In light of the significant growth in the number of social networks over the last decade and the pressing need to protect the privacy of individuals’ personal data, the National Centre for Personal Data Protection (NCPDP) reiterates the following recommendations:

       With the appearance of social networks such as Twitter, Tumblr, Facebook, Telegram, Instagram, Linked In, Tik Tok, Snapchat, etc., social life has changed dramatically, becoming a powerful tool for socialising, making new friends and acquaintances, sharing photos, videos or promoting information. People easily share news, pictures, personal opinions and almost anything that happens in their lives. Disclosure of personal data creates a favorable environment for advertising companies, people launching charity appeals (fake fundraisers for humanitarian purposes), people seeking revenge, cyber criminals, and could involve collecting sensitive data about people’s online activities, interests, personal characteristics, political views, habits and behaviors.

       The personal information a person posts online, along with data describing their actions and interactions with others, can create a comprehensive profile that may contain that person’s activities and passions.

       Broadly speaking, social networking services (SNSs) can be defined as online communication platforms that allow people to join a network or create communities/groups of like-minded users with certain common characteristics:

• users are invited to provide personal data for the purpose of creating so-called “accounts/profiles”, which contain a personal description;
• SSR also offers tools that allow users to publish their own material (user-generated content such as a photo, music, videos or links to other sites);
• “social networking” is facilitated by the use of tools that provide each user with a contact list through which users can interact with each other.

       In terms of the national legislative framework governing the protection of personal data, SRP providers are data controllers. They provide the methods for processing user data and provide all the “basic” means/services related to user management (e.g. registration and deletion of user accounts). Application providers may also be data controllers if they create applications that work/run alongside the SSR and if users decide to use such an application.

       In most cases, users are considered to be data subjects. Data protection law does not impose obligations of a data controller on a natural person – a user who processes personal data “in the course of an exclusively personal or domestic activity” – the so-called “domestic activities exception”.

       However, in certain situations, there is a possibility that the activities of an SSR user may not be covered by the domestic activities exception and the user may be deemed to have taken over some of the obligations of a data controller, in which case the provisions of data protection legislation must be respected.

       Thus, the SSR user will be considered a controller and the domestic activities exception will not apply in the following situations:

• In general, access to the data (profile data, postings, reports…) with which a user operates/acts is limited to the contacts selected by the user. However, in certain situations, the user’s list of third party contacts may expand, without the user being aware of some contacts having access to his/her account. A high number of contacts may be an indication that the domestic activities exception does not apply and that the user may be considered a data controller. Thus, if access to profile information extends beyond the contacts selected by the user, as in the case of granting access rights to a profile to all SSR members, or where data is indexable by search engines, access is not limited to the personal or domestic domain. Similarly, if a user makes an informed decision to extend access to his or her profile by accepting more people beyond the selected “friends”, he or she will have to assume the responsibilities of a data controller.
• It should also be noted that even if the domestic activities exception does not apply, the SSR user may benefit from other exceptions, such as the exception for journalistic, artistic or literary purposes. In these cases, a balance must be struck between freedom of expression and the right to privacy.

       Last but not least, it should be noted that even where the domestic activities exception applies, a user may be held liable under the general provisions of the relevant national civil or criminal law (e.g. defamation, tort liability for infringement, criminal liability).

       Respectively, SSR users must show utmost caution what personal data they publish, what they write in public, what photos/videos or audio recordings they post or who they trust on a social network.

       At the same time, the NCPDP warns that the collection and processing of personal data on social networks, like any data processing, must be carried out in strict compliance with the provisions of the Personal Data Protection Law, and the personal data being processed must be: processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purpose for which they are collected and/or further processed.

       Thus, the NCPDP urges data subjects to protect their privacy before publishing or sharing certain information on social media or any other online platform.

       It is very important that social media users read carefully and understand:

• Privacy terms (e.g. content that can be shared with a third party, ability to remove content from the site, etc.);
• Site features (e.g. who can see your messages, whether it will be only specified recipients or all users on the platform, etc.);
• What biographical information should be provided (e.g. biographical data such as full name, year of birth, age or address should only be used when registering your account and not given to other users on social networks),
• Account information (e.g. sensitive information such as: school attended, political affiliation, bank account information, place of living/domicile, etc. should never be provided);
• Who the potential “Friends” are (e.g. by analysing their profile to understand who they are, what they do and what kind of content they distribute);
• The need to disable the location sharing features of the gadget being used;
• Extreme caution when posting photos/video or audio recordings online (it could be very difficult to delete them, as in the case of metadata or if someone has copied, shared or distributed them on other sites or social networks), etc.

       Even though it is quite difficult to control privacy on social networks, it is not impossible. The NCPDP emphasises the responsibility of every citizen to ensure the protection of personal data, and the security and privacy of this data must be a priority.

       On September 23, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for the employees of the Dubăsari Police Inspectorate, according to the training plan within the General Police Inspectorate subdivisions for 2025, approved and signed by the heads of the NCPDP and the GPI on January 28 of this year.

