Newsletter No. 21
I. Awareness-raising, communication and training activities carried out by the NCPDP
In the first quarter of 2025 (January-March), the National Center for Personal Data Protection (NCPDP) continued to make progress in the area of information and awareness-raising activities for the general public in the field of personal data protection.
During the reporting period, the organization of training courses for the subdivisions of the General Police Inspectorate (GPI) continued, according to the training plan approved and signed by the heads of the NCPDP and GPI on 28 January 2025.
Thus, training courses were organized for the following subdivisions:
- February 04 – Anenii Noi Police Inspectorate;
- March 11 – Basarabeasca Police Inspectorate.
In this context, about 84 representatives of the GPI subdivisions were trained. At the same time, the organization of training courses for the subdivisions of the General Inspectorate of Border Police (GIBP) continued, in accordance with the training plan approved and signed by the heads of the NCPDP and GIBP on January 28, 2025. Thus, on March 12, a training course was organized for the General Inspectorate of Border Police, with 45 representatives being trained.
On January 27, 2025, the heads of the NCPDP and the General Inspectorate for Migration (IGM) approved and signed a training plan in the field of personal data protection for employees within the structural, specialized and territorial subdivisions of IGM.
Thus, training courses were organized for the following subdivisions:
- February 26 – Southern Regional Directorate of IGM;
- March 26 – Central Regional Directorate of IGM;
- March 28 – Structural and Specialized Subdivisions of IGM.
In this context, 61 representatives from IGM subdivisions were trained.
During the reference period, NCPDP demonstrated openness and a spirit of collaboration, organizing multiple training courses for representatives of public/private institutions, at their request.
Thus, training courses were organized for the following institutions:
- January 13 – State Enterprise “Moldelectrica”;
- February 14 – maib;
- March 13 – Higher School of Tourism and Hotel Services within ASEM;
- March 18 – National Agency for the Prevention and Combating Violence against Women and Domestic Violence;
- March 25 – National Agency for Solving Complaints;
- March 26 – Chisinau Probation Office.
In this context, 251 representatives of the above-mentioned institutions were trained.
The aim of the training courses was to increase the NOSI employees’ awareness of the principles of personal data protection, as well as to familiarize them with the personal data confidentiality and security regime in accordance with the provisions of the legislation in force. During the events, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; principles and legal grounds for the processing of personal data; issues related to the appointment of the Data Protection Officer (DPO); aspects related to the Data Protection Impact Assessment; as well as the steps of carrying out a DPIA, etc.
In this regard, the information and awareness-raising campaign for the school community was continued under the title “Personal data protection and child safety in the online environment”. The aim of the campaign was to give the school community high visibility of personal data protection and child safety online at local and national level by promoting empowerment and best practices for intervention and support. The topics covered in the trainings were: general notions on personal data; the correct use of photos/video online; risks and threats online; safety on online communication and gaming platforms, etc. Thus, several trainings were organized:
- January 27 – IPLT “Ștefan cel Mare”, Chișinău;
- March 27 – Fundul Galbenei Gymnasium, Hâncești;
- March 27 – “Anton Bunduchi” Gymnasium, Hâncești.
The events took place in the framework of the Personal Development class, the target audience being 4th grade students. In this context, 92 students were trained.
Furthermore, during the reference period, the NCPDP hosted two Study Visits:
- February 25 – Study Visit for members of the European Law Students Association of the Republic of Moldova (ELSA);
- March 26 – Study Visit of students of the Faculty of Law of the State University of Moldova.
The actions carried out during the events focused on raising the awareness of the young generation/university community regarding the field of personal data protection, strengthening knowledge in the field, and exploring the applicable legal framework, the rights and obligations of the parties involved and the importance of compliance in various areas. At the same time, the students were informed about the organization and functioning of the NCPDP, the attributions of the NCPDP subdivisions, the structure, the mission, as well as the role of the authority in monitoring compliance with the legislation on personal data protection. The events concluded with a question and answer session illustrated with practical examples, and the NCPDP aims to continue supporting such efforts to educate and raise awareness among young people about the importance of the field of personal data protection.
II. Control activity
In the period January – March 2025, the NCPDP initiated compliance checks of personal data processing operations in 85 cases. During the reporting period, 64 decisions were issued, of which 23 found a violation of the legal provisions, and 40 infringement reports were concluded and subsequently submitted to the court for resolution.
III. Findings of the National Center for Personal Data Protection
1. The NCPDP has initiated proceedings, pursuant to art. 20 para. (1) let. a), i) and art. 27 para. (4) of Law no. 133 of 08.07.2011 on personal data protection, in the part relating to the alleged vulnerabilities of the website of a medical analysis laboratory, related to the breach of the security of special categories of personal data.
During the examination of the accumulated material, it was established that third parties, by accessing the “Company Organizational Chart” option and modifying the last 3 digits of the link, could view or even download files containing personal data of the data subjects, namely: name, surname, date, month, year of birth, home address (in some cases) and medical information regarding their health status.
Thus, based on the materials accumulated during the control initiated based on the self-report note, it was confirmed that the medical analysis laboratory did not implement the organizational and technical measures necessary to protect personal data against destruction, modification, blocking, copying, dissemination, as well as against other illicit actions, measures intended to ensure an adequate level of security with regard to the risks presented by the processing and the nature of the processed data.
In this context, it was found that the medical analysis laboratory processed the personal data of data subjects/patients in violation of the requirements set forth in art. 4 para. (1) let. a), art. 29 para. (1) and art. 30 para. (1) of the Law on Personal Data Protection no. 133 of 08.07.2011.
2. The NCPDP examined a notification from the Central Electoral Commission (CEC), regarding the collection of signatures by a person in support of a candidate for President of the Republic of Moldova.
During the investigation, it was determined that the initiative group, consisting of 100 people, for collecting signatures in support of a candidate nominated by a Political Party, was registered with the CEC, however, the person concerned was not found in the list of members of the initiative group who had the right to collect signatures of the respective candidate’s supporters. The following personal data were collected in the subscription lists: last name, first name, year of birth, signature, series and number of the identity card.
Based on the circumstances described, the NCPDP found that the collection of names, surnames, year of birth, domicile, series, identity card number and signature, as a form of personal data processing, must be carried out within an appropriate legal framework, in compliance with the legal regulations on data protection and with obtaining all necessary authorizations, otherwise, it is likely to infringe the fundamental rights of the data subjects concerned.
Thus, by collecting signatures without being part of a legally constituted initiative group and without obtaining prior authorization from the CEC, the person concerned violated the provisions of art. 4 para. (1) letter a) of Law no. 133/2011 on personal data protection, which regulates the fundamental principles of data processing.
IV. Prevention activity
During the reference period, in carrying out its advisory tasks and in addition to the multiple written answers provided, the NCPDP provided 379 consultations by telephone, via e-mail or at the authority’s headquarters.
V. International and European news
- Between February 4-5, 2025, the TAIEX workshop on the transposition of the EU Digital Markets Act took place in Brussels, Belgium, organized by the European Commission’s Directorate-General for Communications Networks, Content and Technology and Directorate-General for Competition; a representative of the NCPDP participated.
The workshop aimed to familiarize participants with the legal framework of the Digital Markets Act (DMA), a key piece of the European Union’s digital strategy. It regulates large digital platforms, known as “gatekeepers”, setting clear obligations and restrictions to promote a fairer and more responsible digital sector.
The workshop was addressed to the beneficiary countries of the Western Balkans and the Eastern Partnership, including Albania, Bosnia and Herzegovina, Georgia, Kosovo, Moldova, Montenegro, North Macedonia, Serbia, Turkey and Ukraine.
The main objectives of the DMA are to safeguard competition, protect consumers and ensure fair access to digital markets.
For the candidate and neighbouring countries of the EU, it was underlined that alignment with the DMA is essential for integration into the European Union, and the necessary steps for this are still subject to debate and elaboration.
- On February 12, the 102nd plenary meeting of the European Data Protection Board (EDPB) took place, organized with a physical presence in Brussels, and the Republic of Moldova participated as an observer.
The EDPB adopted a statement on age assurance and decided to set up a working group on the application of AI. In addition, the Committee also adopted recommendations on the 2027 World Anti-Doping Code of the World Anti-Doping Agency (WADA). When processing personal data for anti-doping purposes, it is essential to respect and protect the personal data of athletes.
The EDPB’s main objective is to assess the compatibility of the WADA Anti-Doping Code and the International Standard for Data Protection (ISDP) with the GDPR. The Anti-Doping Code and Standards should subject National Anti-Doping Organizations (NADOs) to a standard equivalent to that of the GDPR when processing personal data for anti-doping purposes.
During the plenary session, the Board also decided to extend the scope of the ChatGPT task force to AI enforcement. In addition, the EDPB members underlined the need to coordinate DPAs’ actions regarding urgent sensitive matters and for that purpose will set up a quick response team.
- Between February 20-21, 2025, the Regional Workshop on the Implementation of the Second Protocol to the Convention on Cybercrime took place in Brussels, Belgium, organized by CyberEast+ (Reunion), the joint project of the European Union and the Council of Europe.
The event was dedicated in particular to representatives of the Ministries of Foreign Affairs, Ministries of Justice, Prosecutors General’s Offices, National Police, Ministries of Interior and specialized investigative services/agencies within the Eastern Partnership (Armenia, Azerbaijan, Georgia, Moldova and Ukraine) in the context of discussing instruments for enhanced cooperation and disclosure of electronic evidence within the framework of the Second Additional Protocol to the Convention on Cybercrime (Budapest).
The Second Protocol was presented, and implementation strategies were discussed for Articles 6 and 7 (direct cooperation with service providers) and data exchange, Articles 8, 9 and 10 (cooperation between States, access to electronic evidence), Articles 11 and 12 (judicial procedures for access to digital evidence), and Articles 13 and 14 (international cooperation and data protection).
- Between March 3 and 7, 2025, the Academy “Design and Delivery of Services in the Digital Age” was organized in Paris, France, in close collaboration and synergy between OECD SIGMA and the GIZ EAP Regional Fund for Public Administration Reform.
The Academy’s reasoning was that, in the design and delivery of services, public administrations should not rely only on their own experience and knowledge, as is currently the case in the Eastern Partnership countries. Users of public services should instead be involved in expressing their needs and expectations. Where traditional relations with citizen-users were and are bureaucratic and hierarchical, the new relations are to be more pluralistic and user-centred. This requires public administrations to engage citizens and businesses, with the aim of gaining insight into their perceptions, expectations and commitment through active participation.
The following aspects were discussed within the Academy: the objectives of the Academy and the importance of digitizing public services; the principles of modern public administration and digital governance (OECD representatives also presented recommendations for user-centered design in service delivery); the “Services Publics +” Program implemented by the Interministerial Directorate of Public Transformation; the “Design Thinking” methodology and its impact on innovation in public services; the concept of change management and its importance; and aspects related to defining problems and mapping stakeholders.
VI. Other data protection authorities
- The French Data Protection Authority (CNIL) imposed an administrative fine of 240,000 euros on KASPR for violation of Article 5 – Principles relating to processing of personal data, Article 6 – Lawfulness of processing, Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject, Article 14 – Information to be provided where personal data have not been obtained from the data subject, and Article 15 – Right of access by the data subject.
KASPR markets an extension for the Chrome browser that enables paying customers to obtain the professional contact details of people whose profiles they visit on the LinkedIn social network. To do this, the company builds a database of contact details from LinkedIn and other websites such as domain name registries. The contact details thus collected generally enable the company’s customers to contact the target persons, for example for commercial prospecting, recruitment or identity verification. KASPR’s database contains about 160 million contacts.
The French Supervisory Authority, CNIL received many complaints from people who had been canvassed by entities that obtained their contact details via the KASPR extension.
The CNIL found several breaches of the GDPR:
- Failure to comply with the obligation to have a legal basis (Article 6 of the GDPR);
- Failure to comply with the obligation to define and respect a data retention period proportionate to the purpose of the processing (Article 5-1-e of the GDPR);
- Failure to comply with the obligation to provide transparency and information to individuals (Articles 12 and 14 of the GDPR).
In this context, CNIL imposed a fine of 240,000 euros on KASPR for all these breaches, and ordered the company to:
- cease collecting the data of persons who chose to limit the visibility of their contact details, and delete the data collected in this way; if it is impossible to distinguish the data whose visibility had been limited, the company will have to inform the persons concerned, within 3 months, of the processing of their data and of the possibility of objecting to it, and use their data solely for this purpose;
- stop the automatic renewal of the storage of personal data of target persons;
- inform the people whose data is collected in a language they understand;
- respond to requests for access from individuals, providing all available information on the sources of data collection.
- The Hamburg Supervisory Authority (SA) has imposed an administrative fine of 900,000 euros on a company in the field of credit collection services for violating Article 5 (Principles relating to the processing of personal data) and Article 6 (Lawfulness of processing) of the GDPR.
The Hamburg Supervisory Authority (SA) had audited companies with a strong market presence in the field of credit collection services as part of a targeted audit. Hamburg is a leading location in Europe in this sector. The data processed about defaulting debtors tends to be particularly sensitive and is regularly shared with other parties such as credit reference agencies and address investigation services. Therefore, the data subjects must be able to trust that their data will be handled responsibly. Regardless of individual complaints, the way in which debtors’ data is stored and processed by the respective service providers was examined. For this purpose, the companies were sent detailed questionnaires, the answers to which provided comprehensive insights into data storage. In addition, the companies were asked to provide meaningful documents such as the directory of processing activities, lists of security measures, and sample letters used.
For the most part, the Hamburg SA was able to determine a high degree of professionalism and sensitivity. During the dialogues, improvements in data storage and transparency towards data subjects were achieved.
However, in the case of one company, the team from the Hamburg SA found during the on-site inspection that data records had continued to be stored without a legal basis, even though the deletion deadlines had long since expired, thus violating Article 5(1)(a) and Article 6(1) of the GDPR.
Even though the originally processed data records were not passed on to third parties during this period, some of them had still not been deleted from the company’s database five years after the legal retention period had expired.
In this context, the Hamburg-based SA imposed an administrative fine of 900,000 euros. The decision is legally binding. The company admitted the violation and accepted the fine. It cooperated professionally with the supervisory authority in the follow-up, which is why the fine is comparatively low.
- The Polish Data Protection Authority (SA) has imposed an administrative fine of EUR 330,000 on a medical company for violating Article 5 (Principles relating to the processing of personal data), Article 24 (Controller’s liability) and Article 32 (Security of processing) of the GDPR.
The IT infrastructure of the Company American Heart of Poland S.A. was attacked by hackers, who thus gained access to the detailed personal data of approximately 21 000 individuals. The incident covered a wide range of data, i.e.: surname, first name, parents’ first names, mother’s family name, date of birth, data on earnings or assets held, health data, bank account number, residence or stay address, personal identification number (PESEL number), username or password, ID card series and number, telephone number and email address.
The Polish Data Protection Authority, in the course of its activities, established that:
- the company had not implemented all the necessary measures to protect the data it was processing, and was unable to determine the cause of the leakage;
- the company did not comply with its own data security recommendations, i.e. it stored customers’ COVID test result information on network drives, whereas medical data should be stored on a dedicated system for processing health data;
- the cloud platform used by the company was too poorly secured. Three servers running at the company’s headquarters did not have up-to-date technical support from the manufacturer (support ended in January 2020). The software on the company’s servers had not been updated through an oversight by IT staff, so a vulnerability was created in the IT system that could have contributed to hackers taking over the devices;
- the company inadequately protected itself against ‘phishing’ attacks, in which the person attacking the system impersonates another entity (person). According to the findings of the President of the Personal Data Protection Office, in all likelihood this is how hackers got into the IT system.
- The Finnish Data Protection Authority (SA) imposed an administrative fine of 950,000 euros on Sambla Group for violation of Article 5 – Principles relating to processing of personal data, Article 25 – Data protection by design and by default, and Article 32 – Security of processing of the GDPR.
The Finnish SA launched an investigation based on a complaint filed by a customer. A technical investigation revealed serious data security issues with the controller’s loan comparison services. When the seriousness of the data security problems became apparent in spring of 2024, the company was ordered to immediately cease processing personal data relating to loan applicants in its e-services.
Sambla Group’s loan comparison services did not impose adequate restrictions to prevent third parties from accessing loan application data, thus violating the provisions of Art. 32, Art. 25 and Art. 5(1)(f) of the GDPR. Due to poor data security measures, the content of customers’ loan applications was accessible to third parties through personal customer URLs. Anyone with access to the URL and sufficient technical knowledge to exploit the security vulnerability had direct access to the data. The technical investigation revealed that the URLs had been targeted with phishing and personal data had been disclosed to third parties. The information available through the links included at least the loan applicant’s contact details, as well as information on their income, housing costs, marital status and possible children.
In this context, the Finnish SA imposed an administrative fine of €950 000 on the controller and ordered it to notify its customers of the incident. The controller has announced that it has stopped using the vulnerable URLs and has improved the data security measures of its services.
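Both the laboratory finding in section III (files reachable by changing the last digits of a link) and the Sambla Group case above are the same failure: a download handler that trusts the identifier in the URL and never checks who is asking. The following is an added illustration, not code from the newsletter, the laboratory or Sambla Group; the in-memory store, the users, the log path /orgchart/files/<id> and the log lines are all constructed for the example. It shows the vulnerable handler beside a hardened one (ownership check plus unguessable token) and a simple log check for clients that walk through many ids.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass
class Report:
    report_id: int   # sequential database id: easy to guess by changing digits
    owner: str       # login of the patient the report belongs to
    token: str       # unguessable download token
    body: str        # constructed sample content


class ReportStore:
    """In-memory stand-in for a document store (constructed for this example)."""

    def __init__(self):
        self._by_id = {}
        self._by_token = {}

    def add(self, owner, body):
        rid = len(self._by_id) + 1
        rep = Report(rid, owner, secrets.token_urlsafe(32), body)
        self._by_id[rid] = rep
        self._by_token[rep.token] = rep
        return rep

    def vulnerable_download(self, report_id):
        """The pattern in the finding: the handler trusts the id in the URL and
        never asks who is requesting, so any id that exists is served."""
        rep = self._by_id.get(report_id)
        return rep.body if rep else None

    def hardened_download(self, requester, token):
        """Fix: look up by an unguessable token AND check the requester owns the
        record; 'not found' and 'not yours' give the same answer (None)."""
        rep = self._by_token.get(token)
        if rep is None or rep.owner != requester:
            return None
        return rep.body


# Constructed access-log lines in the shape '<client> "GET <path>" <status>'.
# Client 10.0.0.9 walks sequential ids; 10.0.0.2 fetches its own two reports.
ACCESS_LOG = [
    '10.0.0.2 "GET /orgchart/files/1041" 200',
    '10.0.0.9 "GET /orgchart/files/1040" 200',
    '10.0.0.9 "GET /orgchart/files/1041" 200',
    '10.0.0.9 "GET /orgchart/files/1042" 200',
    '10.0.0.9 "GET /orgchart/files/1043" 200',
    '10.0.0.2 "GET /orgchart/files/1057" 200',
    '10.0.0.9 "GET /orgchart/files/1044" 404',
    '10.0.0.9 "GET /orgchart/files/1045" 200',
    '10.0.0.9 "GET /orgchart/files/1046" 200',
]
LOG_RE = re.compile(r'^(\S+) "GET /orgchart/files/(\d+)" (\d{3})$')


def flag_id_walkers(log_lines, max_distinct=3):
    """Detection: a client that successfully fetched more than `max_distinct`
    different report ids behaves like an id walker, not like a patient viewing
    their own results. Returns the flagged client addresses, sorted."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "200":
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    return sorted(ip for ip, ids in seen.items() if len(ids) > max_distinct)
```

The threshold in `flag_id_walkers` is a constructed starting point; tune it to the normal number of reports one user legitimately downloads on the system being monitored.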