On 5 December 2023, the National Center for Personal Data Protection (NCPDP) organized a training course on personal data protection for employees of the Chisinau Police Department.

The aim of the training course was to increase the perception of the employees of the Chisinau Police Department on the principles of personal data protection, as well as on the correct application of the legal provisions in the field, in the activity they carry out.

During the event important topics were discussed, such as: definition of general notions related to the field of personal data protection; rights of personal data subjects; processing of special categories of personal data; the legal way of personal data processing in the work carried out by police bodies; requirements for the protection of personal data in the performance of duties; ensuring the security and confidentiality of personal data processed; the correct procedure for accessing personal data through the State Information Systems, as well as keeping correct audit records of such accesses; issues related to the appointment of the Data Protection Officer (DPO), as well as his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA), as well as the steps to carry out a DPIA, etc.

The training course proved to be an interactive one, participants asking multiple questions, based on their work, and receiving documented answers with practical examples from the trainers.

About 80 representatives of the Chisinau Police Department were trained during the event.

The training course is part of the training plan for GPI subdivisions for 2023, approved and signed by the heads of NCPDP and GPI on 25 January this year.

In the period 18-19 October, the representatives of the National Centre for Personal Data Protection (NCPDP) carried out a study visit entitled “Reconciling the right of access to information and personal data protection“. The event was hosted by the French National Commission for Information Technology and Civil Liberties (CNIL).

The purpose of the event was to take up the best legal and operational practices on mechanisms to reconcile the right of access to information and the protection of personal data.

During the study visit, moderated by experts in the field of personal data protection from the CNIL and CADA – Commission for Access to Administrative Documents, topics of importance such as: protection of personal data in the exercise of the right of access to information; reconciling the right of access to information and the right to protection of personal data; request for access to administrative documents or exercise of the right of access by the data subject, how to distinguish them and what is the impact; publication and re-use of data of public interest; re-use of data of public interest for scientific research purposes, etc. have been analysed and discussed.

The study visit was organised with the support of the EU TAIEX project – Technical Assistance and Information Exchange Instrument, managed and funded by the Directorate-General for European Neighbourhood Policy and Enlargement Negotiations (DG NEAR) of the European Commission.

On 18 October 2023, representatives of the National Centre for Personal Data Protection (NCPDP), organized a training course for employees of the Regional Directorate “Centre” of the General Inspectorate of Carabineers (GIC), with the title: “Ensuring the protection of personal data in the work of the General Inspectorate of Carabineers”, at the request of the Ministry of Internal Affairs.

The aim of the course was to increase the perception of GIC employees on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field in their work.

During the event important topics were discussed, such as: definition of general notions related to the field of personal data protection; rights of personal data subjects; processing of special categories of personal data; principles and legal grounds for personal data processing; the legal way of processing personal data in the activity carried out by the GIC; requirements for the protection of personal data in the exercise of service tasks; the obligations of the GIC as data controller in relation to the data subject; issues concerning the disclosure of information containing personal data and the GIC’s analysis of access to such data; ensuring the security and confidentiality of personal data processed; the examination of requests for disclosure of personal data, etc.

The training course proved to be useful one, participants asking the trainers many questions about practical examples in the field of personal data protection.

   Around 40 representatives of the Regional Directorate “Centre” of the General Inspectorate of Carabineers were trained during the event.

On October 17, the representatives of the National Center for Personal Data Protection (NCPDP) participated in the Conference “GDPR4BUSINESS”, organized by the National Association of ICT Companies within the ABA Rule of Law Initiative Project “Personal Data Protection – Rights and Obligations in the Republic of Moldova” in partnership with the European Business Association (EBA Moldova).

At the opening session, the Deputy Director of the NCPDP, Angela COLOMIICENCO, thanked the National Association of ICT Companies and its partners for their contribution to the initiation and organisation of the conference, welcoming the participation of business, civil society and representatives of public institutions in the event, which she described as testimony to the strengthening of cooperative relations in the field of personal data protection.

Ms Angela COLOMIICENCO said: “We are all witnessing a rapid transformation of the digital world, a world in which personal data is ubiquitous. The ever-increasing demand for personal data is accompanied by an increase in their value, on a social, political and economic level. In this context, data protection becomes essential for the rights and freedoms of individuals but also for increasing citizens’ trust that data controllers will respect the conditions of processing and will ensure data security, and an important role in this respect is played by data protection legislation, as well as by the NCPDP, which contributes strongly to the alignment of national legislation with the General Data Protection Regulation and the EU acquis. This legislative harmonisation is necessary in order to maintain the upward trend of personal data protection and not to allow a regression of the field, as well as to continue to ensure a genuine respect for the rights of personal data subjects and a legally secure territory for personal data controllers. NCPDP believes that the Republic of Moldova must have balanced and clear rules, without deviations from the GDPR, we need a comprehensive legislative framework for the protection of personal data, because the latest changes in the social sphere have shown that the complexity of personal data processing operations depends on various new circumstances related to the development of information technologies that the state often fails to regulate“.