       The purpose of the training session was to raise awareness among Dubăsari Police Inspectorate staff regarding the principles of personal data protection, as well as to ensure the proper application of legal provisions in this field within their professional duties.

       Important topics were discussed during the event, such as: the definitions of general concepts related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; the lawful processing of personal data in police work; the requirements for data protection in the performance of job responsibilities; ensuring the security and confidentiality of processed personal data, etc.
       The training course proved to be particularly relevant and beneficial for the Dubăsari Police Inspectorate, contributing both to strengthening the professional capacities of employees and to improving institutional processes. By participating in the training, they acquired: in-depth knowledge of the national and European legal framework applicable in the field of data protection, with an emphasis on the specific responsibilities of law enforcement institutions; practical tools for the correct and secure management of personal data, including in the context of direct interaction with citizens; increased clarity and accountability in relation to the rights of data subjects, reducing the risk of violating the law and protecting the image of the institution, as well as the opportunity to align with current standards of transparency, professionalism and information security, thus strengthening the community’s trust in police activity.

       At the same time, the course had a direct and significant impact on the efficiency and accountability of the Dubăsari Police Inspectorate, contributing to the consolidation of an institutional culture based on respect for legality and the protection of citizens’ fundamental rights.

       During the event, 140 representatives of the Dubăsari Police Inspectorate were trained.

I.                  Information and training activities carried out by the NCPDP

       During the second quarter of 2025 (April-June), the National Center for Personal Data Protection (NCPDP) continued to make progress in the area of information and awareness-raising activities for the general public in the field of personal data protection.

       During the reporting period, continued the organization of training courses for the subdivisions of the the General Police Inspectorate subdivisions (GPI), in accordance with the training plan approved and signed by the heads of the NCPDP and GPI on January 28, 2025.

       Thus, training courses were organized for the following subdivisions:

• April 15 – Briceni Police Inspectorate;
• May 20 – Cahul Police Inspectorate;
• June 10 – Cantemir Police Inspectorate;
  In this context, around 211 representatives from the GPI subdivisions were trained.

       At the same time, the organization of training courses for the subdivisions of the General Inspectorate of Border Police (GIBP) continued, according to the training plan approved and signed by the heads of the NCPDP and GIBP, on January 28, 2025.

       Thus, training courses were organized for the following subdivisions:

• April 16 – East Regional Directorate of GIBP;
• May 15 – South Regional Directorate of GIBP;
• June 24 – North Regional Directorate of GIBP;
  In this context, 165 representatives from the GIBP subdivisions were trained.

       Likewise, the organization of training courses for employees within the structural, specialized and territorial subdivisions of the General Inspectorate for Migration (GIM) continued, according to the training plan approved and signed by the leaders of the NCPDP and GIM, on January 27, 2025.

       Thus, training courses were organized for the following subdivisions:

• May 16 – Structural and specialized subdivisions of GIM;
• May 23 – North Regional Directorate of GIM;
  In this context, 34 representatives from the GIM subdivisions were trained.

       On March 27, 2025, was approved and signed by the heads of the NCPDP and the Customs Service (CS), the Training Plan in the field of personal data protection for customs employees within  the CS.

       Thus, training courses were organized for the following subdivisions:

• April 08 – Central Customs Office and Central Administration, Training Center (two training courses);
• April 10 – Central Customs Office and Central Administration, Training Center (two training courses);
• May 06 – South Customs Office;
• May 08 – North Customs Office, Bălți;
• May 27 – North Customs Office, Briceni;
• May 29 – North Customs Office, Bălți;
  In this context, 343 representatives from the CS were trained.

       During this period, the NCPDP showed openness and spirit of cooperation, organizing multiple training courses for representatives of public/private institutions, at their request.

       Thus, training courses were organized for the following institutions:

• April 02 – National Office of Social Insurance, territorial subdivisions;
• April 03 – Municipal Enterprise INFOCOM;
• April 07 – Agency for Geodesy, Cartography and Cadastre;
• May 19 – Information Technology and Cyber Security Service;
• May 22 – Ungheni Refugee Council;
• June 03 – United Nations Population Fund (UNPFA), representatives of local public authorities;
• June 06 – State Chancellery, level I and II LPAs within the area of activity of the Hânceşti Territorial Office;
• June 13 – Cahul Refugee Council;
  In this context, 247 representatives of the above-mentioned institutions were trained.

       The aim of the training courses was to familiarize representatives of the above-mentioned institutions with aspects related to the field of personal data protection, the regulation of processing procedures, as well as with the confidentiality and security regime of personal data in accordance with the legislation in force.

       During the events important topics were discussed, such as: definition of general concepts related to the field of personal data protection; principles and legal grounds for processing personal data; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO), as well as his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA), as well as the stages of conducting a DPIA, etc.

       At the same time, the information and awareness campaign for the school community was continued under the title: “Personal data protection and child safety in the online environment”.

       The aim of the campaign was to raise awareness and educate children regarding: the importance of protecting personal data; identifying risks in the online environment; adopting responsible, safe and informed behavior in the digital space to support children to browse the internet in a safe, ethical and informed manner, reducing their vulnerability to online threats. The topics covered in the trainings were: general notions on personal data; how to protect your personal data online; risks and threats in the online environment; safety on communication platforms and online games, etc.

