially including appointing a representative in Macedonia.
5. Potential enforcement challenges: While the law asserts its applicability to foreign entities, practical enforcement against companies with no physical presence in Macedonia may present challenges.

This extraterritorial scope aligns Macedonia's data protection framework with modern digital economy realities, where cross-border data processing is common. It aims to ensure that Macedonian data subjects enjoy consistent protection regardless of the location of the entity processing their data.