On December 23, 2024, the Personal Data Protection Agency (AZLP) adopted a new Rulebook on Security of Personal Data Processing, which will enter into force on July 1, 2025. The previous rulebook (Official Gazette No. 122/2020) will cease to apply on June 30, 2025.
This regulatory change introduces clear technical and legal standards for all data controllers and processors in North Macedonia.
What does the new rulebook on security of personal data processing require?
All entities that process personal data—whether manually or automatically—must establish a structured information security framework, including:
A documented information system that defines processing purposes, data types, infrastructure, and verification procedures;
Technical and organizational measures that ensure:
- Confidentiality, integrity, and availability of data,
- Data minimization,
- Traceability of all activities,
- Fairness and transparency in processing,
- Mechanisms for timely intervention in case of risk.
Organizations are also expected to periodically assess the effectiveness of these measures and update them in response to newly identified threats.
Risk assessment methodology – a key requirement
One of the most important elements of the new rulebook is the mandatory risk assessment methodology, which must be:
- Structured and documented;
- Designed to identify and evaluate risks to the rights and freedoms of data subjects;
- Focused on the likelihood and impact of each risk;
Regularly updated—at least once per year.
AZLP offers a sample methodology, but organizations may also adopt other recognized European frameworks if they meet the same standard of care.
Documentation and templates
To support compliance, the rulebook includes a set of standardized templates and tools, such as:
- Risk assessment template;
- Catalog of technical and organizational measures;
- Incident response plan;
- Data processor and sub-processor register;
- System security declaration.
These serve both internal governance and as required documentation in the event of a regulatory audit.
Closing arguments
From July 1, 2025, compliance with personal data security standards in North Macedonia moves from being optional to essential. The rulebook demands not only formal documents but a culture of accountability and preparedness.
Is your organization ready for personal data security standards ?
If you’re unsure whether your current practices meet the new legal and technical requirements, we offer support in:
- Drafting your risk assessment methodology;
- Preparing internal documentation and policies;
- Conducting staff training and implementation sessions.
Contact us
