The National Centre for Personal Data Protection (NCPDP), for information purposes, communicates the fact that, following its investigation, the European Data Protection Supervisor (EDPS) has found that the European Commission (EC) has infringed several provisions of Regulation (EU) 2018/1725, the EU Data Protection Act for EU institutions, bodies, offices and agencies, including those on transfers of personal data outside the EU/European Economic Area (EEA), imposing corrective measures. At the same time, the EC failed to provide adequate safeguards to ensure that personal data transferred outside the EU/EEA benefit from an adequate level of protection equivalent to that guaranteed in the EU/EEA. In addition, in its contract with Microsoft, the EC did not sufficiently specify what types of personal data are to be collected and for what purposes when using Microsoft 365. The EC’s breaches as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.

The EDPS has therefore decided to order the EC, since 9 December 2024, to suspend all data flows resulting from the use of Microsoft 365 to Microsoft and its affiliates and subcontractors located in non-EU/EEA countries that are not subject to a adequacy decision and to bring its processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725. The EC must demonstrate compliance with both provisions by 9 December 2024.

The EDPS considers that the corrective measures it imposes are appropriate, necessary and proportionate, taking into account the seriousness and duration of the breaches found. Many of the breaches found relate to all processing operations carried out by or on behalf of the EC when using Microsoft 365 and impact on a large number of individuals. The EDPS also takes into account the need not to compromise the EC’s ability to perform its public interest tasks or to exercise its duties as an official authority vested in it, as well as the need to give it adequate time to implement the envisaged suspension of relevant data flows and to bring data processing into compliance with Regulation (EU) 2018/1725.

The NCCDP, as the national supervisory authority for personal data, emphasises the responsibility of personal data controllers to comply with the provisions of the legislative framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

On 15 March 2024, the National Centre for Personal Data Protection (NCPDP) organized a training course on personal data protection for the representatives of Riscani District Prosecutor’s Office, at their request.

The training course aimed at familiarizing the officials of Riscani District Prosecutor’s Office with the aspects of personal data protection in the public service, the regulation of processing procedures, as well as the confidentiality and security regime of personal data in accordance with the legislation in force.

During the event important topics were discussed, such as: 

Definition of general notions related to the field of personal data protection; 

Principles and legal grounds for processing personal data;

The rights of personal data subjects; 

Processing of special categories of personal data; 

Requirements for the protection of personal data in the exercise of official duties; 

Legal aspects of the processing of personal data by means of video surveillance systems; 

Ensuring the security and confidentiality of personal data processed;

Issues relating to the appointment of the Data Protection Officer (DPO); 

Data Protection Impact Assessment (DPIA) issues, etc.

The training course proved to be interactive and the topics related to the examination of requests for disclosure of personal data, as well as aspects related to the professional qualities that a DPO should possess and the position of DPO within the entity they represent, were of great interest to the course participants.

During the event, moderated by experts in the field of personal data protection from NCPDP, about 20 representatives of the Râșcani District Prosecutor’s Office were trained.

The National Centre for Personal Data Protection (NCPDP), for information and enforcement purposes, communicates about the administrative fine in the amount of EUR 24,000 imposed by the Polish Data Protection Authority (SA) on an insurance company for violation of Article 35 (Data Protection Impact Assessment) and 83 (General conditions for imposing administrative fines) of the GDPR.

The Polish SA has been informed that an unauthorised recipient has received a document confirming the granting of compensation in an email attachment. The e-mail from the insurance company contained personal data such as: name, surname, postal address, model and registration number of the car, policy number and the amount of compensation granted. The unauthorised recipient informed the insurance company that he had received an e-mail with an attachment containing another person’s personal data, but received no reply.

Following the investigations, the Polish SA decided to impose an administrative fine under Article 83(2)(a) of the GDPR, taking into account aggravating circumstances such as: the long duration of the breach, the intentional nature of the finding of a breach of data protection regulations in other ongoing proceedings against the company, the unsatisfactory level of cooperation with the Supervisory Authority.

At the same time, the Polish SA pointed out that the company is subject to specific obligations imposed by Article 35(1) of the Law of 11 September 2015 on insurance and reinsurance activities, according to which the insurance company and its employees, as well as persons and entities through which it carries out insurance operations, are obliged to keep the individual insurance contract secret. 

The NCPDP, as the national supervisory authority for personal data processing, emphasises the responsibility of personal data controllers to comply with the provisions of the legislative framework for personal data protection and to ensure that personal data processing operations comply with the legislation in force.