Mr. Alexei STRAHOV, Head of the Prevention, Surveillance and Evidence Department, participated in the conference as an expert on behalf of the NCPDP, who addressed the topic “Data Protection Officer” (DPO), highlighting the newest and important aspects required by the provisions of Law 133/2011 on the protection of personal data, appointment of the DPO, DPO function, and DPO tasks.

At the same time, the conference presented practices with applicable content for business and representatives of public authorities, such as:

• Key aspects of the draft law on Personal Data Protection;
• international and regional experience in the application of GDPR;
• solutions and responses to situations, cases and challenges faced by business and public authorities in implementing the harmonised legal framework.

   During the event, as speakers, participated state officials, national and international experts in the field of data protection.

On 16 October 2023, representatives of the National Centre for Personal Data Protection organized a training course for employees of Glodeni District Hospital with the title: “Legal provisions in the field of personal data protection”.

The aim of the course was to strengthen the capacities of medical staff by familiarising, raising awareness and informing them about the field of personal data protection.

The event covered important topics such as:

• Definition of personal health data;
• Processing of special categories of personal data;
• Legal grounds for processing personal data concerning health;
• Patients’ rights;
• The mandatory secrecy of personal data;
• Disclosure of personal health data;
• Data minimisation and storage limitation;
• Processing of personal data in the work of health professionals;
• Obligation to ensure confidentiality and security of data processing; etc.

The training course, moderated by the representative of the Prevention, Surveillance and Evidence Directorate, proved to be a useful one, with participants asking the trainer many questions about practical examples in the field of personal data protection. At the same time, the topics related to the processing of personal data in the activity carried out by medical staff, the patient’s right to confidentiality of information related to medical confidentiality, as well as the disclosure of such data to the patient’s legal representative, were of particular interest to the participants.

About 90 representatives of Glodeni District Hospital were trained during the event.

On the 11^th of October 2023, the representatives of the National Centre for Personal Data Protection (NCPDP) organized a training course for employees of the Regional Directorate “Centre” of the General Inspectorate of Carabineers (IGC), entitled: “Ensuring the personal data protection in the work of the General Inspectorate of  Carabineers “, at the request of the Ministry of Internal Affairs.

The aim of the course was to increase the perception of IGC employees on the principles of personal data protection, as well as on ensuring the correct application of the relevant legal provisions in their work.

During the event important topics were discussed, such as:

• Definition of general notions related to the field of personal data protection;
• The rights of personal data subjects;
• Processing of special categories of personal data;
• Principles and legal grounds for personal data processing;
• The legal modalities of processing personal data in the activity carried out by the IGC;
• Requirements for the protection of personal data in the exercising of the work tasks;
• The obligations of the IGC as data controller in relation to the data subject;
• Disclosure aspects of information containing personal data and the analysis carried out by the IGC in relation to access to such data;
• Ensuring the security and confidentiality of personal data processed;
• Examination of requests for disclosure of personal data, etc.

The training course proved to be a useful one, with participants asking the trainers many questions about practical examples in the field of personal data protection.

About 50 representatives of the Regional Directorate “Centre” of the General Inspectorate of Carabineers have been trained during the event.

On the 10^th of October 2023, the National Center for Personal Data Protection (NCPDP) organized a training course on personal data protection for the employees of Taraclia Police Inspectorate.

The aim of the training course was to increase the perception of Taraclia Police Inspectorate employees on the principles of personal data protection, as well as on ensuring the correct application of legal provisions in the field, in the activity they carry out.

During the event important topics were discussed, such as: definition of general notions related to the field of personal data protection; rights of personal data subjects; processing of special categories of personal data; the legal way of personal data  processing  in the work carried out by police bodies; requirements for the protection of personal data in the performance of duties; the correct procedure for accessing personal data through the State Information Systems, as well as the correct record keeping of the audit of such accesses; issues concerning the disclosure of information containing personal data, as well as the data controller’s analysis of the access to such data; ensuring the security and confidentiality of personal data processed, etc.

About 30 representatives of Taraclia Police Inspectorate were trained during the event.

The training course is part of the training plan for GPI subdivisions for 2023, approved and signed by the heads of NCPDP and GPI on January 25.

   In the context of recent media reports regarding access to personal data processed through the “Yandex Go” application (such as: mobile device data, names, phone numbers, email addresses, banking information, and addresses for taxi routes), the National Center for Personal Data Protection (NCPDP) provides the following clarifications and recommendations for data subjects:

   NCPDP encourages data subjects to be vigilant and to inform themselves about the conditions stipulated in the Yandex Privacy Policy before installing the Yandex Go application on their mobile devices: once this application is installed, the processing of personal data is based on the consent of the data subject.

   According to the Yandex Privacy Policy, customers are informed of the following:

– Section 2: Who processes your personal information: To provide you with access to the Sites and Services, your personal information is collected and used by Yandex which may include YANDEX LLC, a company incorporated under Russian law, with a head office registered at 119021, Russia (“YANDEX” LLC), or its affiliates for particular Services or in specific jurisdictions.

