The National Center for the Protection of Personal Data (NCPDP), for informational and practical purposes, reports on the administrative fine of €80,000 imposed by the French Data Protection Authority (CNIL) on CALOGA for violations of article 5 (Principles relating to the processing of personal data), article 6 (Lawfulness of processing), and article 7 (Conditions for consent) of the General Data Protection Regulation (GDPR).

As part of its 2022 priority focus on the oversight of direct marketing practices, CNIL investigated the activities of actors in this ecosystem—particularly data intermediaries known as data brokers. CNIL thus carried out investigations into CALOGA, which obtained marketing data primarily from other data brokers, online game competition organizers, and product testing websites. CALOGA used these data to send email marketing messages to potential customers on behalf of its advertising clients. It also shared part of these data with its clients so they could conduct their own electronic marketing campaigns.

Following the investigations, CNIL identified several infringements, including:

• Failure to obtain valid consent from individuals to receive electronic commercial offers (article L.34-5 of the French Postal and Electronic Communications Code): the misleading nature of the consent forms used by data brokers made it impossible to obtain freely given and unambiguous consent, as required under the GDPR, which should have formed the legal basis for CALOGA’s marketing activities;

• Failure to allow for withdrawal of consent (article L.34-5 of the CPCE, as referenced in article 7 GDPR): in CALOGA’s system, potential clients could not unsubscribe from the company’s various databases with a single click. Therefore, withdrawing consent was not as easy as giving it;

• Failure to ensure a legal basis for data processing (article 6 GDPR): in its role as a data broker, the company shared databases with other partners, who then used them to send marketing emails on behalf of their own advertising clients;

• Failure to define and respect a proportional data retention period (article 5(1)(e) GDPR): every time a potential client opened one of the company’s emails—even by mistake—CALOGA extended the retention period for that individual’s data in its databases, potentially indefinitely.

In this context, CNIL imposed an administrative fine of €80,000, which was made public. The amount of the fine was determined based on the large number of individuals involved, the company’s longstanding position on the market, the financial gain obtained from the violations, and the company’s complete cessation of operations in 2024.

NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the legal framework on personal data protection and to ensure that data processing operations are conducted in accordance with the applicable law.

The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the administrative fine of 5 million euros imposed by the Italian Data Protection Authority (SA) on Luka Inc. for violations of Article 5 (Principles relating to the processing of personal data), Article 6 (Lawfulness of processing), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 24 (Responsibility of the controller), and Article 25 (Data protection by design and by default) of the GDPR.

The Italian SA launched an investigation on its own initiative following press reports and a preliminary inquiry into the Replika service — a chatbot with both written and voice interfaces developed and managed by the U.S.-based company Luka Inc., based on a generative AI system. The chatbot enables users to “create” a “virtual companion” that can serve as a confidant, therapist, romantic partner, or mentor.

Following the investigation, the Italian SA confirmed that the alleged violations, which had prompted it to order the app’s blocking in February 2023, did indeed occur. Until February 2, 2023, the company had not identified a legal basis for the data processing operations carried out through Replika. Additionally, Luka Inc. provided a privacy policy that was non-compliant in several respects. The Italian SA also found that, until February 2, 2023, the company had not implemented any age verification mechanisms—either at registration or during use of the service—despite having stated that minors were excluded from the category of potential users.

Technical assessments revealed that the age verification system currently implemented by the controller still has several deficiencies.

In this context, the Italian SA imposed an administrative fine of 5 million euros on Luka Inc. for violations of Articles 5(1)(a), 5(1)(c), 6, 12, 13, 24, and 25(1) of the GDPR. Furthermore, the Italian SA reserves the right to investigate and assess, in a separate and autonomous procedure, the lawfulness of the processing operations carried out by Luka Inc., specifically regarding the legal bases applicable throughout the lifecycle of the generative AI system underlying the Replika service.

As the national supervisory authority for personal data processing, the NCPDP emphasizes the responsibility of data controllers to comply with the legal framework on personal data protection and to ensure that all data processing activities are conducted in accordance with the applicable legislation.

