NCPDP Newsletter No. 3 for the period November 2019 – January 2020
1. Information and training activities performed by NCPDP
Between November 2019 and January 2020, the NCPDP and the EU Twinning Project experts organized 20 training courses in the field of personal data protection for a total of 680 participants from different public and private entities.
In this context, we list below some of the training activities organized by the representatives of NCPDP and EU Twinning Project experts:
• Ministry of Finance – 30 civil servants;
• Parliament of the Republic of Moldova – 40 participants;
• Comrat Court of Appeal – 23 employees;
• Ministry of Health, Labor and Social Protection – 60 participants;
• College “Alexei Mateevici”, Chișinău – 110 students;
• General Directorate for Education, Youth and Sports, Chișinău – 84 participants;
• Chișinău Court – 30 participants;
• Ministry of Justice – 23 employees;
• Republican Center for Children and Youth ARTICO – educational hour for children aged 7-14 – 40 children;
• Free International University of Moldova – 53 students, third year, Law Faculty;
• Awareness campaign for parents and children “Protect your child in the online environment”, carried out in collaboration with the General Police Inspectorate of the Ministry of Internal Affairs, the mobile network operator “Moldcell” and the Public Association “Solidary Parents” – 66 parents;
• Informational event for students on the occasion of European Data Protection Day – “Right of access to information and the right to privacy”, with the participation of final-year students from the Law Faculty of the Free International University of Moldova and students from the Faculty of Journalism of Moldova State University, as well as representatives of civil society (“Promo-Lex”, “Center for Legal Resources”, “Centre for Investigative Journalism”, etc.) – 14 participants;
• Training course for employees of “Moldcell” – mobile network operator – 45 participants;
• Awareness event for children – “Personal Data Protection expressed by drawing” – 24 children from ARTICO.
During these training actions, the representatives of the NCPDP specified the general rules on personal data protection, the principles of personal data processing, as well as a series of recommendations:
• the need to ensure an adequate level of security and confidentiality of personal data;
• the need to protect children in the online environment and to limit their access to social networks (Facebook, Twitter, Instagram etc.);
• the need to develop and implement appropriate measures in order to establish the mechanism for keeping records of personal data processing operations;
• the need to comply with the data minimization principle, i.e. limiting the categories and volume of personal data processed to those strictly necessary to fulfill the purpose(s) for which they were collected.
2. Activity of Control of NCPDP
During the reference period, the NCPDP carried out 109 investigations of data controllers in both the private and public sectors, in order to verify the lawfulness of the personal data processing performed. Of these 109 investigations, 8 were initiated on the NCPDP’s own initiative (self-notification) in connection with alleged processing of personal data not in accordance with the rules in the field of personal data protection. Of the 109 investigations, 7 cases were finalized: a violation of the legal provisions was found and contravention fines were applied by the courts, in the total amount of 13 thousand MDL. The other cases are still under investigation.
At the same time, during the same reference period, the NCPDP received 231 complaints that led to investigations in order to resolve them. In general, the complaints concerned the following issues:
• achievement of the rights of data subjects – 45 complaints;
• processing of personal data through video surveillance devices – 39 complaints;
• processing of personal data in the absence of the data subject’s consent – 32 complaints;
• processing of personal data through disclosure on social networks – 24 complaints;
• processing of personal data in police activity – 23 complaints;
• processing of personal data by publishing court decisions without depersonalization – 17 complaints;
• processing of personal data in the financial sector – 16 complaints;
• etc.
In addition, at the “One-Stop Shop” of the NCPDP, 443 notifications were submitted for examination in order to register personal data controllers and/or personal data filing systems. Following the analysis of those notifications, 282 authorization decisions and 161 refusal decisions were issued. Thus, about 241 data controllers and 282 personal data filing systems were registered in the Register of evidence of personal data controllers, which, compared to the previous period, indicates an increased interest of data controllers in complying with the requirements of Law no. 133 of 8 July 2011 on personal data protection.
3. European and international news
On November 12th and 13th 2019, the fifteenth plenary session of the European Data Protection Board took place in Brussels. The meeting addressed the following topics:
• Report on the Third Annual Joint Review of the EU-US Privacy Shield
• Guidelines on the Territorial Scope of the GDPR (version following public consultation)
• Guidelines on Data Protection by Design and by Default
• Article 64 Opinion on ExxonMobil BCRs
• Response letter to LIBE on EU Information Systems
• Contribution to the consultation on a draft second additional protocol to the Budapest Convention on Cybercrime
More details are available at: https://edpb.europa.eu/news/news/2019/fifteenth-plenary-session-privacy-shield-review-guidelines-territorial-scope_ro
On December 2nd and 3rd 2019, the sixteenth plenary session of the European Data Protection Board took place in Brussels.
During its December Plenary Session, the EDPB addressed the following issues:
• Art. 64 GDPR Opinion on accreditation requirements for the Code of Conduct monitoring body by the UK SA. The EDPB adopted its opinion on the draft decision of the UK Supervisory Authority on Accreditation Requirements for Code of Conduct Monitoring Bodies. The opinion aims to ensure the consistency and correct application of these requirements among the EEA supervisory authorities.
