The National Center for Personal Data Protection (NCPDP), for information purposes, communicates about the ratification, by Law 36/20.03.2026 and the publication in the Official Gazette of the Republic of Moldova, of the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

       The purpose of this Protocol is to modernize the international framework in the field of personal data protection, in order to ensure a high level of protection of the fundamental rights and freedoms of natural persons, especially the right to private life, in the context of technological developments and the globalization of data flows.

       The revised document, also known as „Convention 108+”, comes with a number of essential improvements, aimed at strengthening data protection mechanisms and responding to new challenges generated by the use of modern technologies.

       Among the main provisions of the Amending Protocol are:

• Strengthening the protection of personal data;
• Strengthening the rights of data subjects;
• Expanding the category of sensitive data, by including genetic, biometric and ethnic origin data;
• Introducing safeguards for decisions based solely on automated processing;
• Establishing clear obligations for controllers, including rules for international data transfers.

       The new regulations also place increased emphasis on controller’s accountability, processing transparency and the establishment of effective supervisory mechanisms, including by strengthening the role of independent control authorities and intensifying international cooperation.

       The ratification of this Protocol represents an important step for the alignment of the Republic of Moldova with international and European standards in the field of personal data protection. The implementation of its provisions will help to increase citizens’ confidence in the way their data are processed, as well as to facilitate the secure exchange of data at the international level. Law no. 36/20.03.2026 enters into force on August 23, 2026.

       Through this ratification, the Republic of Moldova reaffirms its commitment to ensure a high level of personal data protection and to strengthen international cooperation in this field.

       In this context, the NCPDP encourages public authorities, the private sector and other relevant actors to pay more attention to the new requirements and to take the necessary measures to ensure compliance with the updated standards in the field.

       On April 10, 2026, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for representatives of the National Center for Sustainable Energy (NCSE), at their request.

       The objective of the training was to strengthen the theoretical knowledge and develop the practical skills of the participants regarding the correct application of the national and international normative framework in the field of personal data protection. In this context, the NCPDP trainers presented the main concepts and principles governing data processing, including lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.

       At the same time, aspects related to the rights of data subjects were addressed, such as right to access, rectification, erase, restriction of processing and object, as well as the mechanisms by which these rights can be exercised in practice. Particular emphasis was placed on the responsibilities of controllers and processors, including the obligation to implement appropriate technical and organizational measures to ensure data security, prevent unauthorized access and manage security incidents.

       The importance of carrying out such training activities is determined by the need to ensure respect for the fundamental right to privacy and personal data protection, especially in the context of the digitization of public services and the increase in the volume of processed data. The training helped to raise awareness among employees of the risks associated with data processing and to develop an organizational culture based on responsibility, integrity and compliance.

       As a result of participating in this course, NCSE representatives have strengthened their skills in the field, being better prepared to correctly apply the legal provisions, adequately manage personal data and ensure respect for the rights of data subjects. The training also contributed to reducing the risks of data security breaches and increasing the level of citizens’ trust in the institution’s activity.

       NCPDP reaffirms its commitment to continue organizing and carrying out training and information activities in the field of personal data protection, in order to support public authorities and institutions in the process of aligning with national and international standards and ensuring a high level of data protection.

       The event took place in a hybrid format, with 60 representatives of the NCSE being trained.

       The National Center for the Personal Data Protection (NCPDP) organized, at the institution’s headquarters, an interinstitutional meeting with representatives of the Agency for Cybersecurity, with the objective of strengthening dialogue and cooperation in the fields of personal data protection and cyber security.

       During the meeting, the interdependence between the fields of personal data protection and cyber security was emphasized, in the context of accelerated digital transformations and the increase in risks associated with information security, highlighting the need for effective institutional cooperation between competent authorities.

       At the same time, the importance of complying with data protection principles and requirements was emphasized, especially in the exercise of duties aimed at monitoring, analyzing and reacting to risks and threats in cybersecurity, which may involve the processing of significant volumes of personal data. Ensuring an appropriate balance between cyber security measures and guaranteeing the rights of data subjects is an essential element in the exercise of the legal powers of both institutions.

       At the same time, it was emphasized that, on August 23, 2026, Law no. 195/2024 on personal data protection, a normative act that marks a reference moment in the consolidation of the national data protection framework and in its alignment with European standards.The effective implementation of the new legal provisions inherently implies the intensification of institutional cooperation, including in the field of prevention, notification and management of security incidents involving personal data.

       NCPDP expresses its conviction that a consolidated cooperation between institutions will contribute to strengthening the areas of competence and ensuring an increased level of protection of the fundamental rights and freedoms of the data subjects, in the context of the new digital challenges.

       On April 1, 2026, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for the employees of the Institute for Standardization of Moldova (ISM), at the request of the beneficiary institution. The activity was part of the continuous efforts of the NCPDP to promote a solid culture of data protection and to support national authorities and organizations in the correct application of the relevant regulatory framework.

       The purpose of the training was to strengthen the theoretical and practical knowledge of the participants in the field of personal data protection, with an emphasis on the responsibilities of controllers, the basic principles of data processing, as well as on the correct application of legal requirements in the current activity of the institution. At the same time, the course aimed to develop the capacity of participants to identify the risks associated with data processing and to implement appropriate measures to prevent security incidents.

