I. Information and training activities carried out by the NCPDP
During the second quarter of 2025 (April-June), the National Center for Personal Data Protection (NCPDP) continued to make progress in the area of information and awareness-raising activities for the general public in the field of personal data protection.
During the reporting period, continued the organization of training courses for the subdivisions of the the General Police Inspectorate subdivisions (GPI), in accordance with the training plan approved and signed by the heads of the NCPDP and GPI on January 28, 2025.
Thus, training courses were organized for the following subdivisions:
- April 15 – Briceni Police Inspectorate;
- May 20 – Cahul Police Inspectorate;
- June 10 – Cantemir Police Inspectorate;
In this context, around 211 representatives from the GPI subdivisions were trained.
At the same time, the organization of training courses for the subdivisions of the General Inspectorate of Border Police (GIBP) continued, according to the training plan approved and signed by the heads of the NCPDP and GIBP, on January 28, 2025.
Thus, training courses were organized for the following subdivisions:
- April 16 – East Regional Directorate of GIBP;
- May 15 – South Regional Directorate of GIBP;
- June 24 – North Regional Directorate of GIBP;
In this context, 165 representatives from the GIBP subdivisions were trained.
Likewise, the organization of training courses for employees within the structural, specialized and territorial subdivisions of the General Inspectorate for Migration (GIM) continued, according to the training plan approved and signed by the leaders of the NCPDP and GIM, on January 27, 2025.
Thus, training courses were organized for the following subdivisions:
- May 16 – Structural and specialized subdivisions of GIM;
- May 23 – North Regional Directorate of GIM;
In this context, 34 representatives from the GIM subdivisions were trained.
On March 27, 2025, was approved and signed by the heads of the NCPDP and the Customs Service (CS), the Training Plan in the field of personal data protection for customs employees within the CS.
Thus, training courses were organized for the following subdivisions:
- April 08 – Central Customs Office and Central Administration, Training Center (two training courses);
- April 10 – Central Customs Office and Central Administration, Training Center (two training courses);
- May 06 – South Customs Office;
- May 08 – North Customs Office, Bălți;
- May 27 – North Customs Office, Briceni;
- May 29 – North Customs Office, Bălți;
In this context, 343 representatives from the CS were trained.
During this period, the NCPDP showed openness and spirit of cooperation, organizing multiple training courses for representatives of public/private institutions, at their request.
Thus, training courses were organized for the following institutions:
- April 02 – National Office of Social Insurance, territorial subdivisions;
- April 03 – Municipal Enterprise INFOCOM;
- April 07 – Agency for Geodesy, Cartography and Cadastre;
- May 19 – Information Technology and Cyber Security Service;
- May 22 – Ungheni Refugee Council;
- June 03 – United Nations Population Fund (UNPFA), representatives of local public authorities;
- June 06 – State Chancellery, level I and II LPAs within the area of activity of the Hânceşti Territorial Office;
- June 13 – Cahul Refugee Council;
In this context, 247 representatives of the above-mentioned institutions were trained.
The aim of the training courses was to familiarize representatives of the above-mentioned institutions with aspects related to the field of personal data protection, the regulation of processing procedures, as well as with the confidentiality and security regime of personal data in accordance with the legislation in force.
During the events important topics were discussed, such as: definition of general concepts related to the field of personal data protection; principles and legal grounds for processing personal data; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO), as well as his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA), as well as the stages of conducting a DPIA, etc.
At the same time, the information and awareness campaign for the school community was continued under the title: “Personal data protection and child safety in the online environment”.
The aim of the campaign was to raise awareness and educate children regarding: the importance of protecting personal data; identifying risks in the online environment; adopting responsible, safe and informed behavior in the digital space to support children to browse the internet in a safe, ethical and informed manner, reducing their vulnerability to online threats. The topics covered in the trainings were: general notions on personal data; how to protect your personal data online; risks and threats in the online environment; safety on communication platforms and online games, etc.
In this regard, information activities were organized on 04.04.2025 for:
- PITL “Mihai Stratulat”, commune Boșcana;
PITL “Nicolae Bălcescu”, commune Ciorescu.
