Template Privacy Impact Assessment - ENG

This document provides a template for conducting a data protection impact assessment. It outlines key definitions and requests information about a proposed project or activity that involves personal data processing. The assessment examines whether the project poses a high risk to data subject rights and seeks details on the personal data being processed, its minimization, storage, security and access controls. The goal is to identify and mitigate any risks to personal data from the project before its implementation.

Data Protection Impact Assessment

Assessment №:
Definitions:
* “Data Processing” means: collection, recording, storage, alteration, recovery, disclosure, sharing, unification,
archiving, destruction or otherwise using the personal data.

** “Personal Data” means: any information relating to an identified or identifiable natural person. Personal Data
is not only names or contact details, but also any information that can easily be related to other information held
by the controller so that the natural person can be identified.

*** “The Regulation” – Regulation 2016/679 (General Data Protection Regulation/ GDPR) and Macedonian Law on
Personal Data Protection

Project/activity data that is to be accessed


Manager/Owner/Person responsible for the project:
Name of the project/activity/system:
Sector (for example marketing, business, etc.)
Project sponsor
Data protection officer (name of the data protection officer)
Estimated start date of the project/activity

Basic information for assessing the need of the impact assessment – please circle the correct answer or clarify

Is the Project/ Activity related to personal data processing? Yes/No

If the project/activity is not related to personal data processing, it is not necessary to fill in the remaining questions.

Is the project/activity related to sensitive data (such as data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for
the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s
sex life or sexual orientation)? Yes/No

Do you expect to process personal data of more than 10 000 people during the activity/project? Yes/No

Is the project local or regional/worldwide?

Does the project contain profiling of natural persons and/or automated decision-making (no human interference)? Yes/No

Is the project related to systematic monitoring of a publicly accessible area on a large scale? Yes/No


Is the project/activity related to implementation of a new technology? Yes/No

Is the project/activity related to processing of personal data of vulnerable categories of data subjects (such as
children, employees seeking asylum, mentally ill, elderly, etc.)? Yes/No

Can the project/activity lead to the prevention of the exercise of the rights of the natural persons (is it related to
implementation of a client approval process; to a potential limitation of the access to the product/service, etc.)?
Yes/No. If the answer is “yes”, please clarify

Conclusion: please mark the correct option (if even one of the indicators above is present, this is an indication of high
risk)

Opinion of the owner/the person responsible for the project/activity:

Existence of high risk for the data subjects’ rights under the meaning of art.
35 of the Regulation
No high risk for the data subjects’ rights under the meaning of art. 35 of the
Regulation

Opinion of the data protection officer:


Existence of high risk for the data subjects’ rights under the meaning of art.
35 of the Regulation
No high risk for the data subjects’ rights under the meaning of art. 35 of the
Regulation

The opinion of the data protection officer is not bound by the abovementioned indicators. If his/her opinion states that
there is high risk for the data subjects’ rights, the remaining questions shall be filled in. If, according to the opinion,
there is no high risk for the data subjects’ rights, you need not fill in the remaining questions unless the data protection
officer says otherwise. If necessary, the data protection officer may also request additional information.

Assessment’s revisions

Version № | Author/Prepared by | Date | Description of the changes

Part I

1.0 Full description

1.1 Please describe the project/activity/system in an easily comprehensible language with no technical terms.
Specify in the description how the personal data will be used within the project/activity/system.

1.3 Please specify the purposes for which the personal data will be used.

2.0 Categories of natural persons whose data will be processed


2.1 Please indicate Yes or No against each category if the personal data of the relevant category of people will be
processed
Employees
Persons under civil contracts
Suppliers (natural persons)
Representatives of legal entities or contact persons
Current clients
Visitors to an Internet site
Children (aged up to 14 or 16 years)
Other – please clarify in the field below
Clarification of what "other" categories of persons’ data will be processed:
2.2 Types/categories of personal data that are to be processed

Please enumerate all categories of personal data that are to be collected and processed in relation to the project/
activity/ system. The personal data can be of the following categories: name, personal identification number, contact
data (specify what data – telephone, address, email), data comprised in the CV, etc.

2.3 Will any of the categories of data specified below be processed – please indicate Yes or No against each category

Health (physical or mental)


Employment relations (trade union membership or in other employees’ representative bodies)
Racial or ethnic origin
Political opinions, including political parties membership
Religious beliefs
Criminal past

Sexuality
Biometric data
Genetic data

3.0 Personal data minimization

3.1 Please confirm that all personal data that are to be collected and processed
are actually necessary for achieving the purposes of the project/activity – indicate
Confirmed or Cannot be confirmed

3.2 Please clarify the assessment of the data necessity by specifying why all of the abovementioned data is
necessary for the project/activity/system

4.0 Collection and use of the personal data - please indicate Yes or No
4.1 Will new data of natural persons, which have not been collected until this moment, be
collected?
4.2 Will the available personal data (already collected) be used for new purposes, different
from those, for which the data have been initially collected?