       The importance of training lies in the essential role that data protection plays in ensuring respect for the fundamental rights and freedoms of natural persons, especially the right to privacy. In the context of accelerated digitization and the increase in the volume of processed data, public institutions and organizations must pay more attention to compliance with legal norms, as well as the implementation of effective data protection mechanisms. Such initiatives contribute to increasing the level of institutional responsibility and strengthening public trust in how personal data are managed.

       During the training, relevant topics were addressed such as: the basic principles of data protection, the legal grounds for processing, the rights of data subjects, the obligations of controllers and processors, technical and organizational security measures, as well as the management of security incidents and their notification.

       The lessons learned by the participants mainly concerned the importance of integrating data protection into all institutional processes („privacy by design” and „privacy by default”), the need to document processing operations, as well as adopting a proactive approach in identifying and mitigating risks. Participants also became aware of each employee’s role in ensuring compliance and preventing possible data security breaches.

       NCPDP reaffirms its openness to continue collaboration with national institutions, in order to develop professional skills in the field of personal data protection and promote good practices at the institutional level.

       About 20 representatives from ISM participated in the event.

       In light of the significant growth in the number of social networks over the last decade and the pressing need to protect the privacy of individuals’ personal data, the National Centre for Personal Data Protection (NCPDP) reiterates the following recommendations:

       With the appearance of social networks such as Twitter, Tumblr, Facebook, Telegram, Instagram, Linked In, Tik Tok, Snapchat, etc., social life has changed dramatically, becoming a powerful tool for socialising, making new friends and acquaintances, sharing photos, videos or promoting information. People easily share news, pictures, personal opinions and almost anything that happens in their lives. Disclosure of personal data creates a favorable environment for advertising companies, people launching charity appeals (fake fundraisers for humanitarian purposes), people seeking revenge, cyber criminals, and could involve collecting sensitive data about people’s online activities, interests, personal characteristics, political views, habits and behaviors.

       The personal information a person posts online, along with data describing their actions and interactions with others, can create a comprehensive profile that may contain that person’s activities and passions.

       Broadly speaking, social networking services (SNSs) can be defined as online communication platforms that allow people to join a network or create communities/groups of like-minded users with certain common characteristics:

• users are invited to provide personal data for the purpose of creating so-called “accounts/profiles”, which contain a personal description;
• SSR also offers tools that allow users to publish their own material (user-generated content such as a photo, music, videos or links to other sites);
• “social networking” is facilitated by the use of tools that provide each user with a contact list through which users can interact with each other.

       In terms of the national legislative framework governing the protection of personal data, SRP providers are data controllers. They provide the methods for processing user data and provide all the “basic” means/services related to user management (e.g. registration and deletion of user accounts). Application providers may also be data controllers if they create applications that work/run alongside the SSR and if users decide to use such an application.

       In most cases, users are considered to be data subjects. Data protection law does not impose obligations of a data controller on a natural person – a user who processes personal data “in the course of an exclusively personal or domestic activity” – the so-called “domestic activities exception”.

       However, in certain situations, there is a possibility that the activities of an SSR user may not be covered by the domestic activities exception and the user may be deemed to have taken over some of the obligations of a data controller, in which case the provisions of data protection legislation must be respected.

       Thus, the SSR user will be considered a controller and the domestic activities exception will not apply in the following situations:

• In general, access to the data (profile data, postings, reports…) with which a user operates/acts is limited to the contacts selected by the user. However, in certain situations, the user’s list of third party contacts may expand, without the user being aware of some contacts having access to his/her account. A high number of contacts may be an indication that the domestic activities exception does not apply and that the user may be considered a data controller. Thus, if access to profile information extends beyond the contacts selected by the user, as in the case of granting access rights to a profile to all SSR members, or where data is indexable by search engines, access is not limited to the personal or domestic domain. Similarly, if a user makes an informed decision to extend access to his or her profile by accepting more people beyond the selected “friends”, he or she will have to assume the responsibilities of a data controller.
• It should also be noted that even if the domestic activities exception does not apply, the SSR user may benefit from other exceptions, such as the exception for journalistic, artistic or literary purposes. In these cases, a balance must be struck between freedom of expression and the right to privacy.

       Last but not least, it should be noted that even where the domestic activities exception applies, a user may be held liable under the general provisions of the relevant national civil or criminal law (e.g. defamation, tort liability for infringement, criminal liability).

       Respectively, SSR users must show utmost caution what personal data they publish, what they write in public, what photos/videos or audio recordings they post or who they trust on a social network.

       At the same time, the NCPDP warns that the collection and processing of personal data on social networks, like any data processing, must be carried out in strict compliance with the provisions of the Personal Data Protection Law, and the personal data being processed must be: processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purpose for which they are collected and/or further processed.

       Thus, the NCPDP urges data subjects to protect their privacy before publishing or sharing certain information on social media or any other online platform.

