Book of Rules for Personal Data Protection

                                                                                                                       Macedonian Bank for Development Promotion


In accordance with Article 62 of the Statute of the Macedonian Bank for Development Promotion AD Skopje, and pursuant to the Personal Data Protection Law (Official Gazette of RM no. 7/05, 103/08 and 124/10), the Board of Directors of the Bank adopted this Book of Rules.


Article 1

The Book of Rules for personal data protection regulates the protection of personal data as fundamental freedom and human right, and in particular the right to privacy with respect to the processing of personal data in the Macedonian Bank for Development Promotion (hereinafter: MBDP).


Article 2

In the Personal Data Protection Law and this Book of Rules the terms have the following meaning:

  1. Personal data means any information relating to an identified or identifiable natural person, and identifiable person means a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to person’s physical, physiological, mental, economic, cultural and social identity;
  2. Processing of Personal Data means any operation or set of operations which is performed upon personal data, by automatic means or otherwise, such as collection, registration, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, publishing or otherwise making available, alignment, combination, blocking or destruction;
  3. Personal data filling system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  4. Data subject means any natural person to whom the processed data relate;
  5. Controller means Macedonian Bank for Development Promotion AD. The controller determines the purposes and means of the processing of personal data;
  6. Processor of personal data means a natural or legal person, or public authority which processes personal data on behalf of the controller;
  7. Third party means any natural or legal person other than the data subject, the controller, the processor and the person who, under the direct authority of the controller or the processor, are authorised to process the data;
  8. Recipient means a natural or legal person, public authority or other body to whom data are disclosed for performing regular operations in accordance with law;
  9. Consent of the data subject means any freely and explicitly given statement of the data subject’s wishes, by which the data subject consents to the processing of personal data relating to him for previously defined purposes;
  10. Special categories of data means personal data revealing racial or ethnic origin, political opinions, religious, philosophical or other beliefs, trade union membership, and data concerning people’s health, including genetic data, biometric data or data related to sex life.


Article 3

As a rule, processing of personal data shall be made on a basis of a previously obtained consent of the data subject. As an exception, data may be processed without the data subject’s consent for performance of a contract to which the data subject is party or at a data subject’s request prior to entering into a contract, for compliance with a legal obligations to which the Bank is subject and in other cases laid down by law. Personal data in MBDP are processed in accordance with law, for specified, explicit and legitimate purposes and are processed in a way compatible with those purposes.

Article 4

MBDP shall provide full confidentiality, integrity, availability and protection of personal data and to any natural person shall guarantee for the protection of the personal data without discrimination based on person’s nationality, race, colour of the skin, religious beliefs, ethnic belonging, sex, language, political and other convictions, material position, birth origin, education, social origin, citizenship, place and type of residence or any other personal characteristics.

Article 5

MBDP processes the personal data of the Bank employees with respect to the employment contract and the personal data of the members of the Supervisory Board and other bodies of the Bank for identification and fulfilment of the rights and obligations of the data subjects.
For processing the data referred to in paragraph 1 of this Article, consent of the data subject is not necessary.

Article 6

 MBDP shall not process any special categories data.
Notwithstanding the provision of paragraph 1 of this Article, the Bank shall process special categories data, if necessary, for:

  • Carrying out the specific rights and obligations of the controller in the field of labour rights, to the extent and with appropriate guarantee set by laws referring to this matter;
  • Protection of the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent;
  • Performing activities of  public interest set by law or on a basis of a decision by the Office for Personal Data Protection;

 Article 7

The identification number of an individual may be processed only with prior explicit consent of the data subject and for exercising the legal rights and obligations of the data subject or MBDP and in other cases laid down by law.
MBDP shall ensure that identification number of an individual is not unnecessarily visible, published or taken over from the personal data filling system.

Article 8

Personal data may be received and processed only by the authorised officer in MBDP in accordance with special decision passed by the Bank Board of Directors.
The MBDP authorised officer may use the received and processed data only for the purposes for which the data were collected and in a manner compatible with those purposes.