       In this regard, information activities were organized on 04.04.2025 for:

• PITL “Mihai Stratulat”, commune Boșcana;
  PITL  “Nicolae Bălcescu”, commune Ciorescu.
  The events took place in the framework of the Personal Development classes, the target audience being 4th grade students. In this context, 85 students were trained.

       Moreover, during the reference period, NCPDP launched a broad campaign to inform and raise awareness of the general public in the field of personal data protection, carried out under the heading “Maximum vigilance when transmitting/providing personal data” in collaboration with the GIP and GIBP.

       The campaign aims to raise awareness among citizens about the risks associated with uncontrolled disclosure of personal data. During the actions carried out, citizens were provided with informative materials and practical advice, being warned about the potential dangers related to the transmission/provision of personal data recorded in various documents, such as: identity cards, passports, civil status certificates, pensioner cards, bank cards and other similar documents containing sensitive information, as well as the recording of this data in various lists, for various purported purposes. The NCPDP representatives emphasized that any request from third parties regarding access to such data must be treated with utmost caution. It is essential that the holders/owners of these data/documents verify the legality of the request and the exact purpose of collecting information containing personal data, before providing them.

II.               Control activity

In the period April- June 2025, the NCPDP initiated compliance checks of personal data processing operations in 114 cases. During the reporting period, 99 decisions were issued, of which 39 cases were found to be in violation of the legal provisions, and 27 infringement reports were concluded, which were subsequently submitted to the court for resolution.

III.           Findings of the National Center for Personal Data Protection

1. The NCPDP examined the complaint of a personal data subject, concerning the alleged non-compliant operations of processing special categories of personal data, manifested by the transmission by a Police Inspectorate to the Local Public Authority (LPA) of information stored in the materials of a contravention process, initiated based on the complaint of the data subject’s mother, including the failure by the person with a responsible position within the LPA to exercise the data subject’s right of access to the personal data concerning him.

       In the course of the investigation, The Police Inspectorate invoked the fact that the disclosure of data/information to the person with a responsible position within the LPA was carried out based on the position of public agent of the personal data subject and Law No. 148/2023 on access to information of public interest.

       Applying the provisions of art. 6 paragraph (2) of Law no. 148/2023 on access to information of public interest, and art. 8 para. (1) p. f) of the law referred to above, it was determined that access to information of public interest may be limited in accordance with the proportionality criterion provided for in art. 9 if the disclosure of the information will prejudice the protection of personal data, or, art. 8 para. (3) establishes that, by way of derogation from para. (1) p. f), it is prohibited to limit access to information of public interest that constitutes personal data relating to the professional activity of public agents, within the meaning of the Integrity Law no. 82/2017, including: name and surname, position; studies, professional experience, remuneration, conflicts of interest, outstanding disciplinary sanctions.

       In the case under examination, the NCPDP found that the Police Inspectorate’s argument is not supported from a legal/legally substantiated point of view, or rather, the materials accumulated during the contravention process were not related to the data subject’s work activity, and the representative authority of the population of the administrative-territorial and executive unit of the local council was not part of the contravention process.

       At the same time, it was established that the processing of personal data/special categories of personal data of the data subject, manifested by the disclosure by transmission by the Police Inspectorate to the representative authority of the population of the administrative-territorial and executive unit of the local council, of the materials of the contravention process, cannot be qualified as compliant, or, the knowledge of these data by third parties is an interference in the private life of the data subject and his family, being held, in the case, a violation of the provisions of art. 4 para. (1) p. a) and b), art. 6 para. (1) and art. 7 para. (1) of Law no. 133/2011 on personal data protection.

       Furthermore, the NCPDP found that the representative authority of the population of the administrative-territorial and executive unit of the local council did not resolve the data subject’s request, failing to provide a substantiated/detailed response justifying its personal data processing operations, thus establishing a violation of art. 13 para. (1) p. a) of Law no. 133/2011 on personal data protection.

2. The NCPDP examined the complaint of some personal data subjects claiming the alleged non-compliant processing of personal data, manifested by the placement of photo/video images showing their domicile, accompanied by a defamatory text, on an account on the social network www.tiktok.com.

       In the course of the investigation it was determined that the petitioner and the persons complained about are relatives. Against the backdrop of conflicting relationships, a video was published on the user’s account on the social network www.tiktok.com, revealing the following personal data: express identification of the person, by mentioning the name and surname, as well as the previously held position (text inserted right on the video); a set of mentions of location data and identification of the residence, which generated the disclosure of personal data/including the location identifier of both spouses, communicating and presenting in the video recording the number/address of the residence, filming including the interior of the yard and voicing the intention to disclose personal data to as many people as possible.

       Additionally, it should be noted that knowingly posting information/images containing personal data on social networks represents in itself an awareness and acceptance of the situation that such information will immediately become public, being available to third parties for viewing/collection/use/disclosure, etc. Under these circumstances, personal data published on social media can be used by third parties for various purposes, including narrow interests, and can create major risks, psychological and physical harm to the data subject, etc.