       It is very important that social media users read carefully and understand:

• Privacy terms (e.g. content that can be shared with a third party, ability to remove content from the site, etc.);
• Site features (e.g. who can see your messages, whether it will be only specified recipients or all users on the platform, etc.);
• What biographical information should be provided (e.g. biographical data such as full name, year of birth, age or address should only be used when registering your account and not given to other users on social networks),
• Account information (e.g. sensitive information such as: school attended, political affiliation, bank account information, place of living/domicile, etc. should never be provided);
• Who the potential “Friends” are (e.g. by analysing their profile to understand who they are, what they do and what kind of content they distribute);
• The need to disable the location sharing features of the gadget being used;
• Extreme caution when posting photos/video or audio recordings online (it could be very difficult to delete them, as in the case of metadata or if someone has copied, shared or distributed them on other sites or social networks), etc.

       Even though it is quite difficult to control privacy on social networks, it is not impossible. The NCPDP emphasises the responsibility of every citizen to ensure the protection of personal data, and the security and privacy of this data must be a priority.

       On September 23, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for the employees of the Dubăsari Police Inspectorate, according to the training plan within the General Police Inspectorate subdivisions for 2025, approved and signed by the heads of the NCPDP and the GPI on January 28 of this year.

       The purpose of the training session was to raise awareness among Dubăsari Police Inspectorate staff regarding the principles of personal data protection, as well as to ensure the proper application of legal provisions in this field within their professional duties.

       Important topics were discussed during the event, such as: the definitions of general concepts related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; the lawful processing of personal data in police work; the requirements for data protection in the performance of job responsibilities; ensuring the security and confidentiality of processed personal data, etc.
       The training course proved to be particularly relevant and beneficial for the Dubăsari Police Inspectorate, contributing both to strengthening the professional capacities of employees and to improving institutional processes. By participating in the training, they acquired: in-depth knowledge of the national and European legal framework applicable in the field of data protection, with an emphasis on the specific responsibilities of law enforcement institutions; practical tools for the correct and secure management of personal data, including in the context of direct interaction with citizens; increased clarity and accountability in relation to the rights of data subjects, reducing the risk of violating the law and protecting the image of the institution, as well as the opportunity to align with current standards of transparency, professionalism and information security, thus strengthening the community’s trust in police activity.

       At the same time, the course had a direct and significant impact on the efficiency and accountability of the Dubăsari Police Inspectorate, contributing to the consolidation of an institutional culture based on respect for legality and the protection of citizens’ fundamental rights.

       During the event, 140 representatives of the Dubăsari Police Inspectorate were trained.

I.                  Information and training activities carried out by the NCPDP

       During the second quarter of 2025 (April-June), the National Center for Personal Data Protection (NCPDP) continued to make progress in the area of information and awareness-raising activities for the general public in the field of personal data protection.

       During the reporting period, continued the organization of training courses for the subdivisions of the the General Police Inspectorate subdivisions (GPI), in accordance with the training plan approved and signed by the heads of the NCPDP and GPI on January 28, 2025.

       Thus, training courses were organized for the following subdivisions:

• April 15 – Briceni Police Inspectorate;
• May 20 – Cahul Police Inspectorate;
• June 10 – Cantemir Police Inspectorate;
  In this context, around 211 representatives from the GPI subdivisions were trained.

       At the same time, the organization of training courses for the subdivisions of the General Inspectorate of Border Police (GIBP) continued, according to the training plan approved and signed by the heads of the NCPDP and GIBP, on January 28, 2025.

       Thus, training courses were organized for the following subdivisions:

• April 16 – East Regional Directorate of GIBP;
• May 15 – South Regional Directorate of GIBP;
• June 24 – North Regional Directorate of GIBP;
  In this context, 165 representatives from the GIBP subdivisions were trained.

       Likewise, the organization of training courses for employees within the structural, specialized and territorial subdivisions of the General Inspectorate for Migration (GIM) continued, according to the training plan approved and signed by the leaders of the NCPDP and GIM, on January 27, 2025.

       Thus, training courses were organized for the following subdivisions:

• May 16 – Structural and specialized subdivisions of GIM;
• May 23 – North Regional Directorate of GIM;
  In this context, 34 representatives from the GIM subdivisions were trained.

       On March 27, 2025, was approved and signed by the heads of the NCPDP and the Customs Service (CS), the Training Plan in the field of personal data protection for customs employees within  the CS.

       Thus, training courses were organized for the following subdivisions:

• April 08 – Central Customs Office and Central Administration, Training Center (two training courses);
• April 10 – Central Customs Office and Central Administration, Training Center (two training courses);
• May 06 – South Customs Office;
• May 08 – North Customs Office, Bălți;
• May 27 – North Customs Office, Briceni;
• May 29 – North Customs Office, Bălți;
  In this context, 343 representatives from the CS were trained.

       During this period, the NCPDP showed openness and spirit of cooperation, organizing multiple training courses for representatives of public/private institutions, at their request.

       Thus, training courses were organized for the following institutions:

• April 02 – National Office of Social Insurance, territorial subdivisions;
• April 03 – Municipal Enterprise INFOCOM;
• April 07 – Agency for Geodesy, Cartography and Cadastre;
• May 19 – Information Technology and Cyber Security Service;
• May 22 – Ungheni Refugee Council;
• June 03 – United Nations Population Fund (UNPFA), representatives of local public authorities;
• June 06 – State Chancellery, level I and II LPAs within the area of activity of the Hânceşti Territorial Office;
• June 13 – Cahul Refugee Council;
  In this context, 247 representatives of the above-mentioned institutions were trained.