The events took place in the framework of the Personal Development classes, the target audience being 4th grade students. In this context, 85 students were trained.
Moreover, during the reference period, NCPDP launched a broad campaign to inform and raise awareness of the general public in the field of personal data protection, carried out under the heading “Maximum vigilance when transmitting/providing personal data” in collaboration with the GIP and GIBP.
The campaign aims to raise awareness among citizens about the risks associated with uncontrolled disclosure of personal data. During the actions carried out, citizens were provided with informative materials and practical advice, being warned about the potential dangers related to the transmission/provision of personal data recorded in various documents, such as: identity cards, passports, civil status certificates, pensioner cards, bank cards and other similar documents containing sensitive information, as well as the recording of this data in various lists, for various purported purposes. The NCPDP representatives emphasized that any request from third parties regarding access to such data must be treated with utmost caution. It is essential that the holders/owners of these data/documents verify the legality of the request and the exact purpose of collecting information containing personal data, before providing them.
II. Control activity
In the period April- June 2025, the NCPDP initiated compliance checks of personal data processing operations in 114 cases. During the reporting period, 99 decisions were issued, of which 39 cases were found to be in violation of the legal provisions, and 27 infringement reports were concluded, which were subsequently submitted to the court for resolution.
III. Findings of the National Center for Personal Data Protection
1. The NCPDP examined the complaint of a personal data subject, concerning the alleged non-compliant operations of processing special categories of personal data, manifested by the transmission by a Police Inspectorate to the Local Public Authority (LPA) of information stored in the materials of a contravention process, initiated based on the complaint of the data subject’s mother, including the failure by the person with a responsible position within the LPA to exercise the data subject’s right of access to the personal data concerning him.
In the course of the investigation, The Police Inspectorate invoked the fact that the disclosure of data/information to the person with a responsible position within the LPA was carried out based on the position of public agent of the personal data subject and Law No. 148/2023 on access to information of public interest.
Applying the provisions of art. 6 paragraph (2) of Law no. 148/2023 on access to information of public interest, and art. 8 para. (1) p. f) of the law referred to above, it was determined that access to information of public interest may be limited in accordance with the proportionality criterion provided for in art. 9 if the disclosure of the information will prejudice the protection of personal data, or, art. 8 para. (3) establishes that, by way of derogation from para. (1) p. f), it is prohibited to limit access to information of public interest that constitutes personal data relating to the professional activity of public agents, within the meaning of the Integrity Law no. 82/2017, including: name and surname, position; studies, professional experience, remuneration, conflicts of interest, outstanding disciplinary sanctions.
In the case under examination, the NCPDP found that the Police Inspectorate’s argument is not supported from a legal/legally substantiated point of view, or rather, the materials accumulated during the contravention process were not related to the data subject’s work activity, and the representative authority of the population of the administrative-territorial and executive unit of the local council was not part of the contravention process.
At the same time, it was established that the processing of personal data/special categories of personal data of the data subject, manifested by the disclosure by transmission by the Police Inspectorate to the representative authority of the population of the administrative-territorial and executive unit of the local council, of the materials of the contravention process, cannot be qualified as compliant, or, the knowledge of these data by third parties is an interference in the private life of the data subject and his family, being held, in the case, a violation of the provisions of art. 4 para. (1) p. a) and b), art. 6 para. (1) and art. 7 para. (1) of Law no. 133/2011 on personal data protection.
Furthermore, the NCPDP found that the representative authority of the population of the administrative-territorial and executive unit of the local council did not resolve the data subject’s request, failing to provide a substantiated/detailed response justifying its personal data processing operations, thus establishing a violation of art. 13 para. (1) p. a) of Law no. 133/2011 on personal data protection.
2. The NCPDP examined the complaint of some personal data subjects claiming the alleged non-compliant processing of personal data, manifested by the placement of photo/video images showing their domicile, accompanied by a defamatory text, on an account on the social network www.tiktok.com.
