NEWSLETTER No. 10
1. Information activities performed by NCPDP
On January 28, the National Center for Personal Data Protection (NCPDP), in collaboration with TAIEX project experts, organized the National Conference “Challenges of international data transfers from the perspective of the Convention 108+ and GDPR”. The aim of the Conference was to present information, examples of good practice and innovative solutions for raising awareness and informing the public sector about the challenges of cross-border data transfers. The workshop was conducted by personal data protection experts from Italy, Germany and Austria and by representatives of the European Commission. Among the topics addressed by the experts were: cross-border transfers of personal data from the perspective of Convention 108+ and global trends; an overview of the grounds for cross-border transfers of personal data under the GDPR and the types of safeguards required; the challenges of cross-border data transfers from the perspective of the EU supervisory authorities; cross-border data transfers in the area of law enforcement cooperation; and general information on the concept of adequacy and the substantive and procedural aspects of adequacy decisions. The event was attended by about 70 representatives of the public sector.
Furthermore, on January 26, the Street Action “Protect personal data”, organized by representatives of the NCPDP in the context of the European Data Protection Day, was held. Several NCPDP employees distributed information materials to passers-by near the Cathedral Square, raising citizens’ awareness of the concept of personal data, the rights of data subjects, and the security and confidentiality measures that apply when data are processed. Citizens were also informed about the situations in which personal data may be processed in breach of the national legislation in this field, and were given practical guidance and recommendations on the steps to take in such situations.
In the reference period, the NCPDP registered a remarkable growth in training and awareness activities. The series of trainings organized for representatives of the local public authorities (LPA) from the districts of the Republic of Moldova was continued, with the aim of strengthening the capacities of LPA representatives by familiarizing them with, raising their awareness of and informing them about the field of personal data protection. The topics addressed in the training were: general notions of personal data protection; legal grounds for personal data processing; recording and live streaming of local councils’ meetings; approval of the security policy and of the instructions for personal data filing systems, etc. Separately, the trainings addressed the correct depersonalization of personal data contained in the administrative acts of local public authorities published in the State Local Documents Registry. The events, moderated by national experts in the field of personal data protection within the NCPDP, were organized for about 50 mayors, district councilors and secretaries of local councils from each district center, in compliance with the protection measures imposed in the context of the COVID-19 pandemic. The training courses were conducted:
· On 27 January – Ialoveni District Council;
· On 04 February – Telenești District Council;
· On 11 February – Edineț District Council;
· On 25 February – Drochia District Council;
· On 11 March – Dondușeni District Council;
· On 25 March – Soroca District Council.
2. Control activity
During the reference period, the NCPDP verified the conformity of personal data processing operations by initiating 53 investigations. Of these 53 investigations, 47 were finalized, and in 27 cases a violation of the legal provisions was found. Furthermore, 18 contravention reports (minutes) were drawn up and subsequently submitted to the court for settlement.
3. Findings of the NCPDP
I. Violation of the data subject’s rights: the right of access to personal data, the right of intervention upon the personal data and the right to object.
In the context of the examination of a complaint filed by a data subject, the NCPDP issued a decision finding that an economic agent had violated Article 13 para. (1) and Article 14 of Law No. 133/2011 on personal data protection in the processing of the complainant’s personal data. The violation consisted in ignoring the request of the data subject, in which the latter asked, among other things, for a response demonstrating that the data controller had deleted the personal data concerning him, thereby exercising his right of intervention upon the personal data.
The data subject had exercised his right of access and right of intervention upon the personal data concerning him by submitting a request to the personal data controller, asking for information on how the protection of customers’ personal data is ensured, the purposes for which these data are used, and what guarantees exist that the personal data are not used for personal purposes.
Following the examination of the case, it was determined that the personal data controller had ignored the request of the data subject, failing to grant him the right of access and the right of intervention upon the personal data concerning him, provided for in Article 13 para. (1) and Article 14 of the Law on personal data protection.
In this respect, a contravention report was drawn up against the economic agent under Article 74¹ para. (3) of the Contravention Code.
II. Violation of the processing and storage of personal data rules by means of a video surveillance system
In the framework of the examination of a complaint filed by a data subject, the NCPDP issued a decision finding a violation of Article 4 para. (1) (a), (b), (c) and Article 5 para. (1) of Law No. 133/2011 in the processing of the complainant’s personal data. The violation consisted in the collection/recording of the data subject’s voice, without his consent, by means of a video surveillance camera installed on an electric pole, whose field of view covered both the property of the video surveillance system manager and a portion of space not belonging to the latter, without a determined, explicit and legitimate purpose having been identified, and without the causal link between the purpose and the processed personal data of the complainant, or the proportionality, fairness and consistency of the processing with the legal rules in the field of personal data protection, having been established.
In view of the above, the NCPDP held that, before installing a video surveillance system, the data controller must always critically examine whether the measure is, firstly, appropriate for achieving the desired objective and, secondly, proportionate and necessary for its purposes, weighed against the interests and fundamental rights and freedoms of the data subject. The audiovisual recording carried out by the data controller in question, by means of the video surveillance camera and without the consent of the data subject, therefore constituted an excessive and disproportionate measure in relation to the stated purpose, in this case ensuring the security of property.
In this respect, a contravention report was drawn up against the personal data controller under Article 74¹ para. (1) of the Contravention Code.
4. Surveillance activity
In accordance with the provisions of Law No. 175 of 11 November 2021 on the amendment of certain regulatory acts, which entered into force on 10 January 2022, the obligation to designate a data protection officer has been established.