       The aim of the training courses was to familiarize representatives of the above-mentioned institutions with aspects related to the field of personal data protection, the regulation of processing procedures, as well as with the confidentiality and security regime of personal data in accordance with the legislation in force.

       During the events important topics were discussed, such as: definition of general concepts related to the field of personal data protection; principles and legal grounds for processing personal data; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO), as well as his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA), as well as the stages of conducting a DPIA, etc.

       At the same time, the information and awareness campaign for the school community was continued under the title: “Personal data protection and child safety in the online environment”.

       The aim of the campaign was to raise awareness and educate children regarding: the importance of protecting personal data; identifying risks in the online environment; adopting responsible, safe and informed behavior in the digital space to support children to browse the internet in a safe, ethical and informed manner, reducing their vulnerability to online threats. The topics covered in the trainings were: general notions on personal data; how to protect your personal data online; risks and threats in the online environment; safety on communication platforms and online games, etc.

       In this regard, information activities were organized on 04.04.2025 for:

• PITL “Mihai Stratulat”, commune Boșcana;
  PITL  “Nicolae Bălcescu”, commune Ciorescu.
  The events took place in the framework of the Personal Development classes, the target audience being 4th grade students. In this context, 85 students were trained.

       Moreover, during the reference period, NCPDP launched a broad campaign to inform and raise awareness of the general public in the field of personal data protection, carried out under the heading “Maximum vigilance when transmitting/providing personal data” in collaboration with the GIP and GIBP.

       The campaign aims to raise awareness among citizens about the risks associated with uncontrolled disclosure of personal data. During the actions carried out, citizens were provided with informative materials and practical advice, being warned about the potential dangers related to the transmission/provision of personal data recorded in various documents, such as: identity cards, passports, civil status certificates, pensioner cards, bank cards and other similar documents containing sensitive information, as well as the recording of this data in various lists, for various purported purposes. The NCPDP representatives emphasized that any request from third parties regarding access to such data must be treated with utmost caution. It is essential that the holders/owners of these data/documents verify the legality of the request and the exact purpose of collecting information containing personal data, before providing them.

II.               Control activity

In the period April- June 2025, the NCPDP initiated compliance checks of personal data processing operations in 114 cases. During the reporting period, 99 decisions were issued, of which 39 cases were found to be in violation of the legal provisions, and 27 infringement reports were concluded, which were subsequently submitted to the court for resolution.

III.           Findings of the National Center for Personal Data Protection

1. The NCPDP examined the complaint of a personal data subject, concerning the alleged non-compliant operations of processing special categories of personal data, manifested by the transmission by a Police Inspectorate to the Local Public Authority (LPA) of information stored in the materials of a contravention process, initiated based on the complaint of the data subject’s mother, including the failure by the person with a responsible position within the LPA to exercise the data subject’s right of access to the personal data concerning him.

       In the course of the investigation, The Police Inspectorate invoked the fact that the disclosure of data/information to the person with a responsible position within the LPA was carried out based on the position of public agent of the personal data subject and Law No. 148/2023 on access to information of public interest.

       Applying the provisions of art. 6 paragraph (2) of Law no. 148/2023 on access to information of public interest, and art. 8 para. (1) p. f) of the law referred to above, it was determined that access to information of public interest may be limited in accordance with the proportionality criterion provided for in art. 9 if the disclosure of the information will prejudice the protection of personal data, or, art. 8 para. (3) establishes that, by way of derogation from para. (1) p. f), it is prohibited to limit access to information of public interest that constitutes personal data relating to the professional activity of public agents, within the meaning of the Integrity Law no. 82/2017, including: name and surname, position; studies, professional experience, remuneration, conflicts of interest, outstanding disciplinary sanctions.

       In the case under examination, the NCPDP found that the Police Inspectorate’s argument is not supported from a legal/legally substantiated point of view, or rather, the materials accumulated during the contravention process were not related to the data subject’s work activity, and the representative authority of the population of the administrative-territorial and executive unit of the local council was not part of the contravention process.

       At the same time, it was established that the processing of personal data/special categories of personal data of the data subject, manifested by the disclosure by transmission by the Police Inspectorate to the representative authority of the population of the administrative-territorial and executive unit of the local council, of the materials of the contravention process, cannot be qualified as compliant, or, the knowledge of these data by third parties is an interference in the private life of the data subject and his family, being held, in the case, a violation of the provisions of art. 4 para. (1) p. a) and b), art. 6 para. (1) and art. 7 para. (1) of Law no. 133/2011 on personal data protection.

       Furthermore, the NCPDP found that the representative authority of the population of the administrative-territorial and executive unit of the local council did not resolve the data subject’s request, failing to provide a substantiated/detailed response justifying its personal data processing operations, thus establishing a violation of art. 13 para. (1) p. a) of Law no. 133/2011 on personal data protection.

2. The NCPDP examined the complaint of some personal data subjects claiming the alleged non-compliant processing of personal data, manifested by the placement of photo/video images showing their domicile, accompanied by a defamatory text, on an account on the social network www.tiktok.com.