       In this context, the NCPDP notes that personal data that are the subject of processing must be processed correctly and in accordance with the provisions of the law; collected for specified, explicit and legitimate purposes, and not subsequently processed in a manner incompatible with these purposes; adequate, pertinent and not excessive in relation to the purpose for which they are collected and/or subsequently processed; accurate and, if necessary, updated.

       It is subsequently noted that, in accordance with art. 5 para. (1) of Law no. 133/2011 on the personal data protection, the processing of personal data is carried out with the consent of the subject of personal data, as well as under the conditions set out in paragraph (5) of the same article.

       Subsequently, following the examination of the case, it was not determined what the legitimate need was for disclosing the personal data of the petitioners on their personal page on “TikTok”, as no legal basis was identified that would justify disclosing the personal data of the petitioners by publishing them on the “TikTok” social network.

       Furthermore, the NCPDP reveals that the circumstances of a conflict between relatives do not represent an event of high public interest, and the negative impact on the petitioners, as a result of posting the video recording, violated the latter’s right to privacy.

       In this context, the identifiers analyzed: the name/surname and the address of the real estate object of the petitioners, in total, lead to the establishment of the identity of the data subjects and, possibly, the person’s domicile.

       Thus, the NCPDP determined that the processing of personal data with reference to the domicile cannot be qualified as compliant, or, the knowledge of these data by the general public is an interference in the private life of the data subjects, being held, in the case, a violation of the provisions of art. 4 para. (1) p. a), b, c) and art. 5 para. (1) of Law no. 133/2011 on personal data protection.

3. NCPDP, following a complaint, conducted a verification of the information published on the website of the Official Information Storage Mechanism (ISM), in particular the semi-annual reports of banking institutions licensed by the National Bank of Moldova.

     Following the examination, reasonable suspicions were found regarding the non-compliant processing of personal data by two banking institutions, through the disclosure/dissemination of state identification numbers (IDNP) of individuals affiliated with persons with a responsible position, recorded in point 14, line II of the published semi-annual reports.

       Thus, one of the banking institutions published on its own website and within the official Information Storage Mechanism (ISM) the semi-annual report, which contained 47 IDNPs of individuals affiliated with persons with responsible positions, without depersonalizing them. According to Law No. 133/2011 on personal data protection, this action represents excessive and illegal data processing, contrary to the principles of legality, proportionality and confidentiality.

       The other banking institution published on the official ISM website the semi-annual report, which included the IDNPs of 11 affiliated individuals, violating the provisions of Law No. 133/2011 on personal data protection. According to the law, this information should only have been transmitted to the competent authorities and not made public, as the publication of IDNPs is considered excessive and disproportionate to the stated purpose. Although the bank invoked legal transparency obligations, NCPDP found the lack of a clear legal basis to justify the publication of this data. Thus, the controller was held liable for violating the conditions of lawful, confidential and proportionate processing of personal data.

       Although the banks invoked legal obligations under financial and banking legislation, the NCPDP found that there was no basis for publishing the IDNPs, and they should have been reported exclusively to the competent authorities, not to the general public. In the case, the NCPDP found a violation of art. 4 para. (1), art. 9 and art. 29 para. (1) of Law no. 133/2011, intervening in the contravention order, according to art. 74/1 para. (1) of the Contravention Code.

       It is noted that banking institutions have demonstrated receptivity by ensuring the depersonalization of published data, following the intervention of the NCPDP.

4. The NCPDP examined a complaint from the Central Electoral Commission (CEC) regarding the collection of signatures by an unauthorized person in support of a candidate for President of the Republic of Moldova.

       During the investigation, it was determined that the initiative group for collecting signatures in support of a candidate of a Political Party, numbering 100 people, was registered with the CEC, however, the person in question was not found on the list of members of the initiative group who had the right to collect signatures of the respective candidate’s supporters. The following personal data were collected in the subscription lists: last name, first name, year of birth, series and number of the identity card, signature.

       Based on the circumstances described, the NCPDP found that the collection of names, surnames, year of birth, domicile, series, identity card number and signature, as a form of personal data processing, must be carried out within an appropriate legal framework, in compliance with the legal regulations on data protection and with obtaining all necessary authorizations, otherwise, it is likely to infringe the fundamental rights of the data subjects concerned.

       Thus, by collecting signatures without being part of a legally constituted initiative group and without obtaining prior authorization from the CEC, the person concerned violated the provisions of art. 4 para. (1) p. a) of Law no. 133/2011 on personal data protection, which regulates the fundamental principles of data processing.

IV.            Prevention activity

During the reporting period, in order to carry out the advisory tasks, in addition to the multiple answers provided, for advisory purposes, 80 telephone consultations were provided, either via e-mail or at the authority’s headquarters.

