The National Center for Personal Data Protection of the Republic of Moldova (NCPDP) and the Agency for Cyber Security (ACS) have signed an inter-institutional cooperation agreement aimed at strengthening collaboration in the field of personal data protection and cyber security.

       The signing of the Agreement represents an important step in developing an effective mechanism for institutional cooperation, based on the exchange of information, technical expertise, best practices and the coordination of activities carried out within the areas of competence of the two institutions.

       The purpose of the Agreement is to strengthen inter-institutional relations and ensure effective and coordinated cooperation with a view to enhancing the level of personal data protection, preventing and effectively managing security incidents and strengthening national cyber resilience.

       Under the Agreement, the parties will cooperate in several areas of common interest, including: organizing and jointly participating in conferences, seminars, roundtables, training sessions and other relevant events;  the development and implementation of joint professional training programs for the staff of both institutions; the conduct of information and awareness campaigns on the personal data protection and cybersecurity; the promotion of a culture of data protection and cybersecurity among public authorities, the business community and citizens; joint participation in relevant international projects, initiatives, and programs; cooperation in managing security incidents and, where appropriate, conducting joint investigation and control activities, within the limits of legal authority; facilitating the exchange of information of mutual interest for the prevention and management of risks associated with cybersecurity and the personal data protection.

       At the same time, the Agreement provides for strict compliance with confidentiality requirements and the legal framework applicable to restricted-access information, including personal data processed within the framework of institutional cooperation.

       The signing of this Agreement reaffirms the joint commitment of the NCPDP and the ACS to strengthening institutional capacities and developing effective cooperation mechanisms to protect individuals’ fundamental rights and freedoms in the context of digital transformation and the challenges posed by cybersecurity.

       On May 11, 2026, the National Center for Personal Data Protection (NCPDP) organized the TAIEX workshop “Mechanisms for Ensuring the Lawfulness of Personal Data Processing.”

       The event brought together European experts and representatives of the NCPDP, with the aim of strengthening institutional capacities in the area of exercising supervisory and compliance functions regarding personal data protection legislation, in the context of the Republic of Moldova’s alignment with European Union standards.

       The workshop took place in a context marked by accelerated digital transformation and an increase in the volume of processed data, which require the strengthening of mechanisms to protect the fundamental right to privacy. At the same time, it took place in view of the entry into force of Law No. 195/2024 on personal data protection, which transposes the European acquis in this field.

       The main purpose of the event was to deepen understanding of how data protection authorities in European Union member states exercise their powers to oversee the lawfulness of data processing, as well as to identify effective solutions and best practices applicable to the work of the NCPDP.

       The event agenda included thematic sessions dedicated to:

• the regulatory framework and the role of supervisory authorities in the field of data protection;
• the conformity assessment process and methodologies for verifying compliance with legislation;
• control and audit mechanisms, including practices for monitoring and investigating violations;
• the use of modern technologies to ensure data security, such as encryption and pseudonymization;
• the analysis of case studies and relevant practical examples;
• criteria for establishing sanctions and assessing the impact of corrective measures applied.

       Mr. Bartłomiej Kohnke, a representative of the Polish Ministry of Justice, and Mr. Hristo Alaminov, a representative of the Bulgarian Commission for Personal Data Protection, participated as international experts. They presented the experience and practices of the institutions they represent, offering participants practical insights and useful tools for supervisory activities.

       The discussions highlighted the importance of developing effective oversight mechanisms based on risk assessment, transparency and the proportionate application of corrective measures, as well as the need to strengthen international cooperation in the field of data protection.

       Participants had the opportunity to analyze concrete procedures for conducting inspections, including the development of inspection methodologies, the conduct of internal and external audits as well as the application of sanctions in accordance with the severity of violations found..

       The TAIEX workshop contributed to the exchange of experiences and the adoption of European best practices, supporting the NCPDP in its institutional development and alignment with European standards in the field of personal data protection.

       The NCPDP reaffirms its commitment to continuing cooperation with European and international partners to strengthen an effective oversight system and ensure respect for individuals’ fundamental rights in the context of personal data processing.