       In the course of the investigation it was determined that the petitioner and the persons complained about are relatives. Against the backdrop of conflicting relationships, a video was published on the user’s account on the social network www.tiktok.com, revealing the following personal data: express identification of the person, by mentioning the name and surname, as well as the previously held position (text inserted right on the video); a set of mentions of location data and identification of the residence, which generated the disclosure of personal data/including the location identifier of both spouses, communicating and presenting in the video recording the number/address of the residence, filming including the interior of the yard and voicing the intention to disclose personal data to as many people as possible.

       Additionally, it should be noted that knowingly posting information/images containing personal data on social networks represents in itself an awareness and acceptance of the situation that such information will immediately become public, being available to third parties for viewing/collection/use/disclosure, etc. Under these circumstances, personal data published on social media can be used by third parties for various purposes, including narrow interests, and can create major risks, psychological and physical harm to the data subject, etc.

       In this context, the NCPDP notes that personal data that are the subject of processing must be processed correctly and in accordance with the provisions of the law; collected for specified, explicit and legitimate purposes, and not subsequently processed in a manner incompatible with these purposes; adequate, pertinent and not excessive in relation to the purpose for which they are collected and/or subsequently processed; accurate and, if necessary, updated.

       It is subsequently noted that, in accordance with art. 5 para. (1) of Law no. 133/2011 on the personal data protection, the processing of personal data is carried out with the consent of the subject of personal data, as well as under the conditions set out in paragraph (5) of the same article.

       Subsequently, following the examination of the case, it was not determined what the legitimate need was for disclosing the personal data of the petitioners on their personal page on “TikTok”, as no legal basis was identified that would justify disclosing the personal data of the petitioners by publishing them on the “TikTok” social network.

       Furthermore, the NCPDP reveals that the circumstances of a conflict between relatives do not represent an event of high public interest, and the negative impact on the petitioners, as a result of posting the video recording, violated the latter’s right to privacy.

       In this context, the identifiers analyzed: the name/surname and the address of the real estate object of the petitioners, in total, lead to the establishment of the identity of the data subjects and, possibly, the person’s domicile.

       Thus, the NCPDP determined that the processing of personal data with reference to the domicile cannot be qualified as compliant, or, the knowledge of these data by the general public is an interference in the private life of the data subjects, being held, in the case, a violation of the provisions of art. 4 para. (1) p. a), b, c) and art. 5 para. (1) of Law no. 133/2011 on personal data protection.

3. NCPDP, following a complaint, conducted a verification of the information published on the website of the Official Information Storage Mechanism (ISM), in particular the semi-annual reports of banking institutions licensed by the National Bank of Moldova.

     Following the examination, reasonable suspicions were found regarding the non-compliant processing of personal data by two banking institutions, through the disclosure/dissemination of state identification numbers (IDNP) of individuals affiliated with persons with a responsible position, recorded in point 14, line II of the published semi-annual reports.

       Thus, one of the banking institutions published on its own website and within the official Information Storage Mechanism (ISM) the semi-annual report, which contained 47 IDNPs of individuals affiliated with persons with responsible positions, without depersonalizing them. According to Law No. 133/2011 on personal data protection, this action represents excessive and illegal data processing, contrary to the principles of legality, proportionality and confidentiality.

       The other banking institution published on the official ISM website the semi-annual report, which included the IDNPs of 11 affiliated individuals, violating the provisions of Law No. 133/2011 on personal data protection. According to the law, this information should only have been transmitted to the competent authorities and not made public, as the publication of IDNPs is considered excessive and disproportionate to the stated purpose. Although the bank invoked legal transparency obligations, NCPDP found the lack of a clear legal basis to justify the publication of this data. Thus, the controller was held liable for violating the conditions of lawful, confidential and proportionate processing of personal data.

       Although the banks invoked legal obligations under financial and banking legislation, the NCPDP found that there was no basis for publishing the IDNPs, and they should have been reported exclusively to the competent authorities, not to the general public. In the case, the NCPDP found a violation of art. 4 para. (1), art. 9 and art. 29 para. (1) of Law no. 133/2011, intervening in the contravention order, according to art. 74/1 para. (1) of the Contravention Code.

       It is noted that banking institutions have demonstrated receptivity by ensuring the depersonalization of published data, following the intervention of the NCPDP.

4. The NCPDP examined a complaint from the Central Electoral Commission (CEC) regarding the collection of signatures by an unauthorized person in support of a candidate for President of the Republic of Moldova.

       During the investigation, it was determined that the initiative group for collecting signatures in support of a candidate of a Political Party, numbering 100 people, was registered with the CEC, however, the person in question was not found on the list of members of the initiative group who had the right to collect signatures of the respective candidate’s supporters. The following personal data were collected in the subscription lists: last name, first name, year of birth, series and number of the identity card, signature.

       Based on the circumstances described, the NCPDP found that the collection of names, surnames, year of birth, domicile, series, identity card number and signature, as a form of personal data processing, must be carried out within an appropriate legal framework, in compliance with the legal regulations on data protection and with obtaining all necessary authorizations, otherwise, it is likely to infringe the fundamental rights of the data subjects concerned.