On June 10, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for the employees of the Cantemir Police Inspectorate.

The purpose of the training session was to raise awareness among Cantemir Police Inspectorate staff regarding the principles of personal data protection, as well as to ensure the proper application of legal provisions in this field within their professional duties.

During the event, several important topics were addressed, including:

• The definitions of general concepts related to the field of personal data protection;

• The rights of data subjects;

• The processing of special categories of personal data;

• The lawful processing of personal data in police work;

• The requirements for data protection in the performance of job responsibilities;

• Ensuring the security and confidentiality of processed personal data, etc.

The training course proved to be highly useful and interactive. Particular interest was shown in topics related to the proper procedures for accessing personal data via State Information Systems, including the application of exceptions and restrictions governed by Article 15 of Law No. 133/2011.

Approximately 50 representatives of the Cantemir Police Inspectorate took part in the training.

This training session is part of the 2025 training plan for IGP subdivisions, approved and signed by the leadership of both the NCPDP and the General Police Inspectorate on January 28 of the current year.

The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, announces the imposition of an administrative fine of €13,500 by the Polish Data Protection Authority (SA) for violations of Article 24 (Responsibility of the controller) and Article 32 (Security of processing) of the GDPR.

In 2022, Polskie Radio Szczecin released a press article in which a conviction for sexual harassment was described. The journalist revealed that a parliament member’s son was the victim and did it in such a way that the child could be identified. Following the discovery of harassment, this person committed suicide. 

Following the investigation carried out by the Polish SA, the following violations were found:

• Polskie Radio Szczecin, as the data controller, did not carry out a risk analysis for the processing of personal data in connection with its editorial activities;

• It failed to comply with its own personal data protection documentation;

• It also failed to implement data security measures to ensure the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and processing services due to:

  • lack of clear and transparent rules on the handling of press material containing personal data, regulating the obligation to verify such material prior to publication in terms of personal data identifying natural persons whose publication may infringe the law or the rights and freedoms of natural persons;

  • lack of encryption for personal data storage devices used outside the processing area;

• Polskie Radio Szczecin has not put in place appropriate technical and organisational measures to ensure that the effectiveness of the technical and organisational measures to ensure the security of personal data is regularly tested, measured and evaluated.

In this context, the Polish SA imposed an administrative fine of €13,500 for violations of Article 24(1) and Article 32(1,2) of the GDPR. Additionally, on the basis of the issued decision, Polskie Radio Szczecin is to correct organisational and technical errors within 60 days.

As the national supervisory authority for personal data processing, NCPDP emphasizes the responsibility of personal data controllers to comply with the legal framework on data protection and to ensure that data processing operations are carried out in accordance with the applicable legislation.

The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the administrative fine of €262,500 imposed by the Polish Data Protection Authority (SA) on the company Centrum Medyczne Ujastek Sp. z o.o. for violations of Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data is collected from the data subject), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), and Article 32 (Security of processing) of the GDPR.

Between July 1 and 23, 2023, Centrum Medyczne Ujastek Sp. z o.o., based in Krakow, carried out monitoring through video surveillance in the neonatology department, recording images of both newborns and their mothers engaged in intimate activities such as breastfeeding According to the explanations provided by the facility, the children whose images were captured on the recordings no longer required intensive care, so their health was not at risk. 

Following investigations, the Polish SA found that the video surveillance conducted by the medical center violated applicable regulations and was furthermore covert in nature—neither the patients nor the employees of the facility were informed about the continuous video recording. determined that the memory cards that contained the recordings had not been encrypted, and that the devices used for image recording had not been configured to meet the requirements of the facility. In addition, the risk analysis provided by the medical center did not cover the risks that were the cause of the incident and did not identify security measures that could have prevented the incident from occurring. 

In this context, the Polish SA has imposed an administrative fine of €157,500 for violations of Article 6(1), Article 9(1), and Article 13(1,2) of the GDPR, and an additional fine of €105,000 for violations of Article 24(1), Article 25(1), and Article 32(1,2) of the GDPR.