V.               International and European news

– Between May 6-9, 2025, representatives of the NCPDP participated in the 33rd edition of the Spring Conference of European Data Protection Authorities, which took place in the city of Batumi, Georgia.
       This year’s Spring Conference, hosted by the State Data Protection Inspectorate of Georgia, brought together Data Protection Authorities from across Europe to address issues of common interest, emerging trends and innovative developments in the field of privacy and personal data protection. At the same time, a key objective of the conference was to promote cooperation by encouraging collaboration between the different data protection bodies in Europe and the professionals working within them. In addition, the conference served as a unique European platform for the exchange of experience and good practices in the field of personal data protection.

       During the working sessions, topical topics in the field of data protection were presented, such as:

• Regulation of artificial intelligence and legal frameworks on data protection at national, European and global levels;
• Protection of children’s privacy and personal data;
• Impact of modern technological developments and artificial intelligence on the right to privacy;
• Current challenges in the protection of personal health data;
• The role of data protection officers (DPOs) and privacy professionals, etc.
  The event was attended by 80 representatives, including leaders of the various European Data Protection Authorities. Representatives of four European institutions were also present: EUROPOL, EUROJUST, EUROSTAT and the EDPS.

– Between May 27-29, 2025, representatives of the National Commission for the Protection of Personal Data (NCPDP) participated in the 11th edition of the international e-Governance Conference 2025, which took place in Tallinn, Estonia. Titled “From Bytes to Benefits”, the conference explored the impact of digital transformation on the economy, as well as the financial costs and benefits it entails. The event was a landmark in the field of digital governance, with the aim of accumulating relevant knowledge on digital transformation, interoperability, cybersecurity and the use of artificial intelligence in public administration, as well as identifying good practices and opportunities for international collaboration.

       During the working sessions, topical topics were presented, such as:

• From bytes to benefits: a strategic approach to digital transformation;
• The real cost of digital transformation: the long-term investment;
• Building trust and value through interoperability: the engine of digital efficiency and economic growth;
• Shaping prosperity: political leadership and strategic choices for digital economic growth;
• Cybersecurity and public-private partnerships: the power of collaboration;
• Digital strategies: building a secure and prosperous future.
  At the same time, practical sessions and thematic presentations took place: examples of good practices from Estonia, Kenya, Ukraine and Brazil in areas such as cybersecurity, digital education, defense, open data and sustainability, political leadership in digitalization, the role of citizen-centered digital infrastructures, public-private partnerships in cybersecurity, thematic workshops: focused on interoperability, digital governance and DPI (Digital Public Infrastructure) frameworks, AI-assisted public service design, the transition from paper-based to digital services, the role of civil society in cyber resilience and exhibitions and demonstrations: technological examples applied in the field of public administration and emergency services.

       The e-Governance Conference 2025 was a global meeting point for digital governance leaders and practitioners from around the world, hosting over 600 digital development leaders, policy implementers and donors from over 80 countries. The event was organized by the e-Governance Academy (eGA), the Ministry of Foreign Affairs and the Estonian Centre for International Development Cooperation and supported by ITL, the European Union, CybExer, Digital Nation, EstoniaHub, FIAP, Recorded Future, the City of Tallinn, Visit Estonia, the World Bank Group and Zetes.

-The leadership of the NCPDP participated in the 106th Plenary Session of the European Data Protection Board (EDPB), which took place on June 3-4, 2025 in Brussels, Belgium.
Several documents were discussed and adopted during the Meeting, including:

•  Guidance on data transfers to third-country authorities, which focuses on Article 48 of the GDPR and clarifies how organizations can best assess under what conditions they can lawfully respond to requests for the transfer of personal data from third-country authorities (i.e. authorities in non-European countries).
• The report “Legislation and Compliance in the Field of AI Security and Data Protection” presented by the EDPB, which is aimed at professionals with legal skills, such as Data Protection Officers (DPOs) or privacy professionals.
• The report “Fundamentals of Secure AI Systems with Personal Data”, presented by the EDPB, which is aimed at professionals with technical skills, such as cybersecurity professionals, developers or implementers of high-risk AI systems.
  Request from the European Commission to issue a joint opinion of the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify record-keeping obligations for small and medium-sized enterprises, small mid-caps and organisations with fewer than 750 employees, which is a specific amendment to Article 30(5) of the GDPR. The EDPB and the EDPS will issue the joint opinion on this matter within eight weeks.

– Between June 17-19, 2025, NCPDP representatives participated in the 48th plenary meeting of the Consultative Committee of Convention 108, which took place in Strasbourg, France. The Committee strongly encouraged all States Parties to sign and ratify Convention 108+ as soon as possible, as a minimum of 38 ratifications are required for Convention 108+ to enter into force. Convention 108+ remains the only legally binding international instrument that protects personal data and the right to privacy, and aims to ensure adequate protection for all individuals in an ever-expanding digital age. The Committee organized a presentation on the current status of the signing and ratification process in States Parties and took note of the information provided by Committee members.
The meeting adopted the revised document on the interpretation of Article 11, with the United Kingdom abstaining.

       At the same time, Ms Tamar Kaldani was elected as the Council of Europe’s Commissioner for Data Protection by secret ballot. The Committee thanked the previous Commissioner, Mr Jean-Philippe Walter, for his outstanding work. Mr. Jean-Philippe Walter was congratulated for his significant contributions over four decades in promoting the right to privacy.