– Section 8: Where your Personal information is stored and processed: Yandex stores Personal information in the Russian Federation and in the EEA. … by using the Sites or Services you provide Yandex with your express and unambiguous consent to such transfer, storage, and/or processing of the information in other jurisdictions, including Russia.

   Furthermore, in the case of using foreign systems/platforms which are managed or created by non-resident controllers, whose servers are located outside the country, there is an implicit situation of cross-border transfer of personal data collected/processed through these systems/platforms – this causes the mandatory application of the provisions of Article 32 of Law No.133/2011 on personal data protection.

   In these circumstances, the cross-border transfer of personal data to States which do not provide an adequate level of protection (such as, for example, the Russian Federation) can befall under the conditions set out in Article 32 para. (5) of the Law No.133/2011 on personal data protection. This article stipulates that transmission of personal data to States which do not provide an adequate level of protection may take place:

1. b) with the consent of the data subject, with information on the possible risks that such transfers may involve for the data subject due to the lack of a decision on the adequacy of the level of protection and adequate safeguards;
2. i) if the processing takes place on the basis of the standard contract for the cross-border transmission of personal data, developed and approved by the Center, concluded by the controller.

   Also, it should be noted that in the case of taxi management platforms owned by non-resident entities but operating and/or having legal effects on the territory of the Republic of Moldova, competent state authorities may encounter obstacles and/or may not be able to exercise effective control over the potentially harmful activities.

   Furthermore, in the circumstances described above, including the personal data subject will lose control over his personal data and will be in difficulty to exercise their rights established by the Law No.133/2011 on personal data protection.

   In the context of the abovementioned information, as well as considering that personal data were transferred cross-border to States which do not provide an adequate level of protection could be used to the detriment of data subjects or for purposes other than those declared by the data controller, through the Opinion submitted to the Government regarding the Project on legislative initiative No. 252 of July 13, 2023, NCPDP has proposed, among other things:

… in the context of ensuring the effective protection of processed personal data, it would be appropriate to inspect the possibility of establishing a standard regarding the use of automated management systems/platforms managed/maintained/stored within the territory of the Republic of Moldova. Moreover, taking into account the provisions of Article 4 and Article 5 para. (5) letter b) of Law No. 133/2011 on personal data protection, the obligations/rules for processing personal data (such as, for example: the use of national electronic management systems/platforms, as well as the storage of servers within the territory of the Republic of Moldova, without allowing the cross-border transfer of personal data) must be provided for by law.

On 27^th of September 2023, the representatives of the National Centre for Personal Data Protection organized a training course for employees of the Municipal Children’s Hospital No. 1 with the title: “Legal provisions in the field of personal data protection”.

The aim of the course was to strengthen the capacities of medical staff by familiarizing, raising awareness and informing them with the field of personal data protection.

The event addressed important topics such as: definition of personal health data; processing of special categories of personal data; legal grounds for processing personal health data; patients’ rights; obligation of secrecy of personal data; disclosure of personal health data; data minimization and storage limitation, etc.

The training course, moderated by representatives of the Prevention, Sueveillance and Evidence Department, proved to be very useful and interactive. The legal modalities of processing personal data in the daily work carried out by the medical staff, as well as the aspects related to the examination of requests for disclosure of personal data on health status to the patient’s legal representative, were of great interest to the course participants.

About 70 representatives of the Municipal Children’s Hospital No. 1 were trained during the event.

   On 28^th of September 2023, the National Centre for Personal Data Protection (NCPDP) organised a training course entitled “Ensuring personal data protection in the work of the National Anti-Corruption Centre” for employees of the National Anti-Corruption Centre (NAC), at their request.

   The aim of the training course was to increase the perception of NAC’s employees on the principles of personal data protection, in order to learn and assimilate the best practices in the field, as well as to ensure the correct application of legal provisions in their work, which will subsequently contribute to increasing the performance of NAC’s employees in detecting and counteracting corruption.

   During the event important topics were discussed, such as:

• Definition of general notions related to the field of personal data protection;
• The legal way of processing personal data in the work carried out by NAC’s employees;
• The requirements for the protection of personal data in exercising their duties;
• The correct procedure for accessing personal data through state information systems and the records kept by the NAC of such accesses;
• The regulatory framework governing the protection of information in criminal cases containing personal data;
• Verification of the conformity of personal data processing. Stages of investigation;
• Data Protection Officer (DPO) issues;
• Data Protection Impact Assessment issues, etc.

   At the same time, during the event was discussed about the importance of personal data protection in the framework of criminal prosecution actions carried out by NAC’s officers, as well as the legality of accesses for the purpose of identifying potential suspects in relation to causality, necessity and proportionality of these actions.

   The training course proved to be an interactive one, the NCPDP’s trainers providing participants with answers/explanations to the many questions they asked.

    About 150 NAC’s representatives were trained during the event.