       Thus, by collecting signatures without being part of a legally constituted initiative group and without obtaining prior authorization from the CEC, the person concerned violated the provisions of art. 4 para. (1) p. a) of Law no. 133/2011 on personal data protection, which regulates the fundamental principles of data processing.

IV.            Prevention activity

During the reporting period, in order to carry out the advisory tasks, in addition to the multiple answers provided, for advisory purposes, 80 telephone consultations were provided, either via e-mail or at the authority’s headquarters.

V.               International and European news

– Between May 6-9, 2025, representatives of the NCPDP participated in the 33rd edition of the Spring Conference of European Data Protection Authorities, which took place in the city of Batumi, Georgia.
       This year’s Spring Conference, hosted by the State Data Protection Inspectorate of Georgia, brought together Data Protection Authorities from across Europe to address issues of common interest, emerging trends and innovative developments in the field of privacy and personal data protection. At the same time, a key objective of the conference was to promote cooperation by encouraging collaboration between the different data protection bodies in Europe and the professionals working within them. In addition, the conference served as a unique European platform for the exchange of experience and good practices in the field of personal data protection.

       During the working sessions, topical topics in the field of data protection were presented, such as:

• Regulation of artificial intelligence and legal frameworks on data protection at national, European and global levels;
• Protection of children’s privacy and personal data;
• Impact of modern technological developments and artificial intelligence on the right to privacy;
• Current challenges in the protection of personal health data;
• The role of data protection officers (DPOs) and privacy professionals, etc.
  The event was attended by 80 representatives, including leaders of the various European Data Protection Authorities. Representatives of four European institutions were also present: EUROPOL, EUROJUST, EUROSTAT and the EDPS.

– Between May 27-29, 2025, representatives of the National Commission for the Protection of Personal Data (NCPDP) participated in the 11th edition of the international e-Governance Conference 2025, which took place in Tallinn, Estonia. Titled “From Bytes to Benefits”, the conference explored the impact of digital transformation on the economy, as well as the financial costs and benefits it entails. The event was a landmark in the field of digital governance, with the aim of accumulating relevant knowledge on digital transformation, interoperability, cybersecurity and the use of artificial intelligence in public administration, as well as identifying good practices and opportunities for international collaboration.

       During the working sessions, topical topics were presented, such as:

• From bytes to benefits: a strategic approach to digital transformation;
• The real cost of digital transformation: the long-term investment;
• Building trust and value through interoperability: the engine of digital efficiency and economic growth;
• Shaping prosperity: political leadership and strategic choices for digital economic growth;
• Cybersecurity and public-private partnerships: the power of collaboration;
• Digital strategies: building a secure and prosperous future.
  At the same time, practical sessions and thematic presentations took place: examples of good practices from Estonia, Kenya, Ukraine and Brazil in areas such as cybersecurity, digital education, defense, open data and sustainability, political leadership in digitalization, the role of citizen-centered digital infrastructures, public-private partnerships in cybersecurity, thematic workshops: focused on interoperability, digital governance and DPI (Digital Public Infrastructure) frameworks, AI-assisted public service design, the transition from paper-based to digital services, the role of civil society in cyber resilience and exhibitions and demonstrations: technological examples applied in the field of public administration and emergency services.

       The e-Governance Conference 2025 was a global meeting point for digital governance leaders and practitioners from around the world, hosting over 600 digital development leaders, policy implementers and donors from over 80 countries. The event was organized by the e-Governance Academy (eGA), the Ministry of Foreign Affairs and the Estonian Centre for International Development Cooperation and supported by ITL, the European Union, CybExer, Digital Nation, EstoniaHub, FIAP, Recorded Future, the City of Tallinn, Visit Estonia, the World Bank Group and Zetes.

-The leadership of the NCPDP participated in the 106th Plenary Session of the European Data Protection Board (EDPB), which took place on June 3-4, 2025 in Brussels, Belgium.
Several documents were discussed and adopted during the Meeting, including:

•  Guidance on data transfers to third-country authorities, which focuses on Article 48 of the GDPR and clarifies how organizations can best assess under what conditions they can lawfully respond to requests for the transfer of personal data from third-country authorities (i.e. authorities in non-European countries).
• The report “Legislation and Compliance in the Field of AI Security and Data Protection” presented by the EDPB, which is aimed at professionals with legal skills, such as Data Protection Officers (DPOs) or privacy professionals.
• The report “Fundamentals of Secure AI Systems with Personal Data”, presented by the EDPB, which is aimed at professionals with technical skills, such as cybersecurity professionals, developers or implementers of high-risk AI systems.
  Request from the European Commission to issue a joint opinion of the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify record-keeping obligations for small and medium-sized enterprises, small mid-caps and organisations with fewer than 750 employees, which is a specific amendment to Article 30(5) of the GDPR. The EDPB and the EDPS will issue the joint opinion on this matter within eight weeks.

– Between June 17-19, 2025, NCPDP representatives participated in the 48th plenary meeting of the Consultative Committee of Convention 108, which took place in Strasbourg, France. The Committee strongly encouraged all States Parties to sign and ratify Convention 108+ as soon as possible, as a minimum of 38 ratifications are required for Convention 108+ to enter into force. Convention 108+ remains the only legally binding international instrument that protects personal data and the right to privacy, and aims to ensure adequate protection for all individuals in an ever-expanding digital age. The Committee organized a presentation on the current status of the signing and ratification process in States Parties and took note of the information provided by Committee members.
The meeting adopted the revised document on the interpretation of Article 11, with the United Kingdom abstaining.