       It was decided to grant observer status to: the Network of African Data Protection Authorities (NADPA), Ecuador, the Chilean Professional Association and the Colombian Authority.

       The meeting was extremely valuable for following and understanding developments in the field of data protection. It provided an opportunity to contribute to the development of new international instruments, to support dialogue between states and to outline strategic directions for the coming period. The participation of the Moldovan delegation in the Strasbourg meeting reinforced the commitment of the Republic of Moldova to align with European standards in the field of data protection. The event facilitated the establishment of contacts with counterpart authorities and international specialists, contributing to the identification of best practices and relevant European recommendations. In addition, the active position of the Republic of Moldova in the discussions of Convention 108 confirms the support of the international community for its legislative modernization efforts.

VI.            Other data protection authorities

• An administrative fine of 900,000 euros was imposed by the French Data Protection Authority (CNIL) on SOLOCAL MARKETING SERVICES for violating Article 6 (Lawfulness of processing) and Article 7 (Conditions of consent) of the GDPR.
  As part of its priority theme on the control of commercial prospecting in 2022, the CNIL focused on the practices of professionals in this ecosystem, in particular on intermediaries who resell data, called data brokers. Thus, the CNIL carried out on SOLOCAL MARKETING SERVICES, which got prospect data mainly from data brokers, publishers of game contests and product testing sites (these actors are the first links in the chain, the primary collectors, who are responsible for collecting prospect data). SOLOCAL MARKETING SERVICES used this data to operate commercial prospecting by SMS or e-mail to individuals concerned, on behalf of its advertiser customer. It may also pass on some of this data to its customers, so that they can carry out their own commercial prospecting by telephone or post.

     Following the CNIL investigations, it found several violations, such as:

–          Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Article L.34-5 of the French Post and Electronic Communications Code): The restricted committee considered that the misleading appearance of the forms used by data brokers made it impossible to obtain free and unambiguous consent, in compliance with the requirements of the GDPR, which would have formed the basis for the prospecting operations carried out by the company.

–          Failure to demonstrate that the data subject has consented to processing of his or her personal data (Article 7 of the GDPR): The company failed to provide the French SA with proof of consent from individuals whose data has been transferred to it by one of its main suppliers. As a result, the French SA was unable to examine the collection forms used by this supplier and, therefore, the validity of the consent of the data subjects.

       In this context, the CNIL imposed an administrative fine of 900,000 euros on the company SOLOCAL MARKETING SERVICES, which was made public, and an order to cease electronic commercial prospecting in the absence of valid consent, together with a penalty of €10 000 per day overdue after a period of 9 months. The amount of this fine takes into account the very large number of people concerned (several million), the company’s historical position on the market, the financial benefit derived from the breaches, and the measures taken by the company to comply with some of its obligations since the checks were carried out.

• Administrative fine of 5 million euros imposed by the Italian Data Protection Authority (SA) on Luka Inc. for violations of Article 5 (Principles relating to the processing of personal data), Article 6 (Lawfulness of processing), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 24 (Responsibility of the controller), and Article 25 (Data protection by design and by default) of the GDPR.
         The Italian SA launched an investigation on its own initiative following press reports and a preliminary inquiry into the Replika service — a chatbot with both written and voice interfaces developed and managed by the U.S.-based company Luka Inc., based on a generative AI system. The chatbot enables users to “create” a “virtual companion” that can serve as a confidant, therapist, romantic partner, or mentor.

       Following the investigation, the Italian SA confirmed that the alleged violations, which had prompted it to order the app’s blocking in February 2023, did indeed occur. Until February 2, 2023, the company had not identified a legal basis for the data processing operations carried out through Replika. Additionally, Luka Inc. provided a privacy policy that was non-compliant in several respects. The Italian SA also found that, until February 2, 2023, the company had not implemented any age verification mechanisms—either at registration or during use of the service—despite having stated that minors were excluded from the category of potential users.

       Technical assessments revealed that the age verification system currently implemented by the controller still has several deficiencies.

       In this context, the Italian SA imposed an administrative fine of 5 million euros on Luka Inc. for violations of Articles 5(1)(a), 5(1)(c), 6, 12, 13, 24, and 25(1) of the GDPR. Furthermore, the Italian SA reserves the right to investigate and assess, in a separate and autonomous procedure, the lawfulness of the processing operations carried out by Luka Inc., specifically regarding the legal bases applicable throughout the lifecycle of the generative AI system underlying the Replika service.

• The administrative fine in the amount of of €262,500 imposed by the Polish Data Protection Authority (SA) on the company Centrum Medyczne Ujastek Sp. z o.o. for violations of Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data is collected from the data subject), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), and Article 32 (Security of processing) of the GDPR.
  Between July 1 and 23, 2023, Centrum Medyczne Ujastek Sp. z o.o., based in Krakow, carried out monitoring through video surveillance in the neonatology department, recording images of both newborns and their mothers engaged in intimate activities such as breastfeeding According to the explanations provided by the facility, the children whose images were captured on the recordings no longer required intensive care, so their health was not at risk.

