The National Centre for Personal Data Protection (CNPDCP), for information and enforcement purposes, communicates about the administrative fine of 525 000 euros imposed by the French Data Protection Authority (CNIL) on HUBSIDE.STORE for breach of Article 6 (Lawfulness of processing) and Article 14 (Information to be provided where personal data have not been obtained from the data subject) of the GDPR.

HUBSIDE.STORE conducts telephone and SMS prospecting campaigns to promote products sold in its stores (mobile phones, laptops, etc.), acquiring data from data brokers and publishers of competing product testing websites.

As a result of the investigations, the CNIL found several violations of the GDPR, such as:

• Failure to have a legal basis for processing personal data (Article 6 GDPR);

• The misleading aspect of the data collection forms used by data brokers responsible for data collection did not allow valid consent to be obtained from data subjects. Therefore, HUBSIDE.STORE did not have a valid legal basis for collecting data (Article 6 of the GDPR) for commercial marketing via telephone calls. It is also a violation of the French Postal and Electronic Communications Code (Article L.34-5) for the purpose of marketing via SMS;

• Failure to comply with the obligation to inform individuals (Article 14 of the GDPR). Investigations revealed that individuals contacted by telephone did not have all the necessary information on the collection and use of their personal data (e.g. the identity and contact details of the company, the purposes for which the data was used, the retention periods, the source of the data, their rights or even the possibility to lodge a complaint with the French Data Protection Authority).

In this context, the CNIL imposed an administrative fine of €525,000 on HUBSIDE.STORE, which has been made public. The CNIL cooperated closely with its counterparts (Belgium, Italy, Spain, Portugal) in examining the draft decision under the single procedure, as HUBSIDE.STORE processes data from customers and potential customers in several EU Member States. The amount of the fine, which represents approximately 2% of the company’s turnover, was decided according to the seriousness of the infringement and the responsibility assumed by the company using the data collected. The CNIL also took into account the fact that HUBSIDE.STORE made extensive use of commercial marketing.

The NCPDP, as the national surveillance authority for the processing of personal data, emphasises the responsibility of personal data controllers to comply with the provisions of the legislative framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

On April 23, the National Center for Personal Data Protection (NCPDP) continued the information and awareness-raising campaign for the school community, organizing the training course “Personal data protection and children’s safety in the online environment” for the public institution Theoretical Lyceum “Iulia Hasdeu” from Chisinau. The event took place in the framework of the Personal Development class, the target audience being the students of classes IV “A”, IV “B” and IV “C”.

The aim of the school community information and awareness campaign was to provide high visibility on data protection and child safety online at local and national level by promoting empowerment and best practice intervention and support.

The topics covered in the training included: general notions on personal data; posting and correct use of pictures on social networks; creative, useful and safe use of the internet; risks of using the internet; aspects that can have negative consequences; attitudes and practices for sending pictures/videos online; communication on social networks, etc.

At the same time, the NCPDP trainers carried out interactive activities, there were discussions based on the information material presented, videos were shown and, at the end, students completed a crossword based on the material presented, the best ones being awarded with gifts.

The event was organised at the initiative of the NCPDP and 110 students were trained. Information materials and gifts for the students were developed with the support of the United Nations Children’s Fund (UNICEF).

It should be noted that the information and awareness-raising campaign for the school community was launched on 15 April 2022, and the CNPDCP aims to continue this training format in schools both in Chisinau municipality and the districts of the Republic of Moldova.

On April 19, the National Center for Personal Data Protection (NCPDP) continued the information and awareness-raising campaign for the school community, organizing the training course “Personal data protection and children’s safety in the online environment” for the public institution Lyceum “Liviu Rebreanu” from Chisinau. The event took place in the framework of the Personal Development class, the target audience being the students of classes IV “A”, IV “B” and IV “C”.

The aim of the school community information and awareness campaign is to provide high visibility on data protection and child safety online at local and national level by promoting empowerment and best practice intervention and support.

The topics covered in the training included:

• General notions of personal data (what they mean, how we identify them, how we operate with them);

• Attitudes and practices when sending pictures/videos online (the privacy of a social networking page, privacy settings, working with pictures/videos in a chat, attitude and actions taken in case a picture/video is taken without your consent and subsequently distributed);

• Online risks and threats (malware, spam, online harassment, information theft, situations that threaten your child’s privacy/security and solutions for such situations);

• Communication on social media, etc.

During the training, students played interactive games, completed a crossword based on the material presented and participated in a question and answer round, and the best were rewarded with presents.