       At the same time, Ms Tamar Kaldani was elected as the Council of Europe’s Commissioner for Data Protection by secret ballot. The Committee thanked the previous Commissioner, Mr Jean-Philippe Walter, for his outstanding work. Mr. Jean-Philippe Walter was congratulated for his significant contributions over four decades in promoting the right to privacy.

       It was decided to grant observer status to: the Network of African Data Protection Authorities (NADPA), Ecuador, the Chilean Professional Association and the Colombian Authority.

       The meeting was extremely valuable for following and understanding developments in the field of data protection. It provided an opportunity to contribute to the development of new international instruments, to support dialogue between states and to outline strategic directions for the coming period. The participation of the Moldovan delegation in the Strasbourg meeting reinforced the commitment of the Republic of Moldova to align with European standards in the field of data protection. The event facilitated the establishment of contacts with counterpart authorities and international specialists, contributing to the identification of best practices and relevant European recommendations. In addition, the active position of the Republic of Moldova in the discussions of Convention 108 confirms the support of the international community for its legislative modernization efforts.

VI.            Other data protection authorities

• An administrative fine of 900,000 euros was imposed by the French Data Protection Authority (CNIL) on SOLOCAL MARKETING SERVICES for violating Article 6 (Lawfulness of processing) and Article 7 (Conditions of consent) of the GDPR.
  As part of its priority theme on the control of commercial prospecting in 2022, the CNIL focused on the practices of professionals in this ecosystem, in particular on intermediaries who resell data, called data brokers. Thus, the CNIL carried out on SOLOCAL MARKETING SERVICES, which got prospect data mainly from data brokers, publishers of game contests and product testing sites (these actors are the first links in the chain, the primary collectors, who are responsible for collecting prospect data). SOLOCAL MARKETING SERVICES used this data to operate commercial prospecting by SMS or e-mail to individuals concerned, on behalf of its advertiser customer. It may also pass on some of this data to its customers, so that they can carry out their own commercial prospecting by telephone or post.

     Following the CNIL investigations, it found several violations, such as:

–          Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Article L.34-5 of the French Post and Electronic Communications Code): The restricted committee considered that the misleading appearance of the forms used by data brokers made it impossible to obtain free and unambiguous consent, in compliance with the requirements of the GDPR, which would have formed the basis for the prospecting operations carried out by the company.

–          Failure to demonstrate that the data subject has consented to processing of his or her personal data (Article 7 of the GDPR): The company failed to provide the French SA with proof of consent from individuals whose data has been transferred to it by one of its main suppliers. As a result, the French SA was unable to examine the collection forms used by this supplier and, therefore, the validity of the consent of the data subjects.

       In this context, the CNIL imposed an administrative fine of 900,000 euros on the company SOLOCAL MARKETING SERVICES, which was made public, and an order to cease electronic commercial prospecting in the absence of valid consent, together with a penalty of €10 000 per day overdue after a period of 9 months. The amount of this fine takes into account the very large number of people concerned (several million), the company’s historical position on the market, the financial benefit derived from the breaches, and the measures taken by the company to comply with some of its obligations since the checks were carried out.

• Administrative fine of 5 million euros imposed by the Italian Data Protection Authority (SA) on Luka Inc. for violations of Article 5 (Principles relating to the processing of personal data), Article 6 (Lawfulness of processing), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 24 (Responsibility of the controller), and Article 25 (Data protection by design and by default) of the GDPR.
         The Italian SA launched an investigation on its own initiative following press reports and a preliminary inquiry into the Replika service — a chatbot with both written and voice interfaces developed and managed by the U.S.-based company Luka Inc., based on a generative AI system. The chatbot enables users to “create” a “virtual companion” that can serve as a confidant, therapist, romantic partner, or mentor.

       Following the investigation, the Italian SA confirmed that the alleged violations, which had prompted it to order the app’s blocking in February 2023, did indeed occur. Until February 2, 2023, the company had not identified a legal basis for the data processing operations carried out through Replika. Additionally, Luka Inc. provided a privacy policy that was non-compliant in several respects. The Italian SA also found that, until February 2, 2023, the company had not implemented any age verification mechanisms—either at registration or during use of the service—despite having stated that minors were excluded from the category of potential users.

       Technical assessments revealed that the age verification system currently implemented by the controller still has several deficiencies.

       In this context, the Italian SA imposed an administrative fine of 5 million euros on Luka Inc. for violations of Articles 5(1)(a), 5(1)(c), 6, 12, 13, 24, and 25(1) of the GDPR. Furthermore, the Italian SA reserves the right to investigate and assess, in a separate and autonomous procedure, the lawfulness of the processing operations carried out by Luka Inc., specifically regarding the legal bases applicable throughout the lifecycle of the generative AI system underlying the Replika service.