In the course of the investigation it was determined that the petitioner and the persons complained about are relatives. Against the backdrop of conflicting relationships, a video was published on the user’s account on the social network www.tiktok.com, revealing the following personal data: express identification of the person, by mentioning the name and surname, as well as the previously held position (text inserted right on the video); a set of mentions of location data and identification of the residence, which generated the disclosure of personal data/including the location identifier of both spouses, communicating and presenting in the video recording the number/address of the residence, filming including the interior of the yard and voicing the intention to disclose personal data to as many people as possible.
Additionally, it should be noted that knowingly posting information/images containing personal data on social networks represents in itself an awareness and acceptance of the situation that such information will immediately become public, being available to third parties for viewing/collection/use/disclosure, etc. Under these circumstances, personal data published on social media can be used by third parties for various purposes, including narrow interests, and can create major risks, psychological and physical harm to the data subject, etc.
In this context, the NCPDP notes that personal data that are the subject of processing must be processed correctly and in accordance with the provisions of the law; collected for specified, explicit and legitimate purposes, and not subsequently processed in a manner incompatible with these purposes; adequate, pertinent and not excessive in relation to the purpose for which they are collected and/or subsequently processed; accurate and, if necessary, updated.
It is subsequently noted that, in accordance with art. 5 para. (1) of Law no. 133/2011 on the personal data protection, the processing of personal data is carried out with the consent of the subject of personal data, as well as under the conditions set out in paragraph (5) of the same article.
Subsequently, following the examination of the case, it was not determined what the legitimate need was for disclosing the personal data of the petitioners on their personal page on “TikTok”, as no legal basis was identified that would justify disclosing the personal data of the petitioners by publishing them on the “TikTok” social network.
Furthermore, the NCPDP reveals that the circumstances of a conflict between relatives do not represent an event of high public interest, and the negative impact on the petitioners, as a result of posting the video recording, violated the latter’s right to privacy.
In this context, the identifiers analyzed: the name/surname and the address of the real estate object of the petitioners, in total, lead to the establishment of the identity of the data subjects and, possibly, the person’s domicile.
Thus, the NCPDP determined that the processing of personal data with reference to the domicile cannot be qualified as compliant, or, the knowledge of these data by the general public is an interference in the private life of the data subjects, being held, in the case, a violation of the provisions of art. 4 para. (1) p. a), b, c) and art. 5 para. (1) of Law no. 133/2011 on personal data protection.
3. NCPDP, following a complaint, conducted a verification of the information published on the website of the Official Information Storage Mechanism (ISM), in particular the semi-annual reports of banking institutions licensed by the National Bank of Moldova.
Following the examination, reasonable suspicions were found regarding the non-compliant processing of personal data by two banking institutions, through the disclosure/dissemination of state identification numbers (IDNP) of individuals affiliated with persons with a responsible position, recorded in point 14, line II of the published semi-annual reports.
Thus, one of the banking institutions published on its own website and within the official Information Storage Mechanism (ISM) the semi-annual report, which contained 47 IDNPs of individuals affiliated with persons with responsible positions, without depersonalizing them. According to Law No. 133/2011 on personal data protection, this action represents excessive and illegal data processing, contrary to the principles of legality, proportionality and confidentiality.
The other banking institution published on the official ISM website the semi-annual report, which included the IDNPs of 11 affiliated individuals, violating the provisions of Law No. 133/2011 on personal data protection. According to the law, this information should only have been transmitted to the competent authorities and not made public, as the publication of IDNPs is considered excessive and disproportionate to the stated purpose. Although the bank invoked legal transparency obligations, NCPDP found the lack of a clear legal basis to justify the publication of this data. Thus, the controller was held liable for violating the conditions of lawful, confidential and proportionate processing of personal data.
Although the banks invoked legal obligations under financial and banking legislation, the NCPDP found that there was no basis for publishing the IDNPs, and they should have been reported exclusively to the competent authorities, not to the general public. In the case, the NCPDP found a violation of art. 4 para. (1), art. 9 and art. 29 para. (1) of Law no. 133/2011, intervening in the contravention order, according to art. 74/1 para. (1) of the Contravention Code.
It is noted that banking institutions have demonstrated receptivity by ensuring the depersonalization of published data, following the intervention of the NCPDP.
4. The NCPDP examined a complaint from the Central Electoral Commission (CEC) regarding the collection of signatures by an unauthorized person in support of a candidate for President of the Republic of Moldova.
