Newsletter No 16
I. Information and training activities carried out by the NCPDP
In the last quarter of 2023 (October – December), the National Centre for Personal Data Protection (NCPDP) continued its information and awareness-raising activities in the field of personal data protection.
During the reporting period, the organization of training courses for the subdivisions of the General Inspectorate of Police (GPI) continued, according to the training plan approved and signed by the heads of the NCPDP and GPI on 25 January 2023.
The aim was to increase the awareness of the employees of the GPI’s subdivisions of the principles of personal data protection and to ensure the correct application of the legal provisions in the field in the activity they carry out. During the events important topics were addressed, such as: definition of general notions related to the field of personal data protection; the lawful processing of personal data in the activity carried out by the employees of the GPI’s subdivisions; the requirements of personal data protection in the exercise of their duties; the obligations of the police body as a data controller in relation to the data subject; the correct procedure for accessing personal data through the state information systems, as well as keeping correct audit records of such accesses; ensuring the security and confidentiality of the personal data processed, etc.
Thus, training courses were organised for the following subdivisions:
- 3 October – Telenesti Police Inspectorate of the GPI;
- 10 October – Taraclia Police Inspectorate of the GPI;
- 7 November – DAI, DCPI Interpolal GPI, DPC and DPI of GPI;
- 27 November – Central Police Inspectorate of the Police Directorate;
- 5 December – Police Department of Chisinau municipality.
In this context, about 200 representatives from GPI subdivisions were trained.
At the same time, training courses for medical institutions continued. On 3 November, a training course on “Legal provisions in the field of personal data protection” was held for the representatives of the “Chiril Draganiuc” Physiopneumology Institute, with the aim of strengthening the capacities of medical staff by familiarizing, raising their awareness and informing them about personal data protection.
During the event, topics such as the following were addressed: definition of personal health data; processing of common categories of personal data; processing of special categories of personal data; legal grounds for processing personal health data; principles of processing personal data; patients’ rights; obligation of secrecy of personal data; confidentiality and professional secrecy; disclosure of personal health data; obligation to ensure confidentiality and security of personal data; data minimization and storage limitation, etc. About 80 representatives of the IMPS of Physiopneumology “Chiril Draganiuc” were trained during the event.
During the reporting period, the information and awareness-raising campaign for school communities continued under the title “Personal data protection and children’s safety online”. The aim of the campaign was to give the school community high visibility on data protection and child safety online at local and national level by promoting empowerment and best practice in intervention and support. The topics covered in the training included: general notions on personal data; correct use of pictures/video online; risks and threats online; communication on social networks, etc. The training course was organized on 7 December for the public institution Liceul Teoretic “Dante Alighieri” from Chisinau. The event took place within the Personal Development class, the target audience being the students of the 5th class “B”. In this context, 37 students were trained.
In the last quarter of 2023, as throughout the year, the NCPDP showed openness and a spirit of collaboration, organising multiple training courses for representatives of public institutions, at their request. The training courses aimed at familiarising public officials with the aspects of personal data protection in the public service, the regulation of processing procedures, as well as the personal data confidentiality and security regime in accordance with the legislation in force.
During the events important topics were discussed, such as: definition of general notions related to the field of personal data protection; principles and legal grounds for personal data processing; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO) and his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA) and the steps to be carried out by a DPIA, etc. Thus, training courses were organised for the following institutions:
- 02 October – General Inspectorate of Carabineers;
- 06 October – General Inspectorate Training Centre of Carabineers;
- 11 October – Regional Directorate “Centre” of the General Inspectorate of Carabineers;
- 12 October – Agency for Court Administration, Northern Region;
- 13 October – Agency for Court Administration, Centre Region;
- 18 October – Regional Directorate “Centru” of the General Inspectorate of Carabineers;
- 20 October – Regional Directorate “SUD” of the General Inspectorate of Carabineers;
- 25 October – Regional Directorate “NORTH” of the General Inspectorate of Carabineers;
- 31 October – Ministry of Energy;
- 1 November – General Directorate for Education, Youth and Sport of the Chisinau Municipal Council;
- 9 November – National Integrity Authority;
- 16 November – State Chancellery;
- 17 November – Directors of early education institutions in Chisinau municipality;
- 22 November – Directors of educational institutions from Chisinau municipality;
- 23 November – Ministry of Infrastructure and Regional Development;
- 28 November – Ministry of Labour and Social Protection;
- 29 November – Republican Centre for Psycho-pedagogical Assistance;
- 6 December – State Protection and Guard Service;
- 08 December – Ministry of Agriculture and Food Industry;
- 18 December – National Agency for Food Safety.
In this context, about 1200 representatives of public institutions were trained.
II. Control activity
From October to December 2023, the NCPDP started the verification of compliance of personal data processing operations in 85 cases. During the reporting period, 89 decisions were issued, of which 43 cases were found to be in violation of the legal provisions, and 42 infringement notices were issued, which were subsequently handed over to the court for resolution.
III. Findings of the National Centre for Personal Data Protection
I. The NCPDP has examined the complaint of a data subject concerning the alleged non-compliant processing of personal data, materialized by the fraudulent storage and use of personal data belonging to him (name, surname, date/month/year of birth, IDNP). In the course of the investigation, the NCPDP found that personal data concerning the data subject had previously been transmitted by the complainant to the owner of a shop in order to support the payment of a fine via the RunPay terminal at the premises where he was working.
Subsequently, the data subject’s personal data were also used to apply for a loan by entering the IDNP and date/month/year of birth into the terminal. Although the shop owner claimed that he had mistakenly entered the IDNP of the complainant (believing that he had entered the personal data of the latter’s daughter), the NCPDP found no justification for entering the complainant’s date/month/year of birth in the credit application, given that every parent knows the date of birth of their own child.
It is imperative to point out that according to Article 11 of the Personal Data Protection Law the conditions and time limits for storing personal data are provided for by law, taking into account the provisions of Article 4 para. (1) letter e). At the end of personal data processing operations, if the subject of these data has not given his consent for another purpose or for further processing, they will be destroyed.
As the data subject did not consent to further processing of the personal data, the data subject’s identification data was to be destroyed immediately after the fine was paid via the terminal.
Thus, the NCPDP, verifying the fulfilment of the mandatory elements implying the conformity and legality of the personal data processing operations, established that there was no purpose and legal basis justifying the actions of the shop owner to store and further use the personal data of the data subject, manifested by their transmission to a credit company, actions contrary to the provisions of Article 4 para. (1) (a) and (e), Art. 5 para. (1) and Art. 11 of the Personal Data Protection Law.
II. The NCPDP has examined the complaint of a Public Authority submitted under its competence, requesting verification of the lawfulness of the processing of personal data of a data subject and his/her child, manifested by accessing/consulting/extracting personal information stored in a state information resource.
The investigation determined that from a user account that was assigned to a former employee of the authority, who resigned in 2019, using the work computer of a current employee, the data subject’s state border crossing information was searched, the information was saved in PDF format, then printed and transmitted to third parties.
Thus, it was established that the user account of the former employee was still active 3 years after the employee’s resignation, being deactivated only two months after the access referred to in the complaint.
Subsequently, it was determined that the work computer that was used for the processing of the data subject’s personal data was located in the common office of several employees and that the employee who was in charge of the computer was not at work at the time of the access. At the same time, it was established that other computers were connected under the IP-device (remote VPN user), and the service office where the computer is located serves as a common office for all employees of the section, with unrestricted physical access to the computer.
In these circumstances, it was not possible to identify with certainty the person/controller who processed the personal data of the data subjects. Consequently, the NCPDP found in rem that the processing of personal data of the data subjects concerned was carried out contrary to the provisions of Article 4 para. (1) (a), (b), (c) and Art. 5 para. (1) and para. (3) of the Personal Data Protection Law, in the absence of a legal basis and without the consent of the data subject. The security incident was generated by improper management and organization of the tasks assigned to the staff within the institution, who, through malicious actions or even errors or negligence in the use of information resources, caused the incident. Moreover, the controller was obliged to review the access rights of users at regular intervals, namely: review of the access rights of SIIV users – once every 6 months and after each change in the user’s activity; and review of the granting of access rights for privileged roles – once every 3 months.
At the same time, the Centre determined that the entity is liable for violation of Article 30 para. (1) of the Personal Data Protection Act, as it failed to ensure the necessary organisational and technical measures for the protection of the personal data made available to it, which consequently led to the unlawful processing of the personal data of the data subjects.
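As an added example (not part of the newsletter and not the authority’s own tooling), the access-review obligation cited in this finding expressed as a check over a constructed account inventory: it flags accounts still enabled after the holder has left, accounts used after departure, and accounts whose last review is older than the 6-month (ordinary user) or 3-month (privileged role) interval. The role names, record fields, sample accounts, audit date and the 30-day month approximation are all assumptions of the example.

```python
from datetime import date, timedelta

# Review intervals as stated in the finding: ordinary SIIV user accounts
# every 6 months, privileged roles every 3 months. The role labels and the
# 30-day month approximation are assumptions of this example.
REVIEW_INTERVAL_DAYS = {"user": 6 * 30, "privileged": 3 * 30}

# Constructed audit date (hypothetical).
AS_OF = date(2022, 9, 30)

# Constructed sample inventory (hypothetical; not the authority's data).
# "enabled" is the directory state; "employed"/"left_on" come from HR records.
ACCOUNTS = [
    {"login": "former.employee", "role": "user", "enabled": True,
     "employed": False, "left_on": date(2019, 6, 30),
     "last_review": date(2019, 1, 15), "last_login": date(2022, 8, 3)},
    {"login": "current.analyst", "role": "user", "enabled": True,
     "employed": True, "left_on": None,
     "last_review": date(2022, 5, 2), "last_login": date(2022, 9, 1)},
    {"login": "db.admin", "role": "privileged", "enabled": True,
     "employed": True, "left_on": None,
     "last_review": date(2022, 7, 1), "last_login": date(2022, 9, 2)},
    {"login": "retired.clerk", "role": "user", "enabled": False,
     "employed": False, "left_on": date(2021, 3, 1),
     "last_review": date(2021, 3, 1), "last_login": date(2021, 2, 27)},
]


def check_account(acct, today):
    """Return the list of control failures for one account as of `today`."""
    issues = []
    # Orphaned account: the holder has left but the account is still enabled
    # (the situation in the finding: active 3 years after resignation).
    if not acct["employed"] and acct["enabled"]:
        issues.append("orphaned_account")
        # A login after the departure date is the kind of access that can
        # no longer be attributed to a current employee.
        if acct["left_on"] and acct["last_login"] > acct["left_on"]:
            issues.append("used_after_departure")
    # Periodic review overdue relative to the interval mandated for the role.
    if acct["enabled"]:
        limit = timedelta(days=REVIEW_INTERVAL_DAYS[acct["role"]])
        if today - acct["last_review"] > limit:
            issues.append("review_overdue")
    return issues


def audit(accounts, today):
    """Map login -> issues for every account failing at least one check."""
    report = {}
    for acct in accounts:
        issues = check_account(acct, today)
        if issues:
            report[acct["login"]] = issues
    return report


if __name__ == "__main__":
    for login, issues in audit(ACCOUNTS, AS_OF).items():
        print(f"{login}: {', '.join(issues)}")
```

Disabled accounts are skipped by the review check, so the report only lists accounts that can actually be used.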
III. The NCPDP received, in accordance with its competence, a request from the police forwarding an individual’s request to verify the lawfulness of the processing of his personal data.
In fact, the data subject reported that he had received numerous phone calls from various lending companies in the Republic of Moldova informing him about the examination of credit applications submitted online on the basis of his personal data.
Following the actions carried out during the control, in the light of Law no. 133/2011 on the personal data protection, the NCPDP identified the person who processed the personal data, thus falling under the notion of data controller and being responsible for the personal data processing operations, as well as for ensuring the confidentiality and security of personal data.
In this context, the Personal Data Protection Authority found that the processing of the data subject’s personal data, carried out by the data controller, by disclosing the name, surname, state identification number (IDNP) and contact details of the complainant to the credit companies, took place contrary to the legal provisions laid down in Article 4 para. (1) letters a), b), c), Art. 5 para. (1), Art. 9 and Art. 29 para. (1) of Law No. 133/2011 on personal data protection.
IV. The NCPDP was referred to by an initiative group, which alleged that Law No 356/2022 on the amendment of some normative acts introduced amendments to Law No 93/1998 on the entrepreneur’s patent, which would have created conditions for the violation of legal provisions on the protection of personal data of holders of entrepreneur’s patents.
Thus, entrepreneurs operating in the markets, who have complied with the new tax regime, have found that the tax receipts issued to buyers contain personal data, in particular, the state identification number, indicated in the tax code field – C. F.
From the stipulated provisions, it was determined that the tax legislation regulates the record of tax liabilities of individuals on the basis of tax codes assigned in the prescribed order, resulting from the exercise of independent economic activity.
Examining the existing legal bases in force, in particular – Art. 5(28), Art. 162 para. (1) letter b), art. 163 of the Tax Code, point 10 letter i) of the Instruction on Taxpayer Records, point 24 of the Regulation on the Single Register of Cash Register and Control Equipment, which frames the fact of processing the IDNP of individuals, in the context of self-employed activity, subject from 1 July 2023 to the documentation of the sale of goods and the use only of cash register and control equipment connected to the Automated Information System “Electronic Monitoring of Sales”, in conjunction with the provisions of Art. 5 para. (5) b), art. 9 b) of Law no. 133/2011, the personal data processing operations in the case in question are carried out for the fulfilment of an obligation incumbent on the controller under the law.
At the same time, it was identified as a vulnerability that any self-employed natural person is required by the existing legal framework, in particular the one concerning the operating algorithm of cash register and control equipment, to make his IDNP public/known in the tax receipts issued daily.
However, similar regulations have been subject to constitutional review by the Constitutional Court, which has assessed the positive obligation of the competent authorities to ensure, also in the case under examination by the NCPDP, the protection of the IDNP of data subjects who practice independent activity in an efficient and similar way.
As a result, the NCPDP has attested to the existence of a defective legal framework governing the legal regime of the tax records of self-employed individuals, namely, the fact of recording the IDNP in the tax receipt issued by the licence holder to each client, interferes with the privacy of the person, being a disproportionate measure in relation to the intended purpose.
Subsidiarily, it was recommended to the Ministry of Finance/State Tax Service to establish technical and organizational measures to ensure the protection of personal data of self-employed persons, by identifying and implementing appropriate and efficient mechanisms for keeping tax records, without prejudice to the right to protection of personal data, for example: by depersonalizing the IDNP of the self-employed individual recorded in the tax voucher or by assigning a new tax code separate from the IDNP, in the context of the circumstances highlighted in para. II of the finding part of this Decision, informing the NCPDP of the action taken in this respect.
IV. Surveillance activity
During the reporting period, the NCPDP continued to organise training courses for persons designated by the controller or the processor as Data Protection Officer. This obligation is stipulated by the provisions of Law no. 133/2011 on the protection of personal data, which establishes the duty of the controller and the processor to designate a Personal Data Protection Officer in the cases provided for in Article 25 of the aforementioned law.
The aim of the training course, which took place on 21 December, was to develop theoretical knowledge in the field of personal data protection and practical skills on the application of regulations and legislative requirements in the field. During the event, important topics were discussed, such as: definition of general notions related to the field of personal data protection; rights of personal data subjects; processing of special categories of personal data; principles and legal grounds for processing personal data; ensuring security and confidentiality of personal data processed; issues related to the Data Protection Officer (DPO); issues related to Data Protection Impact Assessment, etc. About 10 DPOs from both the public and private sectors were trained during the event.
At the same time, in order to provide methodological and advisory support to personal data controllers and/or processors, more than 50 telephone consultations and 15 responses via e-mail were provided, with recommendations being proposed to remove discrepancies identified by personal data controllers.
V. International and European news
On 17 October 2023, NCPDP’s representatives participated in the “GDPR4BUSINESS” Conference, organized by the National Association of ICT Companies within the ABA Rule of Law Initiative Project “Personal Data Protection – Rights and Obligations in the Republic of Moldova” in partnership with the European Business Association (EBA Moldova). The NCPDP’s expert addressed the topic “Data Protection Officer” (DPO), highlighting the newest and most important requirements under Law 133/2011 on the protection of personal data: appointment of the DPO; the DPO function; DPO tasks.
At the same time, the conference presented practices with applicable content for business and representatives of public authorities, such as:
– Key aspects of the draft law on Personal Data Protection;
– international and regional experience in applying the GDPR;
– solutions and responses to situations, cases and challenges faced by business and public authorities in implementing the harmonised legal framework.
The event was attended by state officials, national and international experts as speakers.
On 18-19 October 2023, representatives of the NCPDP carried out a study visit “Reconciling the right of access to information and personal data protection”. The event was hosted by the French National Commission for Information Technology and Liberties (CNIL) (Commission Nationale de l’Informatique et des Libertés).
The aim of the event was to take stock of the best legal and operational practices of the CNIL on mechanisms for reconciling the right of access to information and the protection of personal data.
During the study visit, moderated by experts in the field of personal data protection from the CNIL and CADA – Commission for Access to Administrative Documents, topics of importance were addressed, such as: protection of personal data in the exercise of the right of access to information; reconciling the right of access to information and the right to protection of personal data; request for access to administrative documents or exercise of the right of access by the data subject, how to distinguish them and what is the impact; publication and re-use of data of public interest; re-use of data of public interest for scientific research purposes, etc.
The study visit was organised with the support of the EU TAIEX project – Technical Assistance and Information Exchange Instrument, managed and funded by the Directorate-General for European Neighbourhood Policy and Enlargement Negotiations (DG NEAR) of the European Commission.
From 1 to 3 November 2023, the NCPDP’s representative participated in the Internet Freedom Summit 2023, which took place in Ohrid, North Macedonia.
The event included interactive sessions, workshops, roundtables and training sessions, focusing on topical issues in the field of personal data protection and privacy, such as:
– Privacy in a connected world: Navigating the Challenges of Data Protection in the Digital Age;
– International data protection standards and the importance of harmonisation for efficient cross-border data transfers;
– Balancing privacy and technological innovation;
– The role of regulators in promoting a privacy-sensitive innovation culture;
– Strategies for monitoring and enforcing data protection regulations on online platforms;
– The role of data protection authorities in ensuring compliance and addressing detected breaches;
– The future of privacy: emerging technologies and trends, etc.
At the event, the NCPDP’s representative addressed the topic “Balancing privacy and data protection from a South-East European perspective”. Participants also shared their views on strategies for monitoring and enforcing data protection regulations on online platforms, in particular, on the future of privacy in an era of artificial intelligence, blockchain and other new technologies impacting privacy.
The event, organised by ABA ROLI, brought together civil society representatives, academics, lawyers, journalists from North Macedonia, Romania, Moldova and Serbia.
From 8 to 9 November, the NCPDP’s representatives participated in the European Case Management Workshop 2023, held in Bern, Switzerland, an annual event that provides a forum for participatory dialogue between Data Protection Authorities on the challenges they face and the solutions they apply in their daily practice.
The aim of the event was to focus on topical issues in the field of personal data protection and privacy, in particular such as:
– Handling unfounded or excessive requests in an overt manner – as per Article 57 (4) of the GDPR;
– Essential personal data protection safeguards for law enforcement cooperation between data protection authorities in the EEA;
– GPS tracking in employment relationships;
– Facial recognition and detection through the lens of personal data protection;
– The concept of harm related to the protection of personal data of data subjects, etc.
The European Case Management Workshop 2023 was attended by 82 representatives from 29 countries and 37 Data Protection Authorities.
On 15-17 November, representatives of the NCPDP attended the 45th plenary meeting of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) in Strasbourg, France.
The meeting discussed important topics including:
– Convention 108+, ratifications and current accessions;
– Contractual clauses in the context of cross-border data flows;
– Interpretation of Article 11 of the modernised Convention 108;
– Protection of personal data in the electoral process;
– Cooperation with other Council of Europe bodies and entities;
– Major developments and activities in the field of data protection, etc.
The NCPDP delegation reported on the status of ratification of the Protocol (CETS 223) amending Convention 108, indicating that the draft law on the ratification of the Protocol amending Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and related documents have been submitted to the Ministry of Justice for the necessary procedures to ensure its submission to the Government of the Republic of Moldova for approval, after which it will be submitted to Parliament for ratification. Regarding the legislative review in the field of personal data protection, at the moment, the Republic of Moldova is in the process of ensuring the transposition of Regulation (EU) 2016/679 and Directive (EU) 2016/680 into national legislation.
At the same time, the Moldovan delegation also mentioned developments and activities in the field of data protection at national level.
VI. Other data protection authorities
On 05 October, the Croatian Data Protection Authority decision was issued on the imposition of an administrative fine in the amount of €5,470,000 on the debt collection agency EOS Matrix for violation of Articles 5, 6, 9, 12, 13 and 32 of the GDPR.
The investigation was initiated following an anonymous petition alleging unauthorised processing of a large amount of personal data of individuals (debtors) by EOS Matrix (data controller). The petition was accompanied by a USB stick containing the personal data of 181,641 individuals who had outstanding debts to credit institutions, such as: name, surname, date of birth and personal identification number. In addition, the petition mentioned that 294 individuals included in the database were minors at the time of its compilation.
The investigation found that:
EOS Matrix Debt Collection Agency has not implemented sufficient technical measures in the processing system – the main database where personal data of approximately 370,000 data subjects are processed, contrary to the provisions stipulated in Article 32 of the GDPR.
The data controller also processed personal data of natural persons who are neither debtors nor legal representatives of heirs in debtor-creditor relationships, contrary to the provisions of Article 6(1) of the GDPR.
With regard to the processing of health data, it was established that the data controller actively recorded comments related to the debtor’s state of health contrary to the provisions stipulated in Article 9(2) of the GDPR. Examining the first three privacy policies (which were in force between May 2018 and October 2020), it was established that the data controller specified that it does not and will not process health data. Therefore, the processing of personal data was non-transparent, which is not in line with Articles 12(1) and 13(1) and (2) of the GDPR.
In addition, between May 2018 and January 2019, the data controller processed data relating to 49,850 data subjects by recording telephone conversations without having established the legal basis referred to in Article 6(1) of the GDPR, which also led to a breach of Article 5(2) of the GDPR.
On 12 October, the French Data Protection Authority (CNIL) issued a decision imposing an administrative fine of €600,000 on the controller GROUPE CANAL+ for violating the legal provisions stipulated in the GDPR.
The CNIL has received numerous complaints about difficulties encountered by individuals in having their rights taken into account by GROUPE CANAL+, which produces media channels and distributes pay-TV offers.
Based on the findings of the investigation, the CNIL considered that the controller did not comply with several obligations under the GDPR and the French Post and Electronic Communications Code (CPCE), such as:
- Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Articles L. 34-5 of the CPCE and 7 of the GDPR);
- Failure to comply with the obligation to provide information (Articles 13 and 14 GDPR) and failure to exercise the rights of data subjects (Articles 12 and 15 GDPR);
- Failure to provide a contractual framework for processing operations carried out by a processor (Article 28.3 GDPR);
- Failure to comply with the obligation to ensure the security of personal data (Article 32 GDPR);
- Failure to comply with the obligation to notify the CNIL of a data breach (Article 33 of the GDPR).
The amount of this fine was decided on the basis of the breaches identified, as well as taking into account the cooperation of the data controller and all the measures the data controller has taken to comply with the legal provisions.
On 11 December, the final decision of the Norwegian Supervisory Authority (Datatilsynet) of 6 February 2023 was announced regarding the imposition of an administrative fine of NOK 10 million (approximately 850 thousand euros) on SATS for violation of Art. 5 Principles relating to the processing of personal data, Art. 6 Lawfulness of processing, Art. 12 Transparency of information, communications and the means of exercising the data subject’s rights, Art. 13 Information to be provided where personal data are collected from the data subject, Art. 15 Right of access of the data subject, Art. 17 Right to erasure of data (“right to be forgotten”) of the GDPR.
Datatilsynet has received several complaints regarding the company SATS during the period 2018-2021. These related to alleged breaches of complainants’ rights under the General Data Protection Regulation as customers of the Fitness Network, as well as the company’s failure to comply with access and deletion requests.
SATS is the largest fitness chain in the Scandinavian countries, with gyms in Norway, Sweden, Denmark and Finland. The company is headquartered in Norway and therefore Datatilsynet handled the case in cooperation with several supervisory authorities using the One Stop Shop mechanism. As the lead supervisory authority, Datatilsynet was primarily responsible for investigating, analysing and taking a decision in this case.