• The administrative fine in the amount of of €262,500 imposed by the Polish Data Protection Authority (SA) on the company Centrum Medyczne Ujastek Sp. z o.o. for violations of Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data is collected from the data subject), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), and Article 32 (Security of processing) of the GDPR.
  Between July 1 and 23, 2023, Centrum Medyczne Ujastek Sp. z o.o., based in Krakow, carried out monitoring through video surveillance in the neonatology department, recording images of both newborns and their mothers engaged in intimate activities such as breastfeeding According to the explanations provided by the facility, the children whose images were captured on the recordings no longer required intensive care, so their health was not at risk.

       Following investigations, the Polish SA found that the video surveillance conducted by the medical center violated applicable regulations and was furthermore covert in nature—neither the patients nor the employees of the facility were informed about the continuous video recording. determined that the memory cards that contained the recordings had not been encrypted, and that the devices used for image recording had not been configured to meet the requirements of the facility. In addition, the risk analysis provided by the medical center did not cover the risks that were the cause of the incident and did not identify security measures that could have prevented the incident from occurring.

       In this context, the Polish SA has imposed an administrative fine of €157,500 for violations of Article 6(1), Article 9(1), and Article 13(1,2) of the GDPR, and an additional fine of €105,000 for violations of Article 24(1), Article 25(1), and Article 32(1,2) of the GDPR.

       On July 15, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for  the employees of the Căușeni Police Inspectorate, according to the training plan within the General Police Inspectorate subdivisions for 2025, approved and signed by the heads of the NCPDP and the GPI on January 28 of this year.

       The purpose of the training session was to raise awareness among Căușeni Police Inspectorate staff regarding the principles of personal data protection, as well as to ensure the proper application of legal provisions in this field within their professional duties.

       During the event, several important topics were addressed, including:

• The definitions of general concepts related to the field of personal data protection;
• The rights of personal data subjects;
• The processing of special categories of personal data;
• The lawful processing of personal data in police work;
• The requirements for data protection in the performance of job responsibilities;
• Ensuring the security and confidentiality of processed personal data, etc.
  The training course proved to be highly useful and interactive, and the aspects related to the proper procedure for accessing personal data via State Information Systems, including the application of exceptions and restrictions governed by Article 15 of Law 133/2011, as well as the requirements regarding the protection of personal data in the exercise of official duties, presented a high interest for the course participants.

       40 representatives of the Căușeni Police Inspectorate were trained during the event.

       On July 7, 2025, the National Center for Personal Data Protection (NCPDP) organized a street information and public awareness campaign, which aimed to promote the importance of personal data protection and cultivate responsible behavior regarding the use of this data.

       The event took the form of an open dialogue with citizens, offering them the opportunity to ask questions and receive relevant information about their rights in terms of personal data protection, as well as about the risks associated with non-compliant data processing.

       Through this initiative, organized in the context of the anniversary of 17 years of activity, NCPDP reaffirms its mission to contribute to the development of an institutional and social culture in which the right to privacy, guaranteed by the Constitution of the Republic of Moldova, by national and European legislation, is aware of and known, respected and actively promoted in all areas of life.

       The activity included: distribution of information materials on personal data protection; information actions carried out by representatives of the NCPDP; direct interactions with citizens to clarify specific situations regarding data processing; examples of good practices in the responsible use of personal data in the digital environment.

       The aim of the street action is to bring the essential concepts of data protection closer to citizens, contributing to increasing their awareness of the notion of personal data, the rights of data subjects, data security and confidentiality measures, as well as the principles of personal data protection. At the same time, citizens were informed about possible situations of non-compliant processing of personal data, being provided with practical guidance and recommendations that should be undertaken in such cases.

       Through this action, NCPDP aims not only to celebrate an important anniversary in the institution’s activity, but also to convey a clear message: the protection of personal data is a shared responsibility, which requires active involvement not only from the authorities/organizations, but also from each individual citizen.

       In an era where digital technology is omnipresent and personal data circulates rapidly online and offline, education on its protection becomes essential. NCPDP will continue to conduct awareness campaigns, provide support to public and private institutions, and ensure compliance with the legal framework regarding the processing of personal data.

       Between July 2-3, 2025, representatives of the National Center for Personal Data Protection (NCPDP) participated in the 75th meeting of the International Working Group on Data Protection in Technology (known as the “Berlin Group”), which took place in the city of Tbilisi, Georgia.

       The aim of the event was to bring together international experts in the field of data protection to discuss and analyze the impact of new technologies on privacy and personal data security. During the meeting, participants exchanged good practices, presented national innovations, and addressed emerging challenges such as neurodata, 6G technology, and digital identity, with a view to developing common recommendations to support the improvement of data protection standards at the international level.

       During the two working days, important topics were addressed, such as:

–         Neurodata and the implications for privacy;

–         The evolution of 6G technology and the related challenges in the field of data protection;

–         Digital identity;

–         Government digital services and data protection within them (e.g. MY.GOV.GE – the unified portal of electronic services in Georgia);

–         National presentations on innovations and good practices in the field of data protection.

       The event represented a valuable framework for the international exchange of experience, strengthening cooperation between supervisory authorities and identifying common directions of action facing new technological challenges, bringing together representatives from 14 countries, as well as delegates from the European Data Protection Supervisor and the Electronic Privacy Information Center.