The event was organised at the initiative of the NCPDP and 86 students were trained. The information materials and gifts given to the students were developed with the support of the United Nations Children’s Fund (UNICEF).

It should be noted that the information and awareness-raising campaign for the school community was launched on 15 April 2022, and the NCPDP aims to continue this training format both in schools in the Chisinau municipality and in the districts of the Republic of Moldova.

On 18 April 2024, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for representatives of the State Pedagogical University “Ion Creanga”.

The aim of the training course was to increase the awareness of employees in the educational sector on the principles of personal data protection and on ensuring the correct application of the legal provisions in the field in their work.

During the event important topics were discussed, such as:

• Definition of general notions related to the field of personal data protection;

• The rights of personal data subjects;

• Principles and legal grounds for processing personal data;

• Processing of special categories of personal data;

• Requirements for the protection of personal data in the exercise of official duties;

• Ensuring the security and confidentiality of personal data processed, etc.

The training course was an interactive one, with multiple practical examples presented in order to increase the perception of the University representatives on the principles of personal data protection. At the same time, the legal way of requesting and disclosing personal data, as well as the period of storage of information containing personal data in accordance with legal provisions, were of great interest to the course participants.

During the event, moderated by experts in the field of personal data protection from the NCPDP, about 40 representatives of the State Pedagogical University “Ion Creanga” were trained.

On 16 April 2024, the representatives of the National Centre for Personal Data Protection organized a training course for the representatives of the Single National Emergency Calls Service 112 (112 Service) in the field of personal data protection.

The aim of the course was to increase the awareness of the employees of the 112 Service on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field, in the activity they carry out.

During the event important topics were discussed, such as:

• Definition of general notions related to the field of personal data protection;

• The rights of personal data subjects;

• Processing of special categories of personal data;

• Principles and legal grounds for processing personal data;

• The legal modalities of processing of personal data in the activity carried out by the 112 Service;

• Requirements for the protection of personal data in the exercise of the tasks of the service;

• Ensuring the security and confidentiality of personal data processed;

• Issues relating to the appointment of the Data Protection Officer (DPO);

• Data Protection Impact Assessment (DPIA) issues and the steps to carry out a DPIA, etc.

The training course proved to be an interactive one, and the topics related to access to information of public interest in the light of the legislation on the protection of personal data, the fairness of their disclosure in relation to the proportionality criterion of limiting access to information of public interest, as well as the time limit for the retention/storage and use of personal data at the end of processing operations, were of great interest to the course representatives.

During the event, moderated by representatives of the NCPDP, about 20 representatives of the 112 Service were trained.

On 10 April 2024, the National Centre for Personal Data Protection (NCPDP) organised a training course on personal data protection for employees of the General Inspectorate of Border Police (IGPF).

The aim of the training course was to increase the awareness of the employees of the General Inspectorate of the Border Police on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in this field in their work.

During the event important topics were discussed, such as: definition of general notions related to the field of personal data protection; principles and legal grounds for personal data  processing; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO); issues related to the Data Protection Impact Assessment (DPIA); legal issues related to the processing of personal data through video surveillance systems, etc.

At the same time, we would like to mention that this was the last training course organized according to the IGPF training plan for the year 2024, approved and signed by the NCPDP and IGPF heads on February 21. Thus, training courses were organized for the following subdivisions:

• 06 March – IGPF Northern Regional Directorate (2 training courses);

• 13 March – IGPF Southern Regional Directorate (2 training courses);

• 20 March – IGPF Eastern Regional Directorate (2 training courses);

• 27 March – IGPF West Regional Directorate (2 training courses);

• April 3 – Border Police Sector “Chisinau International Airport” of the IGPF;

• 10 April – General Inspectorate of Border Police.

In this context, about 370 representatives from IGPF subdivisions were trained.

During the event, the NCPDP and IGPF heads mentioned the importance of promoting and ensuring the protection of the rights of individuals with regard to the processing of personal data, the need for joint efforts to implement these values, as well as the importance of the correct application of legal provisions in the field in the work carried out, expressing maximum openness for future fruitful collaborations.

On March 22, 2024, representatives of the National Center for Personal Data Protection (CNPDCP) organized a training course for the employees of the Agency for Intervention and Payments for Agriculture (AIPA), entitled: “General aspects of personal data protection”.

The aim of the course was to increase AIPA employees’ awareness of the principles of personal data protection, as well as to ensure the correct implementation of the legal provisions in the field, in their work.