Article 9

In order to protect the life and health of employees, prevent an unauthorised entry in the Bank and in particular in the information system of the Bank, and to protect its property, the Bank is under surveillance.
The Bank has 24 hours surveillance of the entry in the Bank building and its premises.
The video surveillance is automated and the storage duration of the recording solely depends on the size of the operating memory of the PC used for surveillance, since there is an automatic erasure and rerecording on the available memory, but in any case can not be longer than 30 days. Erasure takes place in sequence, starting with the oldest data.


Article 10

The Bank keeps records of entrance and exit of third persons in order to protect the property, life or body of the Bank employees and visitors and for maintaining order in the premises.
Track records of check-in and check-out in the Bank are kept by taking name and surname of the visitor and the employee he is visiting. If necessary, personal data of the visitor may be checked against his personal identity document.
Track records referred to in the previous paragraph shall be kept for one year.


Article 11

MBDP shall, at the time of collection of personal data from the data subject, provide the latter with the following information:

  • the identity of the controller and his contact details,
  • the purpose of the data processing,
  • the recipients or the category of recipients of the personal data,
  • the obligation  to provide reply to the questions,
  • the possible consequences of failure to reply,
  • the existence of the right of access to and rectification of the data.

MBDP shall not inform the data subject, if he already has the data referred to in the previous paragraph.
In case the collection of data referred to in paragraph 1 of this Article is carried out by a Questionnaire, the Questionnaire must stipulate if the questions are obligatory or voluntary, the possible consequences of failure to reply, data about the recipient and the right to agree with the data processing.
MBDP shall inform the data subject for the right of access and rectification of the data, if necessary, taking into account the specific circumstances of data collection, in order to enable fair processing of his data.


Article 12

MBDP shall be obliged to provide data confidentiality and security, and to process the data in accordance with its authorisations. MBDP authorised officers who have right to access or process the personal data, must not disclose them, i.e. they should disable the access of the unauthorised persons to the personal data. Obligation of the MBDP employees to protect the personal data shall continue after termination of the position, employment, carrying out operations related to personal data processing.

 Article 13

MBDP shall not use the personal data for the purpose of advertising.

Article 14

In order to provide secrecy and protection of the personal data processing, MBDP shall implement appropriate technical and organizational measures to protect personal data  against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves transmission of data over a network, and against all other unlawful forms of processing. MBDP shall implement appropriate administrative, technical and physical measures and controls in compliance with the established security standards of the information system, appropriate to the risks represented by the processing and the nature of the data to be protected.
Special data categories and identification numbers may be transmitted over telecommunication networks only if they are specifically protected by appropriate methods making them unreadable during transmission.

Article 15

MBDP shall store and protect the personal data pursuant to the provisions of the Law on Personal Data Protection and this Book of Rules. The Bank Board of Directors shall give authorisation to persons who will process the personal data in the Bank. The authorised person for personal data processing must know the principles for safety of personal data prior to his access to personal data and must process data in accordance with Bank instructions, unless otherwise stipulated by law. MBDP shall keep records of the employees authorised for data processing. The Board of Directors appoints a data protection officer whose responsibilities are defined by law.


Article 16

MBDP shall keep filling system of the personal data of the employees and  filling system of the members of the management and other bodies of the Bank. If necessary, other filling systems may be kept at MBDP.

Article 17

MBDP shall keep the personal data of the Bank employees for a period of 45 years. Personal data of the members of the management bodies and other bodies of the Bank shall be kept as long as they serve the purpose they were processed for. Personal data of the entities related to the credit agreements and business relations of the Bank shall be kept until the end of the obligation established by each agreement.


Article 18

MBDP shall not provide transfer of personal data to third countries. As an exception, MBDP may provide transfer of personal data in accordance with Article 33 of the Law on Personal Data Protection.


Article 19

MBDP shall disclose personal data to recipients on a basis of a written request by the recipient, if the data are needed for carrying out operations within the legitimate responsibilities of the recipient and if their disclosure is not forbidden by law.


Article 20

Provisions of the Law on Personal Data Protection shall apply to the matters not regulated herein.

 Article 21

This Book of Rules for Personal Data Protection shall enter into force on the date of its adoption by the Bank Board of Directors.



Adopted: December, 2010
Last amended: 02.03.2012, Decision on amending the Book of Rules for Personal Data Protection