       The workshop was organized and funded by the European Commission’s Technical Assistance and Information Exchange Instrument (TAIEX).

       Today, May 15, 2026, in Chișinău, Deputy Prime Minister and Minister of Foreign Affairs of the Republic of Moldova, Mihai Popșoi, presented to the Secretary General of the Council of Europe the instrument of ratification of the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed in Strasbourg on February 9, 2023. It establishes clearer rules on the processing of sensitive data, strengthens data protection standards, regulates cross-border data transfers to other states or international organizations and addresses the challenges posed by technological developments and cybersecurity.

       This action reaffirms the Republic of Moldova’s commitment to continuing the process of harmonizing the national regulatory framework with European standards and to strengthening the protection of citizens’ fundamental rights, including the right to privacy and the protection of personal data.

       The meeting marks the conclusion of the Republic of Moldova’s term as Chair of the Committee of Ministers of the Council of Europe, held from November 14, 2025, to May 15, 2026, under the theme “For a Europe of Peace and Resilience.” This is the second presidency held by the Republic of Moldova since its accession to the Council of Europe, the first having been exercised in 2003.

       The National Center for Personal Data Protection (NCPDP), for information purposes, communicates about the ratification, by Law 36/20.03.2026 and the publication in the Official Gazette of the Republic of Moldova, of the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

       The purpose of this Protocol is to modernize the international framework in the field of personal data protection, in order to ensure a high level of protection of the fundamental rights and freedoms of natural persons, especially the right to private life, in the context of technological developments and the globalization of data flows.

       The revised document, also known as „Convention 108+”, comes with a number of essential improvements, aimed at strengthening data protection mechanisms and responding to new challenges generated by the use of modern technologies.

       Among the main provisions of the Amending Protocol are:

• Strengthening the protection of personal data;
• Strengthening the rights of data subjects;
• Expanding the category of sensitive data, by including genetic, biometric and ethnic origin data;
• Introducing safeguards for decisions based solely on automated processing;
• Establishing clear obligations for controllers, including rules for international data transfers.

       The new regulations also place increased emphasis on controller’s accountability, processing transparency and the establishment of effective supervisory mechanisms, including by strengthening the role of independent control authorities and intensifying international cooperation.

       The ratification of this Protocol represents an important step for the alignment of the Republic of Moldova with international and European standards in the field of personal data protection. The implementation of its provisions will help to increase citizens’ confidence in the way their data are processed, as well as to facilitate the secure exchange of data at the international level. Law no. 36/20.03.2026 enters into force on August 23, 2026.

       Through this ratification, the Republic of Moldova reaffirms its commitment to ensure a high level of personal data protection and to strengthen international cooperation in this field.

       In this context, the NCPDP encourages public authorities, the private sector and other relevant actors to pay more attention to the new requirements and to take the necessary measures to ensure compliance with the updated standards in the field.

       On April 10, 2026, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for representatives of the National Center for Sustainable Energy (NCSE), at their request.

       The objective of the training was to strengthen the theoretical knowledge and develop the practical skills of the participants regarding the correct application of the national and international normative framework in the field of personal data protection. In this context, the NCPDP trainers presented the main concepts and principles governing data processing, including lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.

       At the same time, aspects related to the rights of data subjects were addressed, such as right to access, rectification, erase, restriction of processing and object, as well as the mechanisms by which these rights can be exercised in practice. Particular emphasis was placed on the responsibilities of controllers and processors, including the obligation to implement appropriate technical and organizational measures to ensure data security, prevent unauthorized access and manage security incidents.

       The importance of carrying out such training activities is determined by the need to ensure respect for the fundamental right to privacy and personal data protection, especially in the context of the digitization of public services and the increase in the volume of processed data. The training helped to raise awareness among employees of the risks associated with data processing and to develop an organizational culture based on responsibility, integrity and compliance.

       As a result of participating in this course, NCSE representatives have strengthened their skills in the field, being better prepared to correctly apply the legal provisions, adequately manage personal data and ensure respect for the rights of data subjects. The training also contributed to reducing the risks of data security breaches and increasing the level of citizens’ trust in the institution’s activity.