As the national supervisory authority for personal data processing, the NCPDP emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework on personal data protection and to ensure that personal data processing operations are carried out in accordance with the applicable legislation.

On 6 June 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for representatives of Level I and II Local Public Authorities (LPAs) from the jurisdiction of the Hîncești Territorial Office, at the request of the State Chancellery (SC).

The purpose of the training was to familiarize public officials from Level I and II LPAs within the jurisdiction of the Hîncești Territorial Office of the SC with key aspects related to the field of personal data protection in public service, the regulation of data processing procedures, as well as the confidentiality and security requirements for personal data, in accordance with the current legislation.

The event addressed important topics, such as: the definition of general concepts related to the field of personal data protection; the principles and legal grounds for personal data processing; the rights of data subjects; the processing of special categories of personal data; data protection requirements in the performance of official duties; ensuring the security and confidentiality of processed personal data; aspects concerning the appointment of a Data Protection Officer (DPO), including their responsibilities and tasks, among others.

The training proved to be interactive, with particular interest shown in topics such as: access to information of public interest with regard to personal data protection legislation; the proper procedure for accessing personal data through state information systems; and the obligation to anonymize/depersonalize excessive personal data when publishing normative acts.

The event was attended by approximately 85 representatives of Level I and II LPAs from the districts of Hîncești, Cimișlia, Leova, and Basarabeasca, as well as employees of the Hîncești Territorial Office of the SC.

On June 3, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for the representatives of 10 local public authorities (LPAs) participating in the financial support program “Strengthening Governance Based on Reliable and Disaggregated Demographic Data for Central and Local Public Authorities”, at the request of the United Nations Population Fund (UNFPA).

The purpose of the training session was to strengthen the capacities of LPA representatives by familiarizing, raising awareness, and informing them about the field of personal data protection.

The event addressed important topics, such as:

• The definition of general concepts related to the field of personal data protection;

• The principles and legal grounds for personal data processing;

• The access to information of public interest with regard to personal data protection legislation;

• The proper procedure for accessing personal data through state information systems and the record maintained by municipal representatives of such access;

• Examination of requests for the disclosure of personal data, among other topics.

The event was held online, and was attended by 42 representatives from the municipalities of Ghidighici, Budești, Ruseștii Noi, Edineț, Bălți, Florești, Copceac, Cimișlia, Nisporeni, and Strășeni.

This event underscores the strong commitment of the NCPDP to continue organizing training sessions in the field of personal data protection, thereby contributing to the strengthening of a culture of respect for the right to privacy, and increasing awareness among LPA representatives regarding the importance of processing personal data in accordance with legal requirements.

Every year, on May 9th, Europe Day is celebrated as a symbol of peace and unity in Europe. Europe Day 2025 marks the fundamental values that served as the foundation for the formation and development of the European Union— principles that have transformed the 27 member states into prosperous countries dedicated to promoting human rights, peace, and progress. Additionally, Europe Day 2025 commemorates the 75th anniversary of the Schuman Declaration, which laid the foundation for the European Union as we know it today. In a speech delivered in Paris in 1950, then French Minister of Foreign Affairs Robert Schuman proposed establishing a new form of political cooperation in Europe to forever eliminate the possibility of another war between European nations. Robert Schuman’s proposal is considered the cornerstone of the European Union. To mark this day, EU institutions open their doors to the public in early May in Brussels and Strasbourg. Local EU offices throughout Europe and worldwide organize various activities and events for all ages.

In the Republic of Moldova, Europe Day was officially established in 2017, making it one of the country’s youngest holidays. This year, Europe Day will be celebrated under the slogan “Peace, Prosperity, Dignity – Europe Is You!” The traditional European Village will take place in the Great National Assembly Square under the aegis of the Government, the Delegation of the European Union to the Republic of Moldova, together with the embassies of EU member states and EU-funded projects.

The National Centre for Personal Data Protection (NCPDP), alongside other institutions from the Republic of Moldova and the EU, participates every year in the celebration of Europe Day, organizing various events to raise public awareness about the EU.