In this regard, the NCPDP has received more than twenty letters from the entities concerned informing it of the designation of a data protection officer. Where appropriate, the NCPDP has intervened with recommendations in order to remove the discrepancies identified.
At the same time, a number of communications were drafted and posted on the NCPDP website concerning: the changes in the legislation in the field of personal data protection; the need to designate a data protection officer; the obligation of data controllers to publish this information on their websites; the obligation of data controllers to carry out a data protection impact assessment, etc.
During the reporting period, the NCPDP prepared and published, in the Official Gazette and on the NCPDP website, the List of States ensuring an adequate level of personal data protection, in the context of the amendments to Article 32 of Law No. 133/2011 on personal data protection.
Furthermore, a list of the types of processing operations subject to the requirement to carry out a data protection impact assessment has been drawn up and will be published on the NCPDP website.
In addition, the NCPDP intends to publish guidance on data protection impact assessments, for recommendation purposes.
In order to provide methodological and advisory support to personal data controllers and/or processors, more than 391 telephone consultations and 34 e-mail responses were provided.
5. International and European news
– On January 18, the 59th Plenary Session of the European Data Protection Board (EDPB) took place online. During the Plenary, the EDPB adopted several documents, among which:
· Guidelines on the Right of Access. The Guidelines analyse the various aspects of the right of access and provide more precise guidance on how it has to be implemented in different situations.
· A letter in reply to letters calling for a consistent interpretation of cookie consent.
· The updated Guidelines on consent. The guidelines aim to ensure a harmonized approach on the conditionality of consent and on the unambiguous indication of wishes.
– On February 22, the 61st Plenary Session of the European Data Protection Board took place online. During the Plenary, the EDPB adopted several documents, among which:
· A letter in reply to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) regarding the Second Additional Protocol to the Cybercrime Convention, in view of the two European Commission Proposals for Council Decisions authorising Member States to sign and ratify the Protocol.
· Following public consultation, a final version of the Guidelines on Codes of Conduct as a tool for transfers, taking into consideration the feedback received from stakeholders. The main purpose of the guidelines is to clarify the application of Articles 40(3) and 46(2)(e) GDPR.
· A letter on Artificial Intelligence liability.
– On March 14, the 62nd Plenary Session of the European Data Protection Board took place online. During the Plenary, the EDPB adopted several documents, among which:
· Guidelines on Art. 60 GDPR. The drafting of such guidance is part of the EDPB Strategy and Work Programme 2021-2022 to support effective enforcement and efficient cooperation between national supervisory authorities.
· Guidelines on dark patterns in social media platform interfaces. The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements.
· A toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country SAs. This contributes to one of the key actions of the EDPB Strategy and Work Programme 2021-2022 and aims to facilitate the engagement between EDPB members and the SAs of third countries. The toolbox covers key topics, such as enforceable rights of data subjects, compliance with data protection principles and judicial redress.
· A joint EDPB-EDPS opinion on the proposals to extend the Digital COVID Certificate by up to 12 months. The subject will continue to be discussed at the next Plenary Session.
– On March 23-25, the 55th meeting of the Bureau of the Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data took place online. During the meeting, several topics were discussed, among which:
· Convention 108+ State of play, ratifications and accessions;
· Evaluation and follow up mechanism under Convention 108+;
· Digital identity;
· Inter-state exchanges of data for Anti-Money Laundering/Countering Financing of Terrorism, and tax purposes;
· Contractual clauses in the context of transborder data flows;
· Cooperation with other bodies and entities of the Council of Europe.
6. Other data protection authorities
· On January 28, the Hellenic Data Protection Authority (DPA) imposed fines totalling EUR 9 250 000 on the telecommunications companies COSMOTE and OTE S.A. for a personal data breach and unlawful data processing. The investigation of the case revealed that COSMOTE had infringed the principles of lawfulness and transparency by providing unclear and insufficient information to subscribers. The company was also found responsible for a poor data protection impact assessment, poor anonymisation, inadequate security measures, and a failure to allocate the roles of the two companies (COSMOTE / OTE) in relation to the processing in question. In addition, OTE S.A. was found to have infringed Article 32 of the GDPR due to inadequate security measures in relation to the infrastructure used in the context of the breach. The Hellenic DPA fined COSMOTE a total of EUR 6 000 000 and ordered it to stop the processing and destroy the data, and fined OTE S.A. a total of EUR 3 250 000.
· On February 10, the Italian Data Protection Authority (SA) imposed a fine of EUR 20 million on Clearview AI for unlawful personal data processing. Following an investigation launched on its own initiative, the Italian SA found that the personal data held by the company, including biometric and geolocation information, were processed unlawfully, without an appropriate legal basis. Furthermore, the company infringed several fundamental principles of the GDPR, such as transparency, purpose limitation and storage limitation. In this context, the Italian SA imposed a ban on any further collection, by means of web scraping techniques, of images and the related metadata concerning persons in Italian territory and on their further processing, and ordered the erasure of the data, including biometric data, processed by its facial recognition system.
· On March 15, the Irish Data Protection Authority (SA) imposed a fine of EUR 17 million on Meta Platforms (formerly Facebook) for infringement of Articles 5(2) and 24(1) GDPR. Following its investigation into twelve personal data breaches, the Irish SA found that Meta Platforms had failed to have in place appropriate technical and organisational measures such as would enable it to readily demonstrate the security measures it implemented in practice to protect EU users’ data.