Contract effective date: September 18, 2024. Runtime consent, request, security, audit, and deployment timestamps remain factual records.
North Macedonia Web, Mobile, AI, and Quantum Compliance Profile
Status: UN Member State
Region: Europe
ISO-3: MKD
Policy effective date: 2024-09-18
Purpose: This page is a product, privacy, security, app-store, AI and quantum launch profile for website, web app and mobile app releases in North Macedonia.
Country-specific legal note
Country-specific privacy, cybercrime, e-commerce, consumer, telecom, tax, sector and AI rules must be verified through official local sources, UNCTAD tracker, DLA reference and local counsel before launch.
This profile intentionally does not pretend to be a final legal opinion. Before production launch, validate current local law, regulator guidance, court rulings, sanctions/export restrictions, telecom rules, consumer protection, tax/indirect tax, health/financial/children rules, AI rules, cryptography rules, and local app-store availability.
Required launch gates for North Macedonia
- Privacy notice gate: publish a clear privacy policy and in-app notice covering categories of personal data, sources, purposes, recipients, retention, user rights, contacts, complaint channels, cross-border transfers, SDKs, AI providers, analytics, ads, and deletion.
- Consent and permissions gate: do not collect or transmit non-essential tracking data, sensitive data, precise location, contacts, photos, microphone, camera, health, biometric or third-party AI data until the product has the required consent/notice/permission flow for this country.
- App-store disclosure gate: reconcile actual code behavior with Apple App Privacy Details, Google Play Data Safety, Samsung Galaxy Store Data Safety, Amazon Privacy Labels, Microsoft Store declarations, Huawei AppGallery privacy statements, and any local marketplace form.
- Security gate: apply OWASP ASVS for web/API, OWASP MASVS for mobile, secure SDLC, dependency scanning, secrets management, encryption, logging, incident response, least privilege, vulnerability disclosure and vendor risk review.
- Breach gate: map breach criteria, regulator/user/media notices, contractual notice, platform notice and health/financial/children escalations before collecting production data.
- Cross-border transfer gate: map where data is stored, accessed and supported; assess transfer mechanism, localization, onward transfer, vendor access and government-access risk before enabling data export.
- Children/youth gate: assess age scope, parental consent, youth safety, age-appropriate design, teen profiling, app content rating and behavioral advertising restrictions.
- Marketing gate: ensure email, SMS, push, telemarketing, personalized advertising, cookies and pixels follow local consent/opt-out and unsubscribe rules.
- Health/financial/regulated-data gate: perform sector classification for HIPAA/HBNR/medical device, banking, insurance, credit, education, employment, telecom or public-sector data.
AI requirements for North Macedonia
- Inventory every AI model, feature, provider, prompt path, training/fine-tuning dataset, output type, logging path and data recipient.
- Classify whether the AI system is prohibited, high-risk, limited-risk, generative, biometric, health/clinical, employment, education, credit, essential service, law-enforcement, children-facing or public-sector.
- Disclose material AI use in the product and policy. Do not imply professional, medical, legal, financial or therapeutic advice unless the product is properly qualified, reviewed and licensed.
- For third-party AI providers, block transmission of personal or sensitive data until the privacy notice, consent/permission, DPA, vendor review, retention controls and app-store labels are complete.
- Provide human review, appeal, correction and contestability for high-impact automated decisions where required.
- For generative AI, provide in-app reporting/flagging, moderation, abuse prevention, labeling where required, safety testing and incident response.
Quantum and post-quantum security requirements for North Macedonia
- Maintain a cryptographic inventory covering TLS, certificates, signatures, key exchange, stored backups, messaging, mobile keystores, firmware, cloud KMS, API signing, identity tokens and long-lived secrets.
- Identify long-lived confidential data vulnerable to harvest-now-decrypt-later risk, especially health, government ID, biometrics, children, finance, trade secrets, legal privilege, national security, hospital and critical infrastructure data.
- Build cryptographic agility before claiming quantum readiness. Favor standards-based migration planning referencing NIST FIPS 203, FIPS 204 and FIPS 205 where appropriate.
- Do not market the product as “quantum-proof,” “unbreakable,” “military-grade,” or “fully compliant” unless counsel and security leadership approve substantiation.
Evidence required before launch
- Country launch approval record.
- Data inventory and SDK inventory.
- Privacy policy, in-app notices and app-store disclosure screenshots.
- DPIA/PIA, transfer impact assessment and AI risk assessment where applicable.
- Vendor/subprocessor contracts and DPAs.
- Security test results, OWASP checklist and vulnerability remediation evidence.
- Consent, opt-out, rights request, deletion and account-closure test evidence.
- Local counsel memo or documented risk acceptance for any uncertain country-specific obligation.