During the event important topics were discussed, such as:

– Definition of general notions related to the field of personal data protection;

– The rights of personal data subjects;

– Processing of special categories of personal data;

– Principles and legal grounds for processing personal data;

– The legal modalities of personal data processing in the activity carried out by AIPA;

– Requirements for the protection of personal data in the performance of duties;

– Ensuring the security and confidentiality of personal data processed;

– Issues relating to the appointment of the Data Protection Officer (DPO);

– Data Protection Impact Assessment (DPIA) issues, etc.

The training course proved to be an interactive one, and aspects related to access to information of public interest though the lens of personal data protection legislation, the correct procedure for accessing personal data through the State Information Systems, as well as keeping correct records of the audit of these accesses, were of great interest to the course participants.

About 40 AIPA representatives were trained during the event, moderated by experts in the field of personal data protection from the NCPDP.

On 26 March 2024, the National Centre for Personal Data Protection (NCPDP) organised a training course on personal data protection for representatives of the Ministry of Economic Development and Digitisation (MEDD), at their request.

The training course aimed to familiarize MEDD officials with the aspects of personal data protection in the public service, the regulation of processing procedures, as well as the personal data confidentiality and security regime in accordance with the legislation in force.

During the event important topics were discussed, such as:

• Definition of general notions related to the field of personal data protection;

• Principles and legal grounds for personal data processing;

• The rights of personal data subjects;

• Processing of special categories of personal data;

• Requirements for the protection of personal data in the exercise of official duties;

• Ensuring the security and confidentiality of personal data processed;

• Issues relating to the appointment of the Data Protection Officer (DPO);

• Data Protection Impact Assessment (DPIA) issues and the steps involved in conducting a DPIA, etc.

The training course proved to be an interactive one, participants asking multiple questions, based on their work, and receiving documented answers with practical examples from the trainers.

About 20 representatives of the Ministry of Economic Development and Digitisation were trained during the event, moderated by experts in the field of personal data protection from the NCPDP.

On 27 March 2024, the National Centre for Personal Data Protection (NCPDP) organised two training courses in the field of personal data protection for employees of the Western Regional Directorate of the General Inspectorate of Border Police (IGPF).

The aim of the training courses was to raise the awareness of the employees of the Western Regional Directorate of the IGPF on the principles of personal data protection, as well as on ensuring the correct application of the relevant legal provisions in their work.

During the events important topics were discussed, such as:

• Definition of general notions related to the field of personal data protection;

• Principles and legal grounds for  personal data processing;

• The rights of personal data subjects;

• Processing of special categories of personal data;

• Requirements for the protection of personal data in the exercise of official duties;

• Ensuring the security and confidentiality of personal data processed;

• Issues relating to the appointment of the Data Protection Officer (DPO);

• Data Protection Impact Assessment (DPIA) issues, etc.

The training courses proved to be interactive and useful, and the issues of the correct procedure for accessing personal data through state information systems, the legal aspects of  personal data processing through video surveillance systems, as well as what the consequences of non-compliant/illegal processing of personal data may be, were of great interest to the course participants.

Around 60 representatives of the Western Regional Directorate of the IGPF were trained during the events.

The training courses are part of the IGPF training plan for the year 2024, approved and signed by the heads of the NCPDP and IGPF on 21 February this year.

On 3 April 2024, the National Centre for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for the representatives of the Border Police Sector “Chisinau International Airport” of the General Inspectorate of Border Police (IGPF).

The aim of the training course was to increase the perception of the employees of the Border Police Section “Chisinau International Airport” of the IGPF on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field, in the activity they carry out.

During the training course important topics were discussed, such as:

• Definition of general notions related to the field of personal data protection;

• Principles and legal grounds for processing personal data;

• The rights of personal data subjects;

• Processing of special categories of personal data;

• Requirements for the protection of personal data in the exercise of official duties;

• Ensuring the security and confidentiality of personal data processed, etc.

The training course proved to be interactive and useful, with participants asking multiple questions, based on their work, and receiving documented answers with practical examples from the trainers. At the same time, the aspects of the correct procedure for accessing personal data through state information systems, the examination of requests for disclosure of personal data, as well as the legal aspects of personal data processing through video surveillance systems were of great interest to the course participants.

About 40 representatives of the Border Police Section “Chisinau International Airport” of the IGPF were trained during the event.

The training course is part of the IGPF training plan for 2024, approved and signed by the heads of the NCPDP and IGPF on February 21, 2024.