       NCPDP reaffirms its commitment to continue organizing and carrying out training and information activities in the field of personal data protection, in order to support public authorities and institutions in the process of aligning with national and international standards and ensuring a high level of data protection.

       The event took place in a hybrid format, with 60 representatives of the NCSE being trained.

       The National Center for the Personal Data Protection (NCPDP) organized, at the institution’s headquarters, an interinstitutional meeting with representatives of the Agency for Cybersecurity, with the objective of strengthening dialogue and cooperation in the fields of personal data protection and cyber security.

       During the meeting, the interdependence between the fields of personal data protection and cyber security was emphasized, in the context of accelerated digital transformations and the increase in risks associated with information security, highlighting the need for effective institutional cooperation between competent authorities.

       At the same time, the importance of complying with data protection principles and requirements was emphasized, especially in the exercise of duties aimed at monitoring, analyzing and reacting to risks and threats in cybersecurity, which may involve the processing of significant volumes of personal data. Ensuring an appropriate balance between cyber security measures and guaranteeing the rights of data subjects is an essential element in the exercise of the legal powers of both institutions.

       At the same time, it was emphasized that, on August 23, 2026, Law no. 195/2024 on personal data protection, a normative act that marks a reference moment in the consolidation of the national data protection framework and in its alignment with European standards.The effective implementation of the new legal provisions inherently implies the intensification of institutional cooperation, including in the field of prevention, notification and management of security incidents involving personal data.

       NCPDP expresses its conviction that a consolidated cooperation between institutions will contribute to strengthening the areas of competence and ensuring an increased level of protection of the fundamental rights and freedoms of the data subjects, in the context of the new digital challenges.

       On April 1, 2026, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for the employees of the Institute for Standardization of Moldova (ISM), at the request of the beneficiary institution. The activity was part of the continuous efforts of the NCPDP to promote a solid culture of data protection and to support national authorities and organizations in the correct application of the relevant regulatory framework.

       The purpose of the training was to strengthen the theoretical and practical knowledge of the participants in the field of personal data protection, with an emphasis on the responsibilities of controllers, the basic principles of data processing, as well as on the correct application of legal requirements in the current activity of the institution. At the same time, the course aimed to develop the capacity of participants to identify the risks associated with data processing and to implement appropriate measures to prevent security incidents.

       The importance of training lies in the essential role that data protection plays in ensuring respect for the fundamental rights and freedoms of natural persons, especially the right to privacy. In the context of accelerated digitization and the increase in the volume of processed data, public institutions and organizations must pay more attention to compliance with legal norms, as well as the implementation of effective data protection mechanisms. Such initiatives contribute to increasing the level of institutional responsibility and strengthening public trust in how personal data are managed.

       During the training, relevant topics were addressed such as: the basic principles of data protection, the legal grounds for processing, the rights of data subjects, the obligations of controllers and processors, technical and organizational security measures, as well as the management of security incidents and their notification.

       The lessons learned by the participants mainly concerned the importance of integrating data protection into all institutional processes („privacy by design” and „privacy by default”), the need to document processing operations, as well as adopting a proactive approach in identifying and mitigating risks. Participants also became aware of each employee’s role in ensuring compliance and preventing possible data security breaches.

       NCPDP reaffirms its openness to continue collaboration with national institutions, in order to develop professional skills in the field of personal data protection and promote good practices at the institutional level.

       About 20 representatives from ISM participated in the event.

       In light of the significant growth in the number of social networks over the last decade and the pressing need to protect the privacy of individuals’ personal data, the National Centre for Personal Data Protection (NCPDP) reiterates the following recommendations:

       With the appearance of social networks such as Twitter, Tumblr, Facebook, Telegram, Instagram, Linked In, Tik Tok, Snapchat, etc., social life has changed dramatically, becoming a powerful tool for socialising, making new friends and acquaintances, sharing photos, videos or promoting information. People easily share news, pictures, personal opinions and almost anything that happens in their lives. Disclosure of personal data creates a favorable environment for advertising companies, people launching charity appeals (fake fundraisers for humanitarian purposes), people seeking revenge, cyber criminals, and could involve collecting sensitive data about people’s online activities, interests, personal characteristics, political views, habits and behaviors.