On 20 March 2024, the National Centre for Personal Data Protection (NCPDP) organised two training courses on personal data protection for employees of the Eastern Regional Directorate of the General Inspectorate of Border Police (IGPF).

The aim of the training courses was to increase the awareness of the employees of the Eastern Regional Directorate of the IGPF on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field, in the activity they carry out.

During the trainings important topics were discussed, such as: 

Definition of general notions related to the field of personal data protection; 

Principles and legal grounds for personal data processing; 

The rights of personal data subjects; 

Processing of special categories of personal data; 

Requirements for the protection of personal data in the exercise of official duties; 

Ensuring the security and confidentiality of personal data processed; 

Issues relating to the appointment of the Data Protection Officer (DPO);

Data Protection Impact Assessment (DPIA) issues; 

Legal aspects of personal data processing through video surveillance systems, etc.

The training courses proved to be interactive and useful, and issues related to the examination of requests for disclosure of personal data, the correct procedure for accessing personal data through state information systems, as well as the correct procedure for identifying persons who do not have identity documents, were of great interest to the course participants.

About 60 representatives of the Eastern Regional Directorate of the IGPF were trained during the events.

The training courses are part of the IGPF training plan for 2024, approved and signed by the heads of the NCPDP and IGPF on 21 February this year.

From 11 to 13 March 2024, the representatives of the National Centre for Personal Data Protection (NCPDP) made the study visit “Processing of personal data through video surveillance systems”. The event was hosted by the Spanish Data Protection Authority (AEPD) – Agencia Española de Protección de Datos.

The purpose of the event was both to take up legal and operational best practices on the use of video surveillance means, and to provide employees of the NCPDP with the skills and resources necessary to effectively address issues related to the processing of personal data through video surveillance systems, in accordance with current legislation and in the interest of protecting the rights of data subjects.

During the study visit, moderated by experts in the field of personal data protection from the AEPD, topics of importance were analysed in depth, such as: the evolution of video-surveillance regulations, the latest legislative changes and regulations related to personal data processing through video-surveillance systems, with a focus on GDPR regulations; data subjects’ rights and ethics in video-surveillance; reception and classification of complaints; inspection procedures and instructions; technical and organisational measures to ensure the security of personal data; promotion of technologies applied to video-surveillance, etc.

The study visit was organised with the support of the EU TAIEX Project – Technical Assistance and Information Exchange Instrument, managed and funded by the Directorate-General for European Neighbourhood Policy and Enlargement Negotiations (DG NEAR) of the European Commission.

Personal data is processed every second around the world – at work, when dealing with public authorities, in healthcare, when trading goods or services, when travelling abroad or when surfing the internet.

Every year, on 28 January, the European community celebrates “European Data Protection Day”. This year marks the 18th edition and 43 years since the adoption of Convention 108 for the protection of individuals with regard to automatic processing of personal data in Strasbourg on 28 January 1981.

The purpose of Convention No 108 is to ensure in the territory of each State Party, respect for the fundamental rights and freedoms, and in particular the right to privacy with respect to the processing of personal data, of every individual, regardless of nationality or residence.

It is a very special day, not only for the member states of the Council of Europe, but also for the entire Global Data Protection Community and, above all, for every individual protected by this fundamental right.

To this end, Council of Europe member states and others are organising various activities and public events to mark the day. The Republic of Moldova marks this event together with all European countries. Although the field of personal data protection is a relatively new one for Moldovan society, we have managed to make great strides in the last decade in ensuring respect for the right to privacy and in efforts to align with European standards in the field of personal data protection.

Our role as the National Data Protection Authority is becoming increasingly important and the annual celebration of this day is an opportunity to bring to the attention of the public the importance of respecting the principles of personal data processing, the right to privacy and the right to personal data protection, enshrined as fundamental rights.

Today, 26 January, the National Centre for Personal Data Protection (CNPDCP) in collaboration with TAIEX project experts is organising the national conference “Raising Awareness on the Convention 108+”.

The aim of the conference is to raise awareness of both public institutions and the private sector about Convention 108 + as a viable tool to facilitate international data transfers, thus ensuring an adequate level of protection for data subjects globally.

