Newsletter No. 11
1. Information and training activities carried out by the NCPDP
During the second quarter of 2022, the National Center for Personal Data Protection (NCPDP) made progress in its training activities for representatives of local public authorities (LPAs) and central public authorities (CPAs). The training courses aimed at strengthening the capacities of these representatives by familiarising them with the field of personal data protection, raising their awareness of it and keeping them informed about it. The most important topics covered were, as appropriate: general notions of personal data; processing of categories of personal data; legal grounds for personal data processing; filming and online transmission of local council meetings; depersonalisation of data in the State Register of Local Acts; the personal data protection officer; data protection impact assessment and prior consultation; designation of the function and tasks of the data protection officer. Training courses were conducted for the following institutions/authorities:
– 8 April – Balti Municipal Council;
– 19 April – Rezina District Council;
– 6 May – Floresti District Council;
– 20 May – Sîngerei District Council;
– 3 June – Ungheni District Council;
– 17 June – Calarasi District Council.
In this regard, the NCPDP has trained about 215 LPA representatives from the above-mentioned regions.
As regards training for representatives of LPAs, the NCPDP organised trainings for about 1310 representatives of the Customs Service, the State Tax Service, the National Agency for Food Safety and the Secretariat of the Parliament of the Republic of Moldova.
On 15 April this year, the NCPDP launched an information and awareness campaign for school communities entitled “Personal data protection and children’s safety online”. The first training course was organised at the “Onisifor Ghibu” Lyceum in Chisinau, the target audience being 4th grade pupils. The aim of the campaign is to give personal data protection and child safety online high visibility within the school community, at local and national level, by promoting empowerment and best practices for intervention and support. Subsequently, two more training sessions were held within the school community on 6 May.
The topics covered in the trainings were: general notions on personal data; correct use of photos/videos online; risks and threats online; communication on social networks.
Also, during the same period, the NCPDP signed two Collaboration Agreements with the “Academy of Public Administration” and the “National Association of ICT Companies”.
2. Control activity
In the period April-June 2022, the NCPDP started verifying the compliance of personal data processing operations in 76 cases, and 50 decisions were issued, of which 32 found a breach of legal provisions. At the same time, 34 infringement reports were drawn up and subsequently submitted to the court for resolution. During the same period, 37 contraventions were found.
3. Findings of the National Centre for Personal Data Protection
I. Processing of personal data without legal basis, manifested by accessing data through the Real Estate Register and violation of the personal data subject’s right of access to personal data.
The NCPDP, in the context of examining a petition filed by a data subject, issued a decision finding that a real estate company had violated Article 4 para. (1) (a) and (b), Art. 5 para. (1) and Art. 13 para. (1) of Law no. 133/2011 on personal data protection in processing the petitioner’s personal data. The violation consisted both in accessing the data subject’s personal data stored in the Real Estate Register and in ignoring the data subject’s request, by which he exercised his right of access to personal data and asked for information on the reasons for and purpose of processing personal data concerning him.
Thus, following the examination of the case, it was determined that the personal data controller processed the data subject’s personal data stored in the Real Estate Register without a legal basis and without the consent of the data subject, and it was found that the real estate company violated Article 4 para. (1) (a) and (b) and Art. 5 para. (1) of Law no. 133 of 08.07.2011 on the protection of personal data.
Moreover, the real estate company ignored the data subject’s request, failing to grant him the right of access to personal data concerning him provided for by Article 13 para. (1) of the personal data protection Law.
II. Breach of the rules on processing and storage of personal data.
The NCPDP was notified by a personal data subject that a data controller, without the data subject’s consent, was making payments on behalf of the data subject to the bank account of a legal entity, thereby processing personal data: name, surname and state identification number.
The investigation found that, during 2021, a bank employee used a template of a cash collection order in favour of a legal entity, with a member of the cooperative as the payer. In the orders concerned, the employee changed only the amount and the corresponding date but omitted to change the payer’s data, even though, when concluding the transaction, the employee verified the identity of the cooperative’s administrator, who did not provide a copy of the data subject’s identity card.
We note that, according to Art. 4 para. (1) of Law no. 133 of 08.07.2011 on personal data protection, personal data subject to processing must be: a) processed fairly and lawfully; b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. […]. According to Art. 5 of the same normative act, personal data is processed with the consent of the data subject, except in the cases exhaustively listed in para. (5) of the same article. According to Article 9 of the aforementioned normative act, the processing of the State identification number (IDNP) of a natural person, […] or of other personal data having an identification function of general applicability may be carried out under the following conditions: a) the data subject has given his consent; b) the processing is expressly provided for by law.
In this context, the decision found that the bank employee, during 2021, violated the provisions of Art. 4 para. (1) (a) and (b), Art. 5 para. (1) and Art. 9 of Law no. 133 of 08.07.2011 on personal data protection.
Moreover, by the same decision, the NCPDP ordered the banking institution to initiate training for employees/staff involved in the processing of personal data, so that they perform their functional duties in accordance with the legislation in the field of personal data protection and with the internal documents/regulations approved in this regard.
