Data protection & privacy laws in North Macedonia (2026)

The LPDP (Official Gazette No. 42/20, amended by 294/21 and 101/25) entered into force on 24 February 2020 and closely mirrors the GDPR in structure, scope, and core obligations — reflecting North Macedonia's EU accession candidate status.

The Agency for Personal Data Protection (AZLP) is an independent state body accountable to the Parliament of North Macedonia. It supervises data processing legality, investigates violations, and can impose fines of up to 2% or 4% of total annual global turnover depending on the severity of the infringement.

The LPDP goes beyond GDPR in two notable ways: processing of a data subject's personal identification number (PIN) requires explicit consent unless mandated by law, and processing for direct marketing purposes requires consent in all cases (no legitimate-interest basis permitted).

Data Protection Officers must be appointed for public authorities and controllers whose core activities involve large-scale systematic monitoring or processing of special categories of data. A North Macedonia-specific requirement mandates that the DPO be fluent in the Macedonian language and hold a higher educational degree.

On 14 May 2025 the Assembly passed an amendment (Official Gazette No. 101/25) extending the list of countries exempt from third-country data transfer restrictions to all NATO member states, previously limited to EU/EEA countries. Controllers transferring data to NATO countries must still notify the AZLP.

A new Rulebook on the Security of Personal Data Processing (Official Gazette No. 266/2024) became applicable on 1 July 2025, introducing detailed technical and organisational security requirements for data controllers and processors operating in North Macedonia.