       Following investigations, the Polish SA found that the video surveillance conducted by the medical center violated applicable regulations and was furthermore covert in nature—neither the patients nor the employees of the facility were informed about the continuous video recording. determined that the memory cards that contained the recordings had not been encrypted, and that the devices used for image recording had not been configured to meet the requirements of the facility. In addition, the risk analysis provided by the medical center did not cover the risks that were the cause of the incident and did not identify security measures that could have prevented the incident from occurring.

       In this context, the Polish SA has imposed an administrative fine of €157,500 for violations of Article 6(1), Article 9(1), and Article 13(1,2) of the GDPR, and an additional fine of €105,000 for violations of Article 24(1), Article 25(1), and Article 32(1,2) of the GDPR.

       On July 15, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for  the employees of the Căușeni Police Inspectorate, according to the training plan within the General Police Inspectorate subdivisions for 2025, approved and signed by the heads of the NCPDP and the GPI on January 28 of this year.

       The purpose of the training session was to raise awareness among Căușeni Police Inspectorate staff regarding the principles of personal data protection, as well as to ensure the proper application of legal provisions in this field within their professional duties.

       During the event, several important topics were addressed, including:

• The definitions of general concepts related to the field of personal data protection;
• The rights of personal data subjects;
• The processing of special categories of personal data;
• The lawful processing of personal data in police work;
• The requirements for data protection in the performance of job responsibilities;
• Ensuring the security and confidentiality of processed personal data, etc.
  The training course proved to be highly useful and interactive, and the aspects related to the proper procedure for accessing personal data via State Information Systems, including the application of exceptions and restrictions governed by Article 15 of Law 133/2011, as well as the requirements regarding the protection of personal data in the exercise of official duties, presented a high interest for the course participants.

       40 representatives of the Căușeni Police Inspectorate were trained during the event.

       On July 7, 2025, the National Center for Personal Data Protection (NCPDP) organized a street information and public awareness campaign, which aimed to promote the importance of personal data protection and cultivate responsible behavior regarding the use of this data.

       The event took the form of an open dialogue with citizens, offering them the opportunity to ask questions and receive relevant information about their rights in terms of personal data protection, as well as about the risks associated with non-compliant data processing.

       Through this initiative, organized in the context of the anniversary of 17 years of activity, NCPDP reaffirms its mission to contribute to the development of an institutional and social culture in which the right to privacy, guaranteed by the Constitution of the Republic of Moldova, by national and European legislation, is aware of and known, respected and actively promoted in all areas of life.

       The activity included: distribution of information materials on personal data protection; information actions carried out by representatives of the NCPDP; direct interactions with citizens to clarify specific situations regarding data processing; examples of good practices in the responsible use of personal data in the digital environment.

       The aim of the street action is to bring the essential concepts of data protection closer to citizens, contributing to increasing their awareness of the notion of personal data, the rights of data subjects, data security and confidentiality measures, as well as the principles of personal data protection. At the same time, citizens were informed about possible situations of non-compliant processing of personal data, being provided with practical guidance and recommendations that should be undertaken in such cases.

       Through this action, NCPDP aims not only to celebrate an important anniversary in the institution’s activity, but also to convey a clear message: the protection of personal data is a shared responsibility, which requires active involvement not only from the authorities/organizations, but also from each individual citizen.

       In an era where digital technology is omnipresent and personal data circulates rapidly online and offline, education on its protection becomes essential. NCPDP will continue to conduct awareness campaigns, provide support to public and private institutions, and ensure compliance with the legal framework regarding the processing of personal data.

       Between July 2-3, 2025, representatives of the National Center for Personal Data Protection (NCPDP) participated in the 75th meeting of the International Working Group on Data Protection in Technology (known as the “Berlin Group”), which took place in the city of Tbilisi, Georgia.

       The aim of the event was to bring together international experts in the field of data protection to discuss and analyze the impact of new technologies on privacy and personal data security. During the meeting, participants exchanged good practices, presented national innovations, and addressed emerging challenges such as neurodata, 6G technology, and digital identity, with a view to developing common recommendations to support the improvement of data protection standards at the international level.

       During the two working days, important topics were addressed, such as:

–         Neurodata and the implications for privacy;

–         The evolution of 6G technology and the related challenges in the field of data protection;

–         Digital identity;

–         Government digital services and data protection within them (e.g. MY.GOV.GE – the unified portal of electronic services in Georgia);

–         National presentations on innovations and good practices in the field of data protection.

       The event represented a valuable framework for the international exchange of experience, strengthening cooperation between supervisory authorities and identifying common directions of action facing new technological challenges, bringing together representatives from 14 countries, as well as delegates from the European Data Protection Supervisor and the Electronic Privacy Information Center.

On July 3, 2025, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for members of the Moldovan Banks Association (ABM), at their request.

The aim of the training course was to provide ABM members with the necessary knowledge and skills to understand and effectively implement regulations and good practices regarding the protection of personal data, ensuring compliance with applicable legislation, as well as to promote a responsible and secure organizational culture in the management of personal data.