       The personal information a person posts online, along with data describing their actions and interactions with others, can create a comprehensive profile that may contain that person’s activities and passions.

       Broadly speaking, social networking services (SNSs) can be defined as online communication platforms that allow people to join a network or create communities/groups of like-minded users with certain common characteristics:

• users are invited to provide personal data for the purpose of creating so-called “accounts/profiles”, which contain a personal description;
• SSR also offers tools that allow users to publish their own material (user-generated content such as a photo, music, videos or links to other sites);
• “social networking” is facilitated by the use of tools that provide each user with a contact list through which users can interact with each other.

       In terms of the national legislative framework governing the protection of personal data, SRP providers are data controllers. They provide the methods for processing user data and provide all the “basic” means/services related to user management (e.g. registration and deletion of user accounts). Application providers may also be data controllers if they create applications that work/run alongside the SSR and if users decide to use such an application.

       In most cases, users are considered to be data subjects. Data protection law does not impose obligations of a data controller on a natural person – a user who processes personal data “in the course of an exclusively personal or domestic activity” – the so-called “domestic activities exception”.

       However, in certain situations, there is a possibility that the activities of an SSR user may not be covered by the domestic activities exception and the user may be deemed to have taken over some of the obligations of a data controller, in which case the provisions of data protection legislation must be respected.

       Thus, the SSR user will be considered a controller and the domestic activities exception will not apply in the following situations:

• In general, access to the data (profile data, postings, reports…) with which a user operates/acts is limited to the contacts selected by the user. However, in certain situations, the user’s list of third party contacts may expand, without the user being aware of some contacts having access to his/her account. A high number of contacts may be an indication that the domestic activities exception does not apply and that the user may be considered a data controller. Thus, if access to profile information extends beyond the contacts selected by the user, as in the case of granting access rights to a profile to all SSR members, or where data is indexable by search engines, access is not limited to the personal or domestic domain. Similarly, if a user makes an informed decision to extend access to his or her profile by accepting more people beyond the selected “friends”, he or she will have to assume the responsibilities of a data controller.
• It should also be noted that even if the domestic activities exception does not apply, the SSR user may benefit from other exceptions, such as the exception for journalistic, artistic or literary purposes. In these cases, a balance must be struck between freedom of expression and the right to privacy.

       Last but not least, it should be noted that even where the domestic activities exception applies, a user may be held liable under the general provisions of the relevant national civil or criminal law (e.g. defamation, tort liability for infringement, criminal liability).

       Respectively, SSR users must show utmost caution what personal data they publish, what they write in public, what photos/videos or audio recordings they post or who they trust on a social network.

       At the same time, the NCPDP warns that the collection and processing of personal data on social networks, like any data processing, must be carried out in strict compliance with the provisions of the Personal Data Protection Law, and the personal data being processed must be: processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purpose for which they are collected and/or further processed.

       Thus, the NCPDP urges data subjects to protect their privacy before publishing or sharing certain information on social media or any other online platform.

       It is very important that social media users read carefully and understand:

• Privacy terms (e.g. content that can be shared with a third party, ability to remove content from the site, etc.);
• Site features (e.g. who can see your messages, whether it will be only specified recipients or all users on the platform, etc.);
• What biographical information should be provided (e.g. biographical data such as full name, year of birth, age or address should only be used when registering your account and not given to other users on social networks),
• Account information (e.g. sensitive information such as: school attended, political affiliation, bank account information, place of living/domicile, etc. should never be provided);
• Who the potential “Friends” are (e.g. by analysing their profile to understand who they are, what they do and what kind of content they distribute);
• The need to disable the location sharing features of the gadget being used;
• Extreme caution when posting photos/video or audio recordings online (it could be very difficult to delete them, as in the case of metadata or if someone has copied, shared or distributed them on other sites or social networks), etc.

       Even though it is quite difficult to control privacy on social networks, it is not impossible. The NCPDP emphasises the responsibility of every citizen to ensure the protection of personal data, and the security and privacy of this data must be a priority.