The event was opened by the Director of the NCPDP, Ms Victoria Muntean: “Convention 108+ is an essential pillar in ensuring an adequate level of protection for data subjects globally. In an age where data is the currency of progress, it is crucial to ensure that it is treated with respect and security. This conference is a significant step in the right direction, bringing to the attention of both public institutions and the private sector a comprehensive perspective on Convention 108+ and its impact in facilitating international data flows. The topicality of this issue is all the more important in the context of the signing by the Republic of Moldova, on 9 February 2023, of the Protocol amending Convention 108+. We are now at a crucial moment in the process of securing the ratification of this document, which brings with it new and modern rules in the field of personal data protection. The Protocol amending Convention 108+ is a clear manifestation of our firm commitment to international standards and to the fundamental rights of individuals with regard to the processing of personal data.”

The conference is moderated by data protection experts from Italy, Slovenia and Spain. Among the topics addressed by the experts are: the impact of Convention 108+ on adequacy decisions and data transfers, with a focus on compliance with the EU acquis; Convention 108+ as a viable tool to facilitate international data transfers while ensuring an adequate level of protection for individuals worldwide; Convention 108+ as a bridge between legal regimes and countries; the ratification process of Convention 108+; lessons learned and advice from ratifying countries; Convention 108+: the Evaluation and Review Mechanism, etc.

Around 100 representatives from both public institutions and the private sector will participate in the event.

The workshop is organised and funded by the European Commission Technical Assistance and Information Exchange Instrument (TAIEX).

On 5 December 2023, the National Center for Personal Data Protection (NCPDP) organized a training course on personal data protection for employees of the Chisinau Police Department.

The aim of the training course was to increase the perception of the employees of the Chisinau Police Department on the principles of personal data protection, as well as on the correct application of the legal provisions in the field, in the activity they carry out.

During the event important topics were discussed, such as: definition of general notions related to the field of personal data protection; rights of personal data subjects; processing of special categories of personal data; the legal way of personal data processing in the work carried out by police bodies; requirements for the protection of personal data in the performance of duties; ensuring the security and confidentiality of personal data processed; the correct procedure for accessing personal data through the State Information Systems, as well as keeping correct audit records of such accesses; issues related to the appointment of the Data Protection Officer (DPO), as well as his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA), as well as the steps to carry out a DPIA, etc.

The training course proved to be an interactive one, participants asking multiple questions, based on their work, and receiving documented answers with practical examples from the trainers.

About 80 representatives of the Chisinau Police Department were trained during the event.

The training course is part of the training plan for GPI subdivisions for 2023, approved and signed by the heads of NCPDP and GPI on 25 January this year.

In the period 18-19 October, the representatives of the National Centre for Personal Data Protection (NCPDP) carried out a study visit entitled “Reconciling the right of access to information and personal data protection“. The event was hosted by the French National Commission for Information Technology and Civil Liberties (CNIL).

The purpose of the event was to take up the best legal and operational practices on mechanisms to reconcile the right of access to information and the protection of personal data.

During the study visit, moderated by experts in the field of personal data protection from the CNIL and CADA – Commission for Access to Administrative Documents, topics of importance such as: protection of personal data in the exercise of the right of access to information; reconciling the right of access to information and the right to protection of personal data; request for access to administrative documents or exercise of the right of access by the data subject, how to distinguish them and what is the impact; publication and re-use of data of public interest; re-use of data of public interest for scientific research purposes, etc. have been analysed and discussed.

The study visit was organised with the support of the EU TAIEX project – Technical Assistance and Information Exchange Instrument, managed and funded by the Directorate-General for European Neighbourhood Policy and Enlargement Negotiations (DG NEAR) of the European Commission.

On 18 October 2023, representatives of the National Centre for Personal Data Protection (NCPDP), organized a training course for employees of the Regional Directorate “Centre” of the General Inspectorate of Carabineers (GIC), with the title: “Ensuring the protection of personal data in the work of the General Inspectorate of Carabineers”, at the request of the Ministry of Internal Affairs.

The aim of the course was to increase the perception of GIC employees on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field in their work.

During the event important topics were discussed, such as: definition of general notions related to the field of personal data protection; rights of personal data subjects; processing of special categories of personal data; principles and legal grounds for personal data processing; the legal way of processing personal data in the activity carried out by the GIC; requirements for the protection of personal data in the exercise of service tasks; the obligations of the GIC as data controller in relation to the data subject; issues concerning the disclosure of information containing personal data and the GIC’s analysis of access to such data; ensuring the security and confidentiality of personal data processed; the examination of requests for disclosure of personal data, etc.

The training course proved to be useful one, participants asking the trainers many questions about practical examples in the field of personal data protection.

   Around 40 representatives of the Regional Directorate “Centre” of the General Inspectorate of Carabineers were trained during the event.