4. Supervisory activity
In accordance with the provisions of Law No. 175/2021 on the amendment of certain normative acts, which entered into force on 10 January 2022, the obligation to designate a personal data officer has been established. Thus, during the reference period, the NCPDP received 24 letters informing it of the designation of a personal data officer by the entities concerned, mainly private entities.
At the same time, the following recommendations/opinions have been developed and posted on the official website of the NCPDP: Considerations in relation to the increasing use of video surveillance systems with audio recording functions; Practical and legal aspects in relation to the installation and management of video surveillance means.
In order to provide methodological and advisory support to personal data controllers and/or processors, more than 315 telephone consultations and 20 responses by e-mail were provided, and recommendations were proposed to address the discrepancies identified by data controllers.
At the same time, the NCPDP informed 34 public authorities and institutions of the need to designate a personal data officer.
5. International and European news
– The 63rd plenary meeting of the European Data Protection Board (EDPB) was held online on 6 April. During the session, several topics were discussed, including a Statement on the announcement of a new Trans-Atlantic Data Privacy Framework. The EDPB welcomes the commitments made by the U.S. to take ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area when their data are transferred to the U.S.
– The 64th plenary meeting of the European Data Protection Board was held online on 4 May, at which the adoption of the EDPB-EDPS Joint Opinion 2/2022 on the Proposal of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) was discussed.
– The 65th plenary meeting of the European Data Protection Board took place online on 12 May. The plenary session focused on two topics, namely:
· New Guidelines on the calculation of administrative fines were adopted, harmonising the methodology that data protection authorities (DPAs) use. The guidelines also include harmonised ‘starting points’ for the calculation of a fine, based on three elements: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of the business.
· The EDPB also adopted Guidelines on the use of facial recognition technology in the area of law enforcement. The guidelines provide guidance to EU and national law makers, as well as to law enforcement authorities, on implementing and using facial recognition technology systems.
– On 18-20 May, the 30th edition of the Spring Conference of European Data Protection Supervisors took place in Cavtat, Croatia. The event was hosted by the Croatian Agency for the Protection of Personal Data, with the participation of about 40 countries. The agenda included topical issues in the field of personal data protection, such as Convention 108+, mutual assistance and global convergence, and the latest developments in data protection in ECHR case law. Member authorities adopted a Resolution on the need for prompt ratification of “Convention 108+”, the modernised version of Convention 108. The Resolution calls upon the governments of the member states of the Council of Europe, the governments of third countries to the Council of Europe, the European Union and international organisations to speed up the signature and ratification of Convention 108+.
– The 66th plenary meeting of the European Data Protection Board took place on 14-15 June in Brussels, Belgium. During the plenary, the EDPB adopted several documents, among which Guidelines on certification as a tool for transfers. The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool; they will be subject to public consultation until the end of September.
6. Other data protection authorities
· On 4 April, the Danish Supervisory Authority reported Danske Bank to the Danish police and proposed a fine of 1.3 million EUR for infringement of Article 5 (2) of the GDPR. During the Danish SA’s investigation, it became clear that, for more than 400 systems, the bank had not been able to document whether rules had been laid down for the deletion and storage of personal data, or whether manual deletion of personal data had been carried out. These systems process the personal data of millions of people.
· On 15 April, the French Lead Supervisory Authority (CNIL) imposed an administrative fine of 1.5 million euros on Dedalus Biologie for infringement of Articles 28, 29 and 32 of the GDPR. Based on the elements collected during the investigations, CNIL identified three breaches. First, in the context of migrating a software package to another tool, as requested by two laboratories using the services of Dedalus Biologie, the company extracted a larger volume of data than required. It therefore processed data beyond the instructions given by the data controller and failed to comply with Article 29 GDPR. Second, the company had not ensured the security of personal data within the meaning of Article 32 GDPR. Third, it was also established that the general conditions of sale proposed by Dedalus Biologie and the maintenance contracts transmitted to the CNIL did not contain the mentions required by Article 28 (3) GDPR.
· On 3 May, the Icelandic Supervisory Authority imposed a fine of €35,000 on the municipality of Reykjavík for using the Seesaw education system, an American cloud-based service. Following the investigation, it was found that: the processing agreement between Reykjavík and Seesaw was insufficient; the municipality could not demonstrate a specified, explicit and legitimate purpose for the processing in question, which was therefore considered unlawful; the processing was neither fair nor transparent; the principles of data minimisation and storage limitation were not implemented, nor was data protection by design and by default, taking into consideration the amount of data collected, the extent of its processing, the period of its storage and its accessibility; the data protection impact assessment did not meet the minimum requirements; the municipality did not demonstrate that it had ensured appropriate security of the personal data in question; and the data was being transferred to the United States without appropriate safeguards. The Icelandic SA furthermore concluded that all processing in the Seesaw educational system should cease and students’ data be deleted.