The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of 125 000 euros applied by the French Supervisory Authority (CNIL) to CITYSCOOT for the disproportionately infringement on the privacy of its customers by geolocating them almost permanently.

CNIL carried out investigations on the company CITYSCOOT, which rents scooters for a short period. The investigations focused in particular on the data collected as well as on the information and consent obtained from users before processing technical information on their mobile phone or computer.

Following the investigations, CNIL found several violations, such as:

·        Failure to comply with the obligation to ensure data minimisation (Article 5.1.c of the GDPR);

·        Failure to comply with the obligation to provide a contractual framework for the processing operations carried out by a processor (Article 28.3 of the GDPR);

·        Failure to inform the user and obtain his or her consent before writing and reading information on his or her personal device (Article 82 of the French Data Protection Act).

On the basis of these findings, CNIL imposed a fine in the amout of 125 000 euros to CITYSCOOT, which was made public. This decision was taken in cooperation with the Spanish and Italian data protection authorities, as CITYSCOOT also offers these services in these countries. The amount of the penalty takes into account the company’s turnover, the number of users (about 250 000 in 2022) and the seriousness of the breaches identified, but also the measures taken by the company to remedy them during the procedure.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

On 29-30 March, the National Centre for Personal Data Protection (NCPDP) in collaboration with TAIEX project experts is organising the TAIEX Expert Mission “Personal data processing for statistical purposes” in online format.

The objective of the Expert Mission is to present the European legal and operational best practices on the mechanisms of processing and storage of personal data for statistical purposes by the National Bureau of Statistics (NBS), data exchange between the institutions and the NBS, as well as the regulations related to the security of these data.

The event takes place over two days:

·        On the first day there will be discussions between EU experts, representatives of the NCPDP and representatives of the NBS in order to identify issues related to personal data processing for statistical purposes, ensuring guarantees on the security of personal data and their non-excessiveness for the production of official statistics, while respecting the rights of data subjects.

·        On the second day, a training course will be held for representatives of public institutions from the National Bureau of Statistics; General Inspectorate of Border Police; Public Services Agency; E-Governance Agency; Ministry of Internal Affairs; Ministry of Health; State Chancellery; State Tax Service; Customs Service

The Expert Mission will be moderated by data protection experts from România and Greece. Among the topics to be addressed by the experts are: general conditions for the processing of personal data for statistical purposes; further processing of personal data for statistical purposes; access of the NBS to information systems where personal data are processed; regulations laying down safeguards for the protection of personal data processed for statistical purposes; longer storage of personal data for statistical purposes; conditions for depersonalisation/pseudonymisation of personal data; international legal standards in both statistical activities and personal data protection; ensuring security and confidentiality when processing personal data for statistical purposes; etc.

The event is attended by 24 representatives of public sector.

The Expert Mission is organised and funded by the Technical Assistance and Information Exchange instrument of the European Commission (TAIEX).

On 6 March 2023, the National Centre for Personal Data Protection (NCPDP) jointly with the General Police Inspectorate (GPI), organized a training course on personal data protection for employees of the National Investigation Inspectorate (NII).

The aim of the training course was to increase NII employees’ awareness on the principles of personal data protection, as well as to ensure the correct application of the relevant legal provisions in their work.

In the framework of the event, the following important topics were discussed:

– Definition of personal data concepts;

– The legal way of personal data processing in the activity carried out by NII;

– The requirements for the personal data protection in carrying out their duties and responsibilities;

– Legal aspects of personal data processing through video surveillance systems;

–  Aspects regarding disclosure of criminal cases data handled in their basic activity;

– Correct procedure for accessing personal data via State Information Systems and correct evidence of audit records on such accesses;

– Rights of personal data subjects, etc.

About 60 NII representatives attended the training course.

 Many questions were given to the trainers and all of them were answered/explained to the participants regarding aspects of personal data protection.

The training course is part of the schedule of trainings in the GPI subdivisions for the year 2023, approved and signed by the heads of the NCPDP and GPI on 25 January this year.

The National Centre for Personal Data Protection (NCPDP) organised on 9 February a debate with students and master students from the Moldova State University (USM) in the field of personal data protection.

The theme of the debate was: “Current challenges in the field of personal data protection” which covered the following topics:

   NCPDP – Data Protection Authority;

  What is personal data;

  Principles of personal data protection;

  Rights of personal data subjects and how to apply them;

  Elementary application measures for personal data security and privacy;

   National and international practice concerning the cases examined in the field of personal data protection.

The aim of the debate was to make students and master students understand the challenges they are facing in the current period related to the field of personal data protection.

The debate was attended by about 35 students from the second, third and fourth year of studies, as well as master students of the Law Faculty of USM. All those present in the hall showed interest in the topics discussed and asked questions to the representative of the NCPDP.

This activity is part of the action plan approved by the NCPDP in the context of Data Protection Day, which is marked annually on 28 January in the European community and beyond.

On February 9, 2023, in Strasbourg, H.E Ambassador Daniela Cujbă, Permanent Representative of the Republic of Moldova to the Council of Europe, signed the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No.223), which was adopted by the Committee of Ministers of the Council of Europe on 18 May 2018 and opened for signature on 10 October 2018.

The amending Protocol modernises and improves the Convention (ETS No 108), taking into account the new challenges in ensuring the protection of individuals with regard to the processing of personal data that have emerged since the adoption of Convention 108 in 1981.