During the investigation, it was determined that the initiative group for collecting signatures in support of a candidate of a Political Party, numbering 100 people, was registered with the CEC, however, the person in question was not found on the list of members of the initiative group who had the right to collect signatures of the respective candidate’s supporters. The following personal data were collected in the subscription lists: last name, first name, year of birth, series and number of the identity card, signature.
Based on the circumstances described, the NCPDP found that the collection of names, surnames, year of birth, domicile, series, identity card number and signature, as a form of personal data processing, must be carried out within an appropriate legal framework, in compliance with the legal regulations on data protection and with obtaining all necessary authorizations, otherwise, it is likely to infringe the fundamental rights of the data subjects concerned.
Thus, by collecting signatures without being part of a legally constituted initiative group and without obtaining prior authorization from the CEC, the person concerned violated the provisions of art. 4 para. (1) p. a) of Law no. 133/2011 on personal data protection, which regulates the fundamental principles of data processing.
IV. Prevention activity
During the reporting period, in order to carry out the advisory tasks, in addition to the multiple answers provided, for advisory purposes, 80 telephone consultations were provided, either via e-mail or at the authority’s headquarters.
V. International and European news
– Between May 6-9, 2025, representatives of the NCPDP participated in the 33rd edition of the Spring Conference of European Data Protection Authorities, which took place in the city of Batumi, Georgia.
This year’s Spring Conference, hosted by the State Data Protection Inspectorate of Georgia, brought together Data Protection Authorities from across Europe to address issues of common interest, emerging trends and innovative developments in the field of privacy and personal data protection. At the same time, a key objective of the conference was to promote cooperation by encouraging collaboration between the different data protection bodies in Europe and the professionals working within them. In addition, the conference served as a unique European platform for the exchange of experience and good practices in the field of personal data protection.
During the working sessions, topical topics in the field of data protection were presented, such as:
- Regulation of artificial intelligence and legal frameworks on data protection at national, European and global levels;
- Protection of children’s privacy and personal data;
- Impact of modern technological developments and artificial intelligence on the right to privacy;
- Current challenges in the protection of personal health data;
- The role of data protection officers (DPOs) and privacy professionals, etc.
The event was attended by 80 representatives, including leaders of the various European Data Protection Authorities. Representatives of four European institutions were also present: EUROPOL, EUROJUST, EUROSTAT and the EDPS.
– Between May 27-29, 2025, representatives of the National Commission for the Protection of Personal Data (NCPDP) participated in the 11th edition of the international e-Governance Conference 2025, which took place in Tallinn, Estonia. Titled “From Bytes to Benefits”, the conference explored the impact of digital transformation on the economy, as well as the financial costs and benefits it entails. The event was a landmark in the field of digital governance, with the aim of accumulating relevant knowledge on digital transformation, interoperability, cybersecurity and the use of artificial intelligence in public administration, as well as identifying good practices and opportunities for international collaboration.
During the working sessions, topical topics were presented, such as:
- From bytes to benefits: a strategic approach to digital transformation;
- The real cost of digital transformation: the long-term investment;
- Building trust and value through interoperability: the engine of digital efficiency and economic growth;
- Shaping prosperity: political leadership and strategic choices for digital economic growth;
- Cybersecurity and public-private partnerships: the power of collaboration;
- Digital strategies: building a secure and prosperous future.
At the same time, practical sessions and thematic presentations took place: examples of good practices from Estonia, Kenya, Ukraine and Brazil in areas such as cybersecurity, digital education, defense, open data and sustainability, political leadership in digitalization, the role of citizen-centered digital infrastructures, public-private partnerships in cybersecurity, thematic workshops: focused on interoperability, digital governance and DPI (Digital Public Infrastructure) frameworks, AI-assisted public service design, the transition from paper-based to digital services, the role of civil society in cyber resilience and exhibitions and demonstrations: technological examples applied in the field of public administration and emergency services.