Over the years, NCPDP has followed the European trajectory, collaborating closely with EU institutions and benefiting from their support. For example, in 2025, in partnership with the e-Government Academy, NCPDP organized, on January 28, the national conference “New Legal Provisions in the Field of Personal Data Protection in the Republic of Moldova,” for around 150 representatives from both public institutions and the private sector. The event, supported by the EU’s Cybersecurity Rapid Assistance 2.0 project, served as an opportunity to exchange experience and best practices with EU experts regarding raising awareness and informing the public and private sectors about personal data protection.

Although the field of personal data protection is relatively new for the society of the Republic of Moldova, significant progress has been made in recent years towards achieving the national objective of ensuring an adequate level of personal data protection, in line with the norms of the European Union and the Council of Europe, as well as guaranteeing the protection of fundamental rights and freedoms of citizens, especially the right to privacy regarding personal data processing.

In this context, on August 23, 2024, Law No. 195/2024 on Personal Data Protection was published in the Official Gazette of the Republic of Moldova. This law faithfully transposes the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR). The new legislation will enter into force two years after its publication in the Official Gazette.

Furthermore, international cooperation remains a key driver for the institutional development objectives of NCPDP. Successes in this area have been achieved thanks to the exchange of experience, knowledge, and best practices with data protection authorities, training provided by EU experts, and the adoption and practical implementation of international standards for the protection of personal data. Cooperation, both at the European and international levels, represents a strategic aspect requiring engagement in all ongoing initiatives.

Europe Day 2025 is about reaffirming the commitment to the values that unite us and make us strong: Peace, Prosperity, and Dignity; it is about the future of every European citizen, with the EU at the same time representing a democratic model of values and principles that have been-and remain-fundamental for their prosperity.

On April 15, 2025, the National Centre for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for the employees of the Briceni Police Inspectorate.

The purpose of the training session was to enhance the understanding of personal data protection principles among the Briceni Police Inspectorate staff, as well as to ensure the correct application of the legal provisions in this field, in the performance of their duties.

Key topics discussed during the event included: the definition of general concepts related to personal data protection; the rights of data subjects; the processing of special categories of personal data; the legal manner of processing personal data in the activities carried out by police authorities; data protection obligations in the performance of official duties; ensuring the security and confidentiality of processed personal data, etc.

The training session proved to be highly beneficial and interactive, with participants showing particular interest in topics such as the correct procedure for accessing personal data through State Information Systems, including the application of exceptions and restrictions regulated by Article 15 of Law No. 133/2011, as well as the legal aspects of processing personal data through video surveillance systems.

A total of 75 representatives of the Briceni Police Inspectorate took part in the event.

This training session is part of the 2025 training plan for the subdivisions of the General Inspectorate of Police (GIP), approved and signed by the heads of NCPDP and GIP on January 28 of the current year.

On 22 May 2025, the National Centre for Personal Data Protection (NCPDP) conducted a training session in the field of personal data protection for representatives of the Ungheni Refugee Council, at the request of the United Nations High Commissioner for Refugees (UNHCR).

The training aimed to inform participants about personal data protection, given that refugees are often exposed to security and confidentiality risks. Additionally, participants were provided with all the necessary tools to act in full compliance with applicable legislation and professional ethics.

The event addressed important topics, such as:

• Respecting fundamental principles regarding the collection, processing, and storage of personal data;

• Ensuring the confidentiality and security of sensitive data concerning refugees, asylum seekers, and other individuals registered with the UNHCR;

• Preventing and reporting data security incidents, etc.

In this context, members of the Refugee Councils strengthened the necessary competencies to manage personal data responsibly, thereby contributing to a safe, transparent, and dignified environment for beneficiaries.

Around 20 representatives took part in the training session, including Ukrainian refugees, local authorities, and members of UNHCR.

This event underscores the NCPDP’s commitment to developing a data protection framework that responds to the needs of an increasingly diverse and interconnected society. Through these training sessions, NCPDP aims to raise awareness and promote responsibility regarding data protection, both among authorities and international organizations supporting refugees.