The Protocol provides a robust and flexible multilateral legal framework to facilitate cross-border data flows while providing effective safeguards when personal data are used. The Treaty addresses the challenges to privacy arising from the use of new information and communication technologies and strengthens the mechanism of the Convention to ensure its effective implementation.

The Republic of Moldova is the 45th state to sign the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. So far, the Protocol has been ratified by 21 states.

On 1 February 2023, the National Centre for Personal Data Protection (NCPDP) in collaboration with the General Police Inspectorate (IGP) started the training cycle in the context of signing the Training Plan agreed by the Parties on 25 January this year.

In this context, about 60 employees from the Anenii Noi Police Inspectorate were trained.

The training course aimed to increase the police body’s awareness of personal data protection principles and to ensure the correct implementation/application of data protection legal provisions in their work.

Several important topics were covered in the training course, including:

–    The legal way of personal data processing in the work carried out by the IGP;

–    Obligations of the police body as data controller in relation to the data subject;

–   The requirements for personal data protection in the exercise of official duties;

–    Legal aspects of personal data processing through video surveillance systems;

–   Correct procedure for accessing personal data through State Information Systems and keeping correct audit records of such accesses;

–    Personal data security and confidentiality measures, etc.

In addition to what was presented by the representative of the NCPDP, the representative of the IGP pointed out certain aspects of police activity provided for in the internal regulations of IGP.

The training course proved to be quite interactive, as the participants asked the trainers many questions, to which they received answers.

On 31 January 2023, the National Centre for Personal Data Protection (NCPDP) trained representatives of libraries in the mun. Chișinău and other districts of the Republic in the field of personal data protection.

The request for organizing the training course came from the Technical-Scientific Republican Library of the National Institute of Economic Research in mun. Chișinău, in the context of the “Data Protection Day” on 28 January.

The theme of the training course was “Personal data protection measures in the libraries”. The aim of the course was to increase the perception of library employees with the field of personal data protection.

The training covered the following topics:

– General notions in the field of personal data protection;

– Legal grounds for personal data processing;

– Processing of special categories of personal data;

– Personal data security and confidentiality measures.

The training course was organised in a hybrid format and was attended by about 80 participants.

At the end of the course, the trainers provided answers to all questions given by the participants.

On 28 January 2023, the National Center for Personal Data Protection (the Center) held the meeting of the Consultative Council to the National Center for Personal Data Protection.

The meeting was opened and chaired by Ms Victoria MUNTEAN, Director of the Center, and President of the Consultative Council.

Within the event, the results of the Center’s work and the main achievements in terms of personal data protection in 2022 and the objectives for the next period were briefly presented.

At the same time, the protection of personal data in the context of the exercise of the right to freedom of expression and the right of access to information by media representatives was discussed, followed by mention of the pressing problems faced by the institution and proposals for optimizing and improving the work of the Center.

The Council meeting was an interactive one, the members coming up with proposals and suggestions to improve the situation.

In this context, the members of the Council highlighted that all areas of activity, such as justice, medical, banking, social protection, economic, etc. interfere with the field of personal data protection and, in this respect, the need to amend the legislation in this field, in line with the new EU standards, is very important.

At the end, the members of the Consultative Council appreciated the efforts of the Center in terms of the results achieved during the period of activity and outlined the need to continue working together at institutional level in order to develop effective mechanisms for the protection of personal data in the Republic of Moldova.

Every year on 28 January, the European community celebrates “Data Protection Day”. This year it is celebrated the 42nd anniversary of Convention No 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg on 28 January 1981, and the 17th anniversary of this Day.

The purpose of Convention No 108 is to secure in the territory of each State Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data re

The Republic of Moldova signed Convention No 108 on 4 May 1998 and ratified it by Parliament Decision No 483-XIV of 2 July 1999.

On 26 April 2006, the Committee of Ministers of the Council of Europe decided to launch a Data Protection Day, to be celebrated every year on 28 January.

In this regard, Council of Europe member states and not only, organize every year various activities and public events to mark the day. The Republic of Moldova celebrates this event together with all European countries.

Although the field of personal data protection is a relatively new one for the Moldovan society, nevertheless, we have managed in the last decade to make a lot of progress in ensuring respect for the right to privacy, as well as to align the  national legislation with European standards in the field of personal data protection.

Our role as the National Personal Data Protection Authority becomes more and more important and the annual celebration of this day is an opportunity to bring to the attention of the public the importance of respecting the principles of personal data protection, the right to privacy with regard to the protection of personal data.

Every year on 28 January, the European community celebrates “Data Protection Day”. In this regard, the National Centre for Personal Data Protection (NCPDP) has organised an information street activity on 27 January 2023.

A group of NCPDP’s employees went nearby the Arc of Triumph in mun. Chisinau, where they distributed information materials to passers-by, informing them about “Data Protection Day”, the concept of personal data, the rights of data subjects, security and confidentiality measures when processing data. At the same time, they were informed about the possible situations in which personal data are not processed in accordance with the provisions of national legislation in this field, providing them with practical guidance and recommendations that should be undertaken in such situations.

We remind you that the street activity was organized in order to raise society’s awareness in the field of personal data protection, in accordance with the Action Plan approved by the NCPDP in the context of Data Protection Day celebration.