The e-Governance Conference 2025 was a global meeting point for digital governance leaders and practitioners from around the world, hosting over 600 digital development leaders, policy implementers and donors from over 80 countries. The event was organized by the e-Governance Academy (eGA), the Ministry of Foreign Affairs and the Estonian Centre for International Development Cooperation and supported by ITL, the European Union, CybExer, Digital Nation, EstoniaHub, FIAP, Recorded Future, the City of Tallinn, Visit Estonia, the World Bank Group and Zetes.
-The leadership of the NCPDP participated in the 106th Plenary Session of the European Data Protection Board (EDPB), which took place on June 3-4, 2025 in Brussels, Belgium.
Several documents were discussed and adopted during the Meeting, including:
- Guidance on data transfers to third-country authorities, which focuses on Article 48 of the GDPR and clarifies how organizations can best assess under what conditions they can lawfully respond to requests for the transfer of personal data from third-country authorities (i.e. authorities in non-European countries).
- The report “Legislation and Compliance in the Field of AI Security and Data Protection” presented by the EDPB, which is aimed at professionals with legal skills, such as Data Protection Officers (DPOs) or privacy professionals.
- The report “Fundamentals of Secure AI Systems with Personal Data”, presented by the EDPB, which is aimed at professionals with technical skills, such as cybersecurity professionals, developers or implementers of high-risk AI systems.
Request from the European Commission to issue a joint opinion of the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify record-keeping obligations for small and medium-sized enterprises, small mid-caps and organisations with fewer than 750 employees, which is a specific amendment to Article 30(5) of the GDPR. The EDPB and the EDPS will issue the joint opinion on this matter within eight weeks.
– Between June 17-19, 2025, NCPDP representatives participated in the 48th plenary meeting of the Consultative Committee of Convention 108, which took place in Strasbourg, France. The Committee strongly encouraged all States Parties to sign and ratify Convention 108+ as soon as possible, as a minimum of 38 ratifications are required for Convention 108+ to enter into force. Convention 108+ remains the only legally binding international instrument that protects personal data and the right to privacy, and aims to ensure adequate protection for all individuals in an ever-expanding digital age. The Committee organized a presentation on the current status of the signing and ratification process in States Parties and took note of the information provided by Committee members.
The meeting adopted the revised document on the interpretation of Article 11, with the United Kingdom abstaining.
At the same time, Ms Tamar Kaldani was elected as the Council of Europe’s Commissioner for Data Protection by secret ballot. The Committee thanked the previous Commissioner, Mr Jean-Philippe Walter, for his outstanding work. Mr. Jean-Philippe Walter was congratulated for his significant contributions over four decades in promoting the right to privacy.
It was decided to grant observer status to: the Network of African Data Protection Authorities (NADPA), Ecuador, the Chilean Professional Association and the Colombian Authority.
The meeting was extremely valuable for following and understanding developments in the field of data protection. It provided an opportunity to contribute to the development of new international instruments, to support dialogue between states and to outline strategic directions for the coming period. The participation of the Moldovan delegation in the Strasbourg meeting reinforced the commitment of the Republic of Moldova to align with European standards in the field of data protection. The event facilitated the establishment of contacts with counterpart authorities and international specialists, contributing to the identification of best practices and relevant European recommendations. In addition, the active position of the Republic of Moldova in the discussions of Convention 108 confirms the support of the international community for its legislative modernization efforts.
VI. Other data protection authorities
- An administrative fine of 900,000 euros was imposed by the French Data Protection Authority (CNIL) on SOLOCAL MARKETING SERVICES for violating Article 6 (Lawfulness of processing) and Article 7 (Conditions of consent) of the GDPR.
As part of its priority theme on the control of commercial prospecting in 2022, the CNIL focused on the practices of professionals in this ecosystem, in particular on intermediaries who resell data, called data brokers. Thus, the CNIL carried out on SOLOCAL MARKETING SERVICES, which got prospect data mainly from data brokers, publishers of game contests and product testing sites (these actors are the first links in the chain, the primary collectors, who are responsible for collecting prospect data). SOLOCAL MARKETING SERVICES used this data to operate commercial prospecting by SMS or e-mail to individuals concerned, on behalf of its advertiser customer. It may also pass on some of this data to its customers, so that they can carry out their own commercial prospecting by telephone or post.