5.0 Data storage

5.1. Where will the personal data be stored? Please specify all applicable options
On paper
Local electronic database/application, information system
Regional electronic database/ application, information system
In a “cloud”

If the personal data is to be stored in information system or electronic database, please answer the questions below

5.2. Please describe in detail the electronic system and how it can be accessed (is it limited and by what
mechanism)

5.3. Who can access the system/database and why?

5.4 In which country/countries is the system/database (the servers) located (stored)?

5.5 Is a data archive of the system/database stored in a country different from the
abovementioned country/countries or is there another country involved in a recovery plan in
case of an accident (disaster recovery plan)? If the answer is Yes, please give an additional
clarification in the field below.

5.6 Is the system/database linked with other systems?

5.7 Will the personal data be accessible for mobile/portable devices that are not owned by
the Controller? If the answer is Yes, please clarify whether the security level is discussed with
Information Security Directorate.

6.0 Data security

6.1 Is the project/activity discussed with Information Security Directorate? Please indicate
Yes or No

If the answer is Yes, please answer the following two questions:

6.2 With whom was the project/activity discussed?

6.3 Have all recommendations of Information Security Directorate been fulfilled and
implemented? Please indicate Yes or No
If the answer is No, please explain why below

7.0 Access to the data

7.1 In which countries will the data be accessed? Clarification: if the data are kept in a system/database, they can be
viewed from different countries. Please enumerate all countries.

7.2 Please specify what controls have been implemented in order to ensure that only the persons that must have
access in order to fulfill the project/activity will access the data.

8.0 Storage term
8.1 Is there a storage term for the personal data, processed in relation to the activity/project? Specify the relevant
term and the internal document it is based on, if applicable.

8.2 Is there a personal data deletion process established after the expiry of the storage term?

9.0 Territorial scope

9.1. Will the project/activity be realized only in Macedonia?


9.2. If the answer to question 9.1. is No, please enumerate the countries in which the
project/activity will be realized.

9.3. Are all the persons whose data is to be processed located in Macedonia?
If the answer to question 9.3. is No, please enumerate the countries in which the persons are located.

10.0 Third-parties participation


10.1 Will any third parties - natural persons and legal entities (outside the Controller) have
access to the personal data, and in this regard will the third party’s personal data be stored or
processed in any other way?
If the answer to question 10.1 is Yes, please answer the following questions:
10.2 Please specify in what capacity the third parties will have access to the personal data (for example supplier,
consultant, etc.). Please indicate the names of the third parties and the services they are to provide in relation to the
project/activity.

10.3 Have the third parties undergone a preliminary examination in relation to personal
data protection (data privacy due diligence)?
10.4 Are the Controller’s clauses on the personal data protection included in the agreements
with third parties (Personal Data Protection Agreement)?
10.5. Please attach the text of the personal data protection clauses that will be or are already included in the
agreement with the third party.
10.6. If the third party is outside the European Union, have the Standard Contractual Clauses approved by the European
Commission been signed? Please attach the text.

Part II
11.0 Information provided to natural persons


11.1 Is there (an approved) template of information that is to be provided to the natural
persons and that is related to the processing of their personal data (information under art.
13 of the Regulation) that can be used for the purposes of the project/activity?
11.2 Please attach the template.

12.0 Consent

12.1 Has an assessment been made of whether it is necessary to obtain the consent of the natural persons for
processing their personal data for the purposes of the project/activity?

12.2 Is there (an approved) consent template that may be used for the project/activity?
12.3 Please attach the template.

13.0 Risks and measures to manage them

13.1 Inspecting the third parties that participate in the project – please indicate if there are identified risks.

If certain risks have been identified, please specify the measures to manage them.

13.2. Personal data protection clauses in the third parties’ agreements – please indicate if there are identified risks.

If certain risks have been identified, please specify the measures to manage them.

13.3. Information provided to natural persons, data subjects and consent of persons – please indicate if there are
identified risks.

If certain risks have been identified, please specify the measures to manage them.

13.4 Data minimization – please indicate if there are identified risks.

If certain risks have been identified, please specify the measures to manage them.

13.5. Access to personal data - please indicate if there are identified risks.

If certain risks have been identified, please specify the measures to manage them.


13.6. Data security - please indicate if there are identified risks.

If certain risks have been identified, please specify the measures to manage them.

13.7. Personal data storage term - please indicate if there are identified risks.

If certain risks have been identified, please specify the measures to manage them.

13.8 International data transfer - please indicate if there are identified risks.

If certain risks have been identified, please specify the measures to manage them.

Approval and assessment

Name and position | Signature | Date
Person who prepared the assessment
Person responsible for the project
Data protection officer