During the event, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the principles and legal grounds for processing personal data; requirements regarding the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of processed personal data, etc.

The training course was interactive, with multiple practical examples presented, in order to increase the level of perception of ABM members on the principles of personal data protection. At the same time, the new legal provisions in the field of personal data protection, the aspects related to the obligations of the controller/ processor empowered by the operator in relation to the designation of the Data Protection Officer, his obligations and tasks, the conditions under which it is necessary to carry out the Data Protection Impact Assessment, as well as the pecuniary sanctions in case of a violation of the legislation in the field, presented a high interest for the course participants.

At the end of the course, participants expressed positive opinions, emphasizing the clarity and applicability of the information presented, the usefulness of case studies in understanding real challenges, the need to implement standardized internal procedures regarding data protection, as well as the need for periodic training to stay up to date with legislative changes.

During the event, 25 ABM representatives were trained.

On 13 June 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for representatives of the Cahul Refugee Council, at the request of the United Nations High Commissioner for Refugees (UNHCR).

The aim of the training was to inform participants about the field of personal data protection, in the context in which refugees are often exposed to security and confidentiality risks. Participants were also provided with the necessary tools to act in full compliance with the applicable legislation and professional ethics.

The event addressed several important topics, including:

• Compliance with the fundamental principles governing the collection, processing, and storage of personal data.
• Ensuring the confidentiality and security of sensitive information concerning refugees, asylum seekers, and other individuals registered by UNHCR;
• Prevention and reporting of data security incidents, etc.

Approximately 15 representatives took part in the event, including members of the Refugee Council, local authority representatives, and members of non-governmental organizations.

This event highlights NCPDP’s ongoing commitment to developing a data protection framework that responds to the needs of an increasingly diverse and interconnected society. Through such training sessions, NCPDP aims to contribute to raising awareness and responsibility regarding data protection among both public authorities and international organizations involved in supporting refugees.

The National Center for Personal Data Protection (NCPDP) informs, for public awareness purposes, about the participation of its leadership in the 106th Plenary Session of the European Data Protection Board (EDPB), which took place on 3–4 June 2025 in Brussels, Belgium.

During the meeting, several documents were adopted, including:

• Following a public consultation, the EDPB adopted the final version of the Guidelines on Data Transfers to Public Authorities in Third Countries, which focus on Article 48 of the GDPR and clarify how organizations can best assess the conditions under which they may lawfully respond to personal data transfer requests from authorities in non-EU countries.

• The EDPB presented the report “Law and Compliance in AI Security and Data Protection”, aimed at legal professionals such as Data Protection Officers (DPOs) or privacy experts.

• The EDPB also presented the report “Fundamentals of Secure AI Systems with Personal Data”, aimed at professionals with technical expertise, such as cybersecurity experts, developers, or implementers of high-risk AI systems.

• Lastly, the Board discussed the European Commission’s request for a joint opinion from the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify record-keeping obligations for small and medium-sized enterprises (SMEs), small mid-cap companies, and organizations with fewer than 750 employees. This proposal would amend Article 30(5) of the GDPR. The EDPB and EDPS will issue a joint opinion on the matter within eight weeks.

NCPDP, as the national supervisory authority for personal data processing, emphasizes the importance of Moldova’s participation in the EDPB Plenary Sessions, as well as the relevance of the documents adopted, in order to align national data protection legislation with EU standards.

The Slovenian Supervisory Authority (SA) launched an inspection ex officio after receiving an official notification regarding a data security breach. A school reported unauthorized access to students’ personal data by an external catering service provider contracted to supply meals at the school. The provider had been granted access to the school’s entire student database, including sensitive data such as subsidies and account balances, although it only needed the students’ names and surnames to monitor the catering services.

The Slovenian SA identified significant deficiencies in the school’s data protection practices. The external catering provider received unrestricted access to the entire student database, including unnecessary information such as subsidies and account balances. The school failed to implement appropriate measures to ensure compliance with the principle of data protection by design and by default, as required under Article 25 of the GDPR. Although the school promptly reported the breach, it failed to implement effective long-term technical and organizational measures to address the root causes and prevent recurrence. The case highlights the importance of adopting proper data protection protocols in educational institutions to ensure the security and integrity of students’ personal data.

The Slovenian SA issued a reprimand to the school and its principal, as the person responsible. The controller filed a request for judicial protection with the local court, which dismissed the request and upheld the decision of the Slovenian Supervisory Authority. The court emphasized that proper implementation of the principle of data protection by design and by default could have prevented the subsequent abusive practices, including unauthorized modifications of the data by the external provider and even potential fraud.

This example draws attention to the specific nature of the school environment, where the processing of students’ personal data requires special care. IT systems are often used in schools for various purposes—from managing school records to organizing meals. Precisely because of the complexity of such solutions, it is essential for schools, when establishing cooperation with external providers, to clearly define the scope of data access granted to providers and, by implementing adequate measures, ensure strict compliance with the data minimization principle.

NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the legal framework on personal data protection and to ensure that data processing operations are conducted in accordance with the applicable law.