Following the CNIL investigations, it found several violations, such as:
– Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Article L.34-5 of the French Post and Electronic Communications Code): The restricted committee considered that the misleading appearance of the forms used by data brokers made it impossible to obtain free and unambiguous consent, in compliance with the requirements of the GDPR, which would have formed the basis for the prospecting operations carried out by the company.
– Failure to demonstrate that the data subject has consented to processing of his or her personal data (Article 7 of the GDPR): The company failed to provide the French SA with proof of consent from individuals whose data has been transferred to it by one of its main suppliers. As a result, the French SA was unable to examine the collection forms used by this supplier and, therefore, the validity of the consent of the data subjects.
In this context, the CNIL imposed an administrative fine of 900,000 euros on the company SOLOCAL MARKETING SERVICES, which was made public, and an order to cease electronic commercial prospecting in the absence of valid consent, together with a penalty of €10 000 per day overdue after a period of 9 months. The amount of this fine takes into account the very large number of people concerned (several million), the company’s historical position on the market, the financial benefit derived from the breaches, and the measures taken by the company to comply with some of its obligations since the checks were carried out.
- Administrative fine of 5 million euros imposed by the Italian Data Protection Authority (SA) on Luka Inc. for violations of Article 5 (Principles relating to the processing of personal data), Article 6 (Lawfulness of processing), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 24 (Responsibility of the controller), and Article 25 (Data protection by design and by default) of the GDPR.
The Italian SA launched an investigation on its own initiative following press reports and a preliminary inquiry into the Replika service — a chatbot with both written and voice interfaces developed and managed by the U.S.-based company Luka Inc., based on a generative AI system. The chatbot enables users to “create” a “virtual companion” that can serve as a confidant, therapist, romantic partner, or mentor.
Following the investigation, the Italian SA confirmed that the alleged violations, which had prompted it to order the app’s blocking in February 2023, did indeed occur. Until February 2, 2023, the company had not identified a legal basis for the data processing operations carried out through Replika. Additionally, Luka Inc. provided a privacy policy that was non-compliant in several respects. The Italian SA also found that, until February 2, 2023, the company had not implemented any age verification mechanisms—either at registration or during use of the service—despite having stated that minors were excluded from the category of potential users.
Technical assessments revealed that the age verification system currently implemented by the controller still has several deficiencies.
In this context, the Italian SA imposed an administrative fine of 5 million euros on Luka Inc. for violations of Articles 5(1)(a), 5(1)(c), 6, 12, 13, 24, and 25(1) of the GDPR. Furthermore, the Italian SA reserves the right to investigate and assess, in a separate and autonomous procedure, the lawfulness of the processing operations carried out by Luka Inc., specifically regarding the legal bases applicable throughout the lifecycle of the generative AI system underlying the Replika service.
- The administrative fine in the amount of of €262,500 imposed by the Polish Data Protection Authority (SA) on the company Centrum Medyczne Ujastek Sp. z o.o. for violations of Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data is collected from the data subject), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), and Article 32 (Security of processing) of the GDPR.
Between July 1 and 23, 2023, Centrum Medyczne Ujastek Sp. z o.o., based in Krakow, carried out monitoring through video surveillance in the neonatology department, recording images of both newborns and their mothers engaged in intimate activities such as breastfeeding According to the explanations provided by the facility, the children whose images were captured on the recordings no longer required intensive care, so their health was not at risk.
Following investigations, the Polish SA found that the video surveillance conducted by the medical center violated applicable regulations and was furthermore covert in nature—neither the patients nor the employees of the facility were informed about the continuous video recording. determined that the memory cards that contained the recordings had not been encrypted, and that the devices used for image recording had not been configured to meet the requirements of the facility. In addition, the risk analysis provided by the medical center did not cover the risks that were the cause of the incident and did not identify security measures that could have prevented the incident from occurring.
In this context, the Polish SA has imposed an administrative fine of €157,500 for violations of Article 6(1), Article 9(1), and Article 13(1,2) of the GDPR, and an additional fine of €105,000 for violations of Article 24(1), Article 25(1), and Article 32(1,2) of the GDPR.
41 Views
