Документи | Personal Data Protection

Ss. Cyril and Methodius University in Skopje (hereafter referred to as the University) collects, stores, and processes personal data as part of its educational and scientific activities.

From the perspective of personal data protection: The University acts as the Data Controller, and Data Subjects include prospective students, enrolled students (past or present), and employees (past or present).

The procedure describes how a data subject can request information about the scope and purpose of the processing of their personal data, as well as how to request the modification, supplementation, or deletion of certain personal data.

– Tasks performed in the public interest or under the official authority of the University or a third party to whom the data is disclosed, or

– Legitimate interests of the University, a third party, or the data subject,

the data subject has the right to request the cessation of such processing if their rights and freedoms override these interests.

If the request is valid, the University must stop further processing of the personal data.

A special form, Request to Cease Processing Personal Data (Appendix 2), is available on the University’s website.

The completed form can be submitted to the data subject’s primary unit (faculty, institute, or affiliated member) or to the Rectorate, where it will be forwarded to the Data Protection Officer. The officer gathers the required information and provides a response to the request.

If a data subject requests, or if the University determines that personal data is incomplete, inaccurate, outdated, or not being processed in compliance with legal provisions, the University is obligated to modify, supplement, delete, or cease using the personal data.

Data subjects may document their requests using a special form, Request to Modify, Supplement, or Delete Personal Data (Appendix 3), which is available on the University’s website.

The completed form can be submitted to the data subject’s primary unit (faculty, institute, or affiliated member) or to the Rectorate, where it will be forwarded to the Data Protection Officer. The officer gathers the required information and provides a response to the request.

The University is obligated to notify the data subject, data users, or third parties to whom the data was disclosed of the modifications, supplements, or deletions within 30 days of receiving the request. This notification is waived only if it is impossible or requires disproportionate effort or expense.

The rights of data subjects outlined in the previous sections may be restricted in specific cases where their exercise would jeopardize the University's legal obligations. These cases include:

• Protection of national security and defense;
• Detection and prosecution of criminal offenses;
• Protection against breaches of ethical rules of a particular profession;
• Protection of significant economic or financial interests of the state;
• Protection of significant economic or financial interests of the European Union;
• Protection of the rights and freedoms of the data subject or the rights of other individuals.

The University may deny requests for information on personal data processing when authorized by law, especially if personal data is processed exclusively for scientific research or collected solely for statistical purposes, provided it is retained only as long as necessary for these purposes.

When personal data is collected directly from the data subject, the subject must be informed about:

• The identity of the data controller and their authorized representative (if any) in the Republic of North Macedonia;
• The purposes of data processing;
• The recipients or categories of recipients of personal data;
• The mandatory nature of providing responses to questions involving personal data;
• The potential consequences of not providing a response;
• The existence of the right to access and rectify their personal data.

When personal data is not collected directly from the data subject, the University must inform the subject at the time the data is recorded or, if the data is to be disclosed to a third party, no later than the first disclosure. The subject must be informed about:

• The identity of the data controller and their authorized representative (if any) in the Republic of North Macedonia;
• The purposes of data processing;
• The categories of data;
• The recipients or categories of recipients of personal data;
• The existence of the right to access and rectify the data.

The University is not obligated to inform data subjects about the processing of personal data for historical, scientific, or statistical purposes if:

• It is impossible or requires disproportionate effort or cost;
• The collection or disclosure of personal data is legally prescribed.

A data subject may request the University to provide information about:

• Whether their personal data is being processed;
• The purposes and legal basis for processing personal data and the recipients or categories of recipients to whom the data is disclosed;
• The personal data relating to them and the source of the data;
• The logic behind automated data processing, in cases where automated decisions affect the data subject.

To facilitate this, a specific form, Request for Information on Personal Data Processing (Appendix 1), is available on the University’s website.

The completed form can be submitted to the data subject’s primary unit (faculty, institute, or affiliated member) or to the Rectorate, where it will be forwarded to the Data Protection Officer. The officer gathers the required information and provides a response to the request.

The University is required to respond to a properly submitted request within 15 days from the date of receipt.

If the University has previously responded to such a request, it is not obligated to respond again to the same or similar requests unless there have been changes to the personal data, or at least six months have passed since the last request.

Documents