• Response to the request for recommendations from BEREC on the revision of the guidelines on internet neutrality rules. The EDPB adopted its response to the request for guidance from the Body of European Regulators for Electronic Communications (BEREC) on the current EU data protection framework.
• Guidelines on “The criteria of the Right to be Forgotten in the search engines cases under the GDPR”. The Board adopted draft guidelines on “Criteria for the right to be forgotten in search engine cases under the GDPR”. The guidelines provide an interpretation of Article 17 of the GDPR on the grounds and exceptions for removal requests addressed to search engine providers, and are an update of the 2014 guidelines on the implementation of the Costeja decision issued by the Article 29 Working Party (WP29).
On December 11th and 13th 2019, the 49th meeting of the Bureau of the Consultative Committee of Convention 108 for the Protection of Individuals with regard to Automated Data Processing took place. The following topics were discussed during the meeting:
• Ratification of the Protocol (CETS No. 223) amending Convention 108 by Bulgaria;
• The Ad Hoc Committee on Artificial Intelligence (CAHAI), which has started work on the feasibility study of an international legal framework on artificial intelligence (AI), dealing with the mapping of the latest trends in AI data;
• Recent signatures of the amending Protocol (CETS No. 223, Convention 108+) by Switzerland, Serbia and North Macedonia. So far the total number of signatories is 38.
On January 28th and 29th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their seventeenth plenary session. During the plenary, a wide range of topics was discussed.
The EDPB adopted its opinions on the Accreditation Requirements for Codes of Conduct Monitoring Bodies submitted to the Board by the Belgian, Spanish and French supervisory authorities (SAs). These opinions aim to ensure consistency and the correct application of the criteria among EEA SAs.
The EDPB adopted draft Guidelines on Connected Vehicles. As vehicles become increasingly more connected, the amount of data generated about drivers and passengers by these connected vehicles is growing rapidly. The EDPB guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles by data subjects. More specifically, the guidelines deal with the personal data processed by the vehicle and the data communicated by the vehicle as a connected device. The guidelines will be submitted for public consultation.
The Board adopted the final version of the Guidelines on the processing of Personal Data through Video Devices following public consultation. The guidelines aim to clarify how the GDPR applies to the processing of personal data when using video devices and to ensure the consistent application of the GDPR in this regard. The guidelines cover both traditional video devices and smart video devices. The guidelines address, among others, the lawfulness of processing, including the processing of special categories of data, the applicability of the household exemption and the disclosure of footage to third parties. Following public consultation, several amendments were made.
The EDPB adopted its opinions on the draft accreditation requirements for Certification Bodies submitted to the Board by the UK and Luxembourg SAs. These are the first opinions on accreditation requirements for Certification Bodies adopted by the Board. They aim to establish a consistent and harmonised approach regarding the requirements which SAs and national accreditation bodies will apply when accrediting certification bodies.
The EDPB adopted its opinion on the draft decision regarding the Fujikura Automotive Europe Group’s Controller Binding Corporate Rules (BCRs), submitted to the Board by the Spanish Supervisory Authority.
Letter on unfair algorithms
The EDPB adopted a letter in response to MEP Sophie in’t Veld’s request concerning the use of unfair algorithms. The letter provides an analysis of the challenges posed by the use of algorithms, an overview of the relevant GDPR provisions and existing guidelines addressing these issues, and describes the work already undertaken by SAs.
Letter to the Council of Europe on the Cybercrime Convention
Following the Board’s contribution to the consultation process on the negotiation of a second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), several EDPB Members actively participated in the Council of Europe Cybercrime Committee’s (T-CY) Octopus Conference. The Board adopted a follow-up letter to the conference, stressing the need to integrate strong data protection safeguards into the future Additional Protocol to the Convention and to ensure its consistency with Convention 108, as well as with the EU Treaties and Charter of Fundamental Rights. More information is available at: https://edpb.europa.eu/news/news/2020/seventeenth-edpb-plenary-session_en
4. Other data protection authorities
During this period, several data protection authorities in the European Union carried out investigations which led to the imposition of administrative fines to data controllers from various sectors of activity. Of these, the following should be highlighted:
• The National Authority for Supervision of Personal Data Processing in Romania applied a fine of 80,000 EUR, finding that the controller violated both the provisions of art. 25 para. (1) and art. 5 para. (1) let. f) of the GDPR. The controller did not ensure compliance with the principle of data protection by design and by default (privacy by design and privacy by default), as it did not adopt appropriate technical and organizational measures to integrate adequate safeguards into the automated data processing system used in the settlement of card transactions; 225,525 customers were affected, their payment operations having been doubled in the period 8-1 October 2018, which also engages the provisions of art. 32 para. (1) let. d) of the GDPR.
• The Norwegian Data Protection Authority issued an administrative fine of 49,300 EUR for storing patient data from nursing homes and health centers outside the electronic medical record system, from 2007 until November 2018.
• The Italian Supervisory Authority imposed two fines totaling 11.5 million EUR, regarding the illicit processing of personal data in the context of activities for the promotion and activation of unsolicited contracts. The fines were determined according to the parameters set out in the EU Regulation, including the wide range of stakeholders involved, the degree of conduct, the duration of the infringement and the economic conditions of the controllers. More information is available at: https://edpb.europa.eu/news/national-news_en