Newsletter No. 20
I. Information and training activities carried out by the NCPDP
During the fourth quarter of 2024 (October-December), the National Center for Personal Data Protection (NCPDP) continued to make progress in the area of information and awareness-raising activities for the general public in the field of personal data protection.
During the reporting period, the organization of training courses for the subdivisions of the General Inspectorate of Border Police (GIBP) continued, in accordance with the training plan approved and signed by the heads of the NCPDP and GIBP on February 21, 2024. Training courses were organized for employees of the Border Police Sectors (BPS) in the context of the development and implementation by the GIBP of the “Concept on the functional and decision-making autonomy of the Border Police patrol in the activity of surveillance of the state border”. The aim was to raise the awareness of the BPS employees who supervise the border for the purpose of combating illegal migration, trafficking in human beings and cross-border crime regarding the principles of personal data protection, and to ensure the correct application of the legal provisions in the field to the activity they perform. Training courses were organized for the following subdivisions:
- October 02 – Border Police Sector Tudora-1 of the East Regional Directorate;
- October 09 – Border Police Sector Valea-Perjei of the South Regional Directorate.
In this context, around 240 representatives from the GIBP subdivisions were trained.
On July 08, 2024, the heads of the NCPDP and the National Office of Social Insurance (NOSI) approved and signed the Training Plan in the field of personal data protection for employees of the structural subdivisions of NOSI. The aim of the training courses was to increase the NOSI employees’ awareness of the principles of personal data protection, as well as to familiarize them with the personal data confidentiality and security regime in accordance with the provisions of the legislation in force. During the events, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; principles and legal grounds for the processing of personal data; issues related to the appointment of the Data Protection Officer (DPO); aspects related to the Data Protection Impact Assessment; ensuring the security and confidentiality of personal data by NOSI employees, etc.
In this context, on October 1st, two training courses were organized for the Territorial Office of Social Insurance, South region, at which 131 representatives were trained.
During this period, the NCPDP showed openness and a spirit of cooperation, organizing multiple training courses for representatives of public institutions, at their request. The training courses were aimed at familiarizing public officials with the aspects related to the field of personal data protection in the public service, the regulation of processing procedures, as well as with the confidentiality and security regime of personal data in accordance with the legislation in force. During the events, important topics were discussed, such as: definition of general concepts related to the field of personal data protection; principles and legal grounds for processing personal data; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO), as well as his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA), as well as the steps of conducting a DPIA, etc. Thus, training courses were organized for the following institutions:
- October 08 – Parliament Secretariat;
- October 10 – Association of Internal Auditors;
- October 15 – National Employment Agency;
- October 17 – National Anti-Corruption Center;
- October 18 – Customs Service;
- October 24 – State Financial Control Inspectorate;
- October 25 – Territorial General Directorate “North” of the National Anti-Corruption Center;
- October 28 – General Directorate for Education, Youth and Sport of the Chisinau Municipal Council;
- October 30 – General Directorate of Education, Youth and Sport, directors of early education institutions in the Chisinau municipality;
- November 05 – General Directorate of Medical and Social Assistance;
- November 06 – General Directorate of Education, Youth and Sport, directors of educational institutions in the Chisinau municipality;
- November 11 – State Tax Service;
- November 12 – General Territorial Directorate “South” of the National Anti-Corruption Center;
- November 13 – General Directorate for the Protection of Children’s Rights;
- November 22 – General Inspectorate for Migration;
- December 11 – Supreme Court of Justice.
In this context, about 1520 representatives of public institutions were trained.
The information and awareness-raising campaign for the school community was also continued under the title “Personal data protection and child safety in the online environment”. The aim of the campaign was to give personal data protection and child safety online high visibility within the school community at local and national level, by promoting empowerment and best practices for intervention and support. The topics covered in the trainings were: general notions on personal data; the correct use of photos/video online; online risks and threats; communication on social networks, etc. Thus, several trainings were organized:
- October 04 – PITL “Constantin Negruzzi”, Chisinau;
- November 12 – PITL “Mihai Eminescu”, Cahul;
- December 03 – PITL “George Coșbuc”, Balti;
- December 03 – PITL “Lucian Blaga”, Balti.
The events took place in the framework of the Personal Development class, the target audience being 4th grade students. In this context, 350 students were trained.
II. Control activity
In the period October – December 2024, the NCPDP initiated compliance checks of personal data processing operations in 63 cases. During the reporting period, 89 decisions were issued, of which 40 cases were found to be in violation of the legal provisions, and 35 infringement reports were concluded, which were subsequently submitted to the court for resolution.
III. Findings of the National Center for Personal Data Protection
1. The NCPDP examined the complaint of a data subject who alleged unauthorized and excessive processing of her personal data by an employee of a public authority, without any legal basis.
In the course of the investigation it was determined that the employee of the authority processed the petitioner’s personal data through the governmental portal www.date.gov.md. The report generated by the portal also included, as supplementary information, the personal data of the petitioner’s first-degree relatives (her mother, husband and son). This report was printed and attached to the materials of the infringement proceedings initiated against the data subject.
Thus, it was determined that the authority’s inspecting officer, in order to establish the identity and domicile of the person against whom the contravention case was initiated, accessed the personal data concerning the petitioner, and that only those personal data necessary for the preparation of the contravention report were consulted, in strict compliance with art. 443 para. (1) p. c) of the Contravention Code.
In this context, it should be noted that, even if the extract/personal file automatically generated by the government portal www.date.gov.md includes the personal data of the relatives of the person against whom the administrative offence proceedings were initiated, and even if it was not technically possible to separate those data in the system from the data subject’s own data required for the proper conduct of the proceedings, the authority’s investigating officer was required to depersonalize the relatives’ data before attaching the extract to the administrative offence file.
In this case, it is found that the employee of the authority processed personal data excessively: the processing operation, consisting in printing the extract generated from the portal www.date.gov.md and attaching it to the contravention file, covered categories of personal data relating to the petitioner’s mother, husband and child which had no bearing on the case under examination and did not need to be attached to the case materials. No legal basis, no specific, explicit and legitimate purpose, and no causal link between the purpose and the identifiers of the data subjects was established. The employee of the authority was therefore found to have violated the provisions of art. 4 para. (1) p. a), c) and art. 5 of Law no. 133/2011 on personal data protection, which constitutes the offense provided for in Article 74¹ paragraph (1) of the Contravention Code (failure to comply with the basic conditions for the processing, storage and use of personal data).
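The finding above turns on a common data-handling failure: a lookup returns more than the purpose requires (here, a relatives block), and the whole result is printed and filed. The following example, added here and not code from the NCPDP or from the portal www.date.gov.md, shows the mitigation the finding describes: a purpose-bound allowlist applied to the data subject’s own fields, and either removal or depersonalization of third-party entries before an extract may be attached. The record layout, field names, purpose allowlist and the sample extract are constructed assumptions.

```python
"""Purpose-bound minimisation of a generated identity extract.

Added example, not code from the NCPDP or from www.date.gov.md. It models
the situation in the finding above: a lookup returns a record for the data
subject together with a block of first-degree relatives, and only the
fields needed for the stated purpose may be kept in the case file.
The record layout, field names and purpose table are constructed assumptions.
"""
from __future__ import annotations

import copy
from typing import Any

# Fields a given purpose actually needs (assumed allowlist, not a legal table).
# Anything outside the allowlist is dropped before the extract is printed or
# attached to a file.
PURPOSE_FIELDS: dict[str, set[str]] = {
    # Establishing identity and domicile of the person proceeded against.
    "contravention_report": {"idnp", "first_name", "last_name", "date_of_birth", "domicile"},
}

# Constructed sample extract in the shape this example assumes.
SAMPLE_EXTRACT: dict[str, Any] = {
    "subject": {
        "idnp": "0000000000000",  # placeholder identifier, not a real IDNP
        "first_name": "Ana",
        "last_name": "Exemplu",
        "date_of_birth": "1985-04-12",
        "domicile": "str. Exemplu 1, Chisinau",
        "phone": "+373 000 00 000",
        "marital_status": "married",
    },
    "relatives": [
        {"relation": "mother", "first_name": "Maria", "last_name": "Exemplu", "idnp": "1111111111111"},
        {"relation": "husband", "first_name": "Ion", "last_name": "Exemplu", "idnp": "2222222222222"},
        {"relation": "son", "first_name": "Mihai", "last_name": "Exemplu", "idnp": "3333333333333"},
    ],
}

REDACTED = "[REDACTED]"


def minimise_extract(extract: dict[str, Any], purpose: str, separable: bool = True) -> dict[str, Any]:
    """Return a copy of `extract` reduced to what `purpose` requires.

    - Subject fields outside the purpose allowlist are removed.
    - Relatives are removed entirely when the system can separate them;
      when it cannot (`separable=False`), every identifying value is
      replaced by a marker so that only the relation label survives.
    The input is never modified, so the original lookup stays auditable.
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no allowlist defined for purpose {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    result = copy.deepcopy(extract)
    result["subject"] = {k: v for k, v in result["subject"].items() if k in allowed}
    if separable:
        result["relatives"] = []
    else:
        result["relatives"] = [
            {k: (v if k == "relation" else REDACTED) for k, v in rel.items()}
            for rel in result.get("relatives", [])
        ]
    return result


def third_party_identifiers(extract: dict[str, Any]) -> list[tuple[str, str, str]]:
    """List identifying values of persons other than the data subject that
    remain in `extract`. An extract fit for attachment returns an empty list,
    which makes this a simple pre-filing check."""
    leaked = []
    for rel in extract.get("relatives", []):
        for k, v in rel.items():
            if k != "relation" and v != REDACTED:
                leaked.append((rel.get("relation", "?"), k, v))
    return leaked


if __name__ == "__main__":
    print("raw extract leaks:", third_party_identifiers(SAMPLE_EXTRACT))
    clean = minimise_extract(SAMPLE_EXTRACT, "contravention_report", separable=False)
    print("minimised:", clean)
    print("minimised extract leaks:", third_party_identifiers(clean))
```

The check in `third_party_identifiers` is the useful part: run before printing or filing, it refuses an extract that still carries anyone else’s identifiers, whether the relatives block was separable or only depersonalized.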
2. The NCPDP examined the complaint of a data subject, who alleged that the director of the kindergarten in which she was working had improperly processed her personal data – name, surname, health data – by disseminating/publishing a Decision of the Equality Council on the social network “Facebook”, without ensuring the confidentiality of these data.
In the course of the investigation, the director of the kindergarten acknowledged the fact of publication/dissemination of the Decision of the Equality Council, without depersonalization of personal data, on the user profile created and managed by her on the social network Facebook, for the purposes of transparency and to prevent discrimination against her personality, on the grounds that, when she was hired by the Pre-School Education Institution, the petitioner signed the agreement on the processing of personal data of employees.
According to Article 3 of the Law on personal data protection, any operation performed on personal data by automated or non-automated means, such as the collection, use, disclosure/dissemination, erasure of personal data, corresponding to the case under examination – name, surname, data concerning health status leading to the direct or indirect identification of the data subject, constitutes a form of processing of personal data. In terms of compliance with the basic conditions for processing personal data, the legislator has laid down in Article 4 para. (1) p. a) that personal data subject to processing must be processed fairly and in accordance with the provisions of the law. According to Art. 5 para. (1) of the aforementioned Law, the processing of personal data shall be carried out with the consent of the personal data subject.
Thus, it was determined that, although the director of the kindergarten has a legal basis for processing the personal data of employees within the employment relationship, the processing of the petitioner’s personal data by disseminating/publishing on the social network “Facebook” the Decision of the Equality Council, which contains information such as name, surname and health data, cannot take place and cannot be justified by the agreement on the processing of her personal data signed at the time of her employment: by that agreement, the data subject consented to the processing of her personal data by the employer only for the purpose of keeping records of employees and fulfilling the legal obligations arising from the employment relationship.
For these reasons, the NCPDP found that the controller processed the personal data of the complainant – name, surname, health data – without a legal basis and without ensuring the confidentiality of the processed data, actions that contravene the provisions of art. 4 para. (1) p. a) and art. 5 para. (1) of the Law on personal data protection.
Subsequently, given that the NCPDP did not identify a legal basis for the dissemination of the personal data, pursuant to the provisions of Article 20 para. (2) of the above-mentioned Law, it was ordered that the photo of the Equality Council Decision containing the personal data of the data subject, published on the social network “Facebook”, be deleted, or that the personal data be depersonalized so that the details of personal or material circumstances no longer allow their attribution to an identified or identifiable natural person, or allow attribution only through an investigation requiring a disproportionate expenditure of time, means and manpower.
IV. Supervisory activity
During the reporting period, the NCPDP issued some clarifications and recommendations for both data subjects and personal data controllers:
Warning! Personal data fraud
NCPDP repeatedly recommends maximum vigilance when transmitting personal data
In the context of the complaints recently reported, including to the National Center for Personal Data Protection (NCPDP), regarding the collection by representatives of a political party of the personal data recorded in identity cards, for the purpose of registration on the “PSB” platform in order to receive financial resources from banking institutions in the Russian Federation, which in essence turned out to be the opening of loans in the name of the data subjects, to be repaid by them, the NCPDP once again warns data subjects and makes the following clarifications and recommendations:
The NCPDP has repeatedly urged data subjects to exercise the utmost caution when disclosing/transmitting personal data concerning them, because identity documents (such as identity cards and passports) contain a multitude of personal data which require effective protection by their holder.
We reiterate that, if you are asked to present your identity documents and/or to provide copies of these documents under various pretexts, you must be confident of the lawfulness of the collection of the personal data and of their subsequent use. Otherwise, the provision/transmission by the data subject of the personal data on these documents for purposes other than those expressly provided for by law may result in their unlawful use for purposes contrary to those originally intended, to the detriment of the data subject. Likewise, the data subject could lose control over his or her personal data.
The cases referred to the NCPDP clearly demonstrate that the submission by data subjects of copies of their identity cards in order to allegedly receive certain sums of money has led to the opening of loans in their name at banking institutions in the Russian Federation, which are now claiming repayment of the accumulated loan debts (for example, “Promsvyazbank” (PSB Bank) of the Russian Federation).
The NCPDP points out that, where personal data are provided/transmitted voluntarily, the collection of such personal data is based on the consent of the personal data subject (Art. 5 para. (1) of Law 133/2011), even if the subsequent use of such data proves to be for other purposes or to the detriment of the data subject concerned.
The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of each citizen to ensure the protection of their personal data; therefore, the security and confidentiality of such data must be a priority.
To the attention of personal data controllers!
The NCPDP, informs that, in accordance with the provisions of item 2.1 of the Government Decision no. 678/2024 on amending and repealing some Government Decisions (facilitating the activity of the business environment VI), which entered into force on November 15, 2024, the Government Decision no. 1123/2010 on the approval of the Requirements for ensuring the security of personal data when processing personal data within the framework of personal data information systems (Requirements) was repealed.
We emphasize that the repeal of the mentioned Requirements does not exclude the obligation of controllers, as well as their processors (if applicable), provided for in Articles 29 and 30 of Law no. 133/2011, to implement the organizational and technical measures necessary to protect personal data against destruction, alteration, blocking, copying, dissemination and other unlawful actions, measures designed to ensure a level of security adequate to the risks presented by the processing and the nature of the data processed, including ensuring their confidentiality.
In this context, we recommend that you consult the Guidelines on security measures for the protection and processing of personal data in information systems, which are published on the official website of the National Authority for Personal Data Protection in the chapter Recommendations of the NCPDP (https://datepersonale.md/data-controllers/ncpdp-guidelines/).
At the same time, we inform you that the obligation of personal data controllers to submit to the NCPDP annually, by January 31, generalized reports on security incidents in the personal data information systems they manage has implicitly been removed as well.
For any further information, please contact the Prevention, Surveillance and Evidence Department of the General Surveillance and Conformity Department of the NCPDP, at the contact telephone number 022-811-801/811-802.
At the same time, in order to provide methodological and consultative support to personal data controllers and/or processors, more than 35 telephone consultations and 6 replies by e-mail were provided, with recommendations being proposed to eliminate discrepancies identified by personal data controllers.
V. International and European news
- The 97th plenary meeting of the European Data Protection Board (EDPB) took place on 7-8 October 2024, in person. The representative of the NCPDP participated, as usual, as an observer.
At the meeting, the EDPB adopted a number of important documents, including:
- Opinion on certain obligations following from the reliance on processors and sub-processors;
- Guidelines on processing of personal data on the basis of legitimate interest;
- Statement on the issuance of additional procedural rules for the enforcement of the GDPR.
The EDPB also adopted its work program for 2024-2025. This is the first of two work programs that will implement the EDPB’s strategy for 2024-2027 adopted in April 2024. The document is based on the priorities set out in the EDPB strategy and also takes into account the needs identified as most important for stakeholders.
- On October 15-17, 2024, the delegation of the Republic of Moldova was in Brussels to present the progress of preparations for the adoption and implementation of the EU acquis communautaire in the framework of the bilateral screening on Chapter 23 “Justice and Fundamental Rights”, coordinated by the Ministry of Justice. Over three days, around 25 professionals from various key legal institutions gave 26 presentations.
Specialists from the Ministry of Justice, the Anti-Corruption Prosecutor’s Office, the National Anti-Corruption Center, the National Penitentiary Administration, the Central Electoral Commission, the Ministry of Labor and Social Protection, the Audiovisual Council, the Agency for Geodesy, Cartography and Cadastre, and the Agency for Interethnic Relations explained to the European Commission the level of transposition of the acquis communautaire and answered clarifying questions. At the same time, the representatives of the institutions reported on the actions planned for further harmonization of national legislation with EU legislation.
- On 30-31 October 2024, representatives of the NCPDP participated in a study visit to the Latvian State Data Inspectorate (Inspectorate), an event organized within the project “Strengthening personal data protection in the Republic of Moldova. Phase I”.
The purpose of the study visit was for the NCPDP representatives to adopt the best legal and operational practices regarding the certification of Data Protection Officers (DPO) and the Data Protection Impact Assessment (DPIA), as well as to strengthen data protection mechanisms by aligning them with European standards and practices.
During the two days, important topics were discussed, such as:
- Data Protection Officer certification: the purpose of DPO certification, who issues DPO certifications, who can apply for a DPO certification, what the feedback from different stakeholders on these DPO certifications is, etc.;
- Presentation of the DPO certification scheme: conception, development and introduction of DPO certification: experiences, failures, successes and lessons learned;
- Privacy Impact Assessment in Latvia: how a DPIA is performed, who is obliged to perform a DPIA, the necessity of performing a DPIA, training of other persons, such as employees of public authorities, on issues related to the privacy of personal data, etc.
- On November 4-6, 2024, the 47th plenary meeting of the Consultative Committee of Convention 108 took place in Strasbourg, France.
The main topics focused on the current status of signatures and ratifications of the Protocol amending Convention 108 (CETS No. 223, referred to as Convention 108+): at the moment, 46 states have signed it, of which 31 have ratified it.
The Committee strongly encouraged all States Parties to sign and ratify Convention 108+ as soon as possible. A minimum of 38 ratifications is required for Convention 108+ to enter into force. Convention 108+ remains the only legally binding international instrument that protects personal data and the right to privacy, aiming to ensure adequate protection for all individuals in an ever-expanding digital age. The Committee organized a presentation on the current status of the signature and ratification process in the States Parties and took note of the information provided by the Committee members.
The Committee discussed the status of implementation of the 2022 – 2025 work program and decided to start working on privacy and data protection considerations in machine learning and large language models (LLMs) as the next topic.
The Committee organized elections for the Bureau. The composition of the new Bureau is as follows:
- President: Beatriz de Anchorena (Argentina)
- First Vice-President: Caroline Gloor Scheidegger (Switzerland)
- Second Vice-President: Anamarija Mladinic (Croatia)
Bureau members:
- Alessandra Pierucci (Italy)
- Virpi Koivu (Finland)
- Gonzalo Sosa Barreto (Uruguay)
- Ousmane Thiongane (Senegal)
- On November 29, 2024, the seminar “Artificial intelligence and data protection: complementarity and integrated approach” took place at the Council of Europe headquarters in Strasbourg. The event brought together international experts and representatives of Member States to analyze the interaction between data protection and the development of artificial intelligence (AI).
The seminar emphasized the complementarity between AI regulation and data protection, the need for human control in the use of these technologies and the importance of an integrated approach to regulation. It also discussed the risks posed by AI to fundamental rights and methods for assessing the impact of these technologies.
It was concluded that international collaboration and flexibility of regulations are essential to ensure a robust legal framework that supports technological innovation while respecting fundamental rights and democratic principles.
The seminar was organized with the support of the Committee for Artificial Intelligence (CAI) and the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD), in collaboration with the University of Strasbourg.
- The 99th plenary meeting of the European Data Protection Board took place in Brussels on December 2-3, 2024, an essential event for strengthening data protection regulations in Europe. The Republic of Moldova had the honor of participating as an observer, contributing to the discussions and decisions that will shape the future of this field.
On the agenda of the meeting were topics such as the approval of national certification criteria, the launch of the European Data Protection Seal and the publication of Guidelines on data transfers to third countries. These initiatives not only strengthen the European legislative framework but also promote transparency and trust in the way personal data is handled.
The meeting also addressed the challenges of emerging technologies such as artificial intelligence and the importance of protecting minors in the digital environment, through the nomination of an EDPB representative to Working Party 6.
The decisions taken at this meeting represent significant steps towards a safer digital future, adapted to new technological challenges and ensuring that citizens’ fundamental rights are respected.
- The European Case Handling Workshop (ECHW 2024) took place on 5-6 December 2024 in Tallinn, Estonia, and was organized by the Estonian Data Protection Inspectorate. The main goal of the workshop was to share national experiences and good practices, as well as the results of specific cases or investigations concerning violations of the right to the protection of personal data and privacy.
The workshop represented a participatory dialogue between personal data protection authorities on the challenges they face and the solutions they apply in their daily practice.
The topics proposed to the participants for the exchange of experiences included the most important challenges in the field of personal data protection, such as video surveillance, the relationship between data controllers and processors, new IT security technologies in the processing of personal data, social networks, etc.
VI. Other data protection authorities
- The French Data Protection Authority (CNIL) has imposed administrative fines on COSMOSPACE (€250,000) and on TELEMAQUE (€150,000) for violation of Article 5 (Principles relating to processing of personal data) and Article 9 (Processing of special categories of personal data) of the GDPR.
COSMOSPACE and TELEMAQUE provide remote clairvoyance services, one by telephone and the other by online chat and text messages. Inspections carried out by the CNIL in 2021 revealed several breaches, including the collection of sensitive data without prior explicit consent (in particular health data and data relating to sexual orientation), the retention of data for an excessive period, the sending of commercial prospection communications to people who had not given their consent and, in the case of COSMOSPACE, systematic recording of telephone calls.
In this context, CNIL imposed a fine of €250,000 on COSMOSPACE and a fine of €150,000 on TELEMAQUE. These fines were adopted in cooperation with about fifteen European counterparts of the CNIL in both cases. The amounts of these fines were decided on the basis of the seriousness of the breaches, the number of people concerned – the database shared by the two companies containing the data of more than 1.5 million people – and the sensitivity of the data processed. The financial situations of the companies and their structures were also taken into account, in order to set dissuasive but proportionate fines.
- The Finnish Data Protection Authority (SA) imposed an administrative fine of €2.4 million on Posti for violation of Article 6 (Lawfulness of processing), Article 13 (Information to be provided where personal data are collected from the data subject), Article 5 (Principles relating to processing of personal data) and Article 25 (Data protection by design and by default) of the GDPR.
The Finnish Supervisory Authority (SA) investigated Posti’s processing of personal data in connection with the creation of an electronic mailbox. The Finnish SA had received complaints about the forwarding of letters to Posti’s online service without the customer’s consent. The controller had automatically created an electronic mailbox for customers without a separate request. The electronic mailbox had been linked to a wider set of services. The investigation showed that the customer could not choose whether to use it or not, as the different services were linked together in a single contract.
Following the investigation, the Finnish SA found out that the service requested by the customer could have been provided without the automatic creation of an electronic mailbox. Also, the controller did not inform its customers clearly about the activation of the electronic mailbox. There were also technical settings in the service that did not meet data protection requirements. These included an automatically activated selector function and a pre-ticked checkbox.
In this context, the Finnish SA imposed an administrative fine of €2.4 million on the controller for unlawful processing of personal data. At the same time, the controller was reprimanded for the shortcomings in informing its customers and was ordered to correct its unlawful practices and to take into account that electronic services must be built from the outset so that only necessary personal data is processed.
- Ireland’s Data Protection Authority (DPA) has fined Meta Platforms Ireland Limited (Meta) €251 million following two investigations into a security breach that affected the personal data of 29 million users globally.
The incident, reported by Meta in September 2018, involved unauthorized access to a number of categories of personal data, such as: a user’s full name; email address; phone number; location; workplace; date of birth; religion; gender; timeline posts; groups a user belonged to; and children’s personal data. About three million of the affected users were from the European Union and the European Economic Area. The breach was caused by the exploitation of user tokens on the Facebook platform by unauthorized third parties. Although the breach was remedied by Meta and its US parent company shortly after its discovery, the Irish DPA found that the tech giant had violated the General Data Protection Regulation (GDPR) by:
- failing to document the facts of the breach and the measures taken to remedy it – Articles 33(3) and 33(5);
- failing to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed – Articles 25(1) and 25(2).
In this context, the Irish DPA imposed a fine of 251 million euro on Meta. The amount underlines the European Union’s focus on holding large technology companies accountable, with the Irish Authority being the main regulator responsible for holding them to account. The company has announced it will appeal the decision.