The new Data Protection Law (“DPL”) has been adopted and announced in 2020, following, almost the whole content of the General Data Protection Regulation Directive (“GDPR”), especially regarding the territorial scope of the law, the obligation for DPO appointment, the obligations of data controllers and data processors, the performance of data impact assessment, the notification upon data breach, etc..
Similar as GDPR, the DPL has determined for the data controllers and data processors, an 18-month period for compliance to its provisions. In addition, the same period has been aimed for adoption of the by-laws, so the Data Protection Agency (the legal successor of the Data Protection Directorate) (the “Agency”) has adopted such acts during May 2020, so the legal framework in this field has been completed. Changes to DPL has been adopted at the end of December 2021, but the same were aimed for terminologically compliance to the current provisions. In the same period, standard contractual clauses for the processing agreements concluded between controller-processor, as well as clauses for the purposes of data transfer towards third countries have been adopted by the Agency.
The prescribed period for compliance with the DPL has expired on August, 24 2021, and afterwards as announced by the Ministry of Justice of RNM, the same period has been extended for additional six months period when the targeted controllers and processors have not been subject of imposing fines by the Agency, in events then the Agency is aware (by its own initiation or as a result of filed request by third parties) that some of them are not in compliance to the provisions of DPL.