The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of 600 000 euros applied by the French Supervisory Authority (CNIL) to Électricité de France (EDF) for the infringement of articles 7, 13, 14, 32 of GDPR and of the Postal and Electronic Communications Code.

The CNIL, has received many complaints regarding difficulties encountered by individuals in having their rights considered by the company EDF, which is the first electric utility in France.

Following the investigations, CNIL found several violations, such as:

Failure to collect consent of individuals to receive commercial prospecting by e-mail (Articles L. 34-5 of the French Postal and Electronic Communications Code and 7 of the GDPR)
Failures to inform (Articles 13 and 14 of the GDPR) and to respect the exercise of rights (Articles 13 and 14 of the GDPR)
Failure to ensure security of personal data (Article 32 of the GDPR).
In this context, CNIL imposed a fine in the amount of 600 000 euros to EDF and made it public. The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

On December 7, the National Center for Personal Data Protection organized a workshop for pupils of the 5th-6th grades of IPLT “Gheorghe Asachi” mun. Chişinău.

The workshop aimed to inform, raise awareness and provide pupils with a high visibility on personal data protection and child safety in the online environment by promoting empowerment and best practices for intervention and support.

The main topics addressed during the workshop were:

– General notions of personal data (for children’s understanding);

– Creative, useful and safe use of the internet;

– Risks of using the internet;

– Risky behaviours that can have negative consequences;

– Attitudes and practices when sending photos/videos online;

– Communication on social networks, etc.

The event was organised at the initiative of the institution, with around 120 students trained.

The trainers from the NCPDP also organised several interactive games for the pupils, discussions based on the presented materials, video spots were shown, questions were asked based on a game and at the end the students were asked questions related to the field of data protection.

It is worth mentioning that in April this year the NCPDP initiated an information and awareness campaign for the school community, in which trainings were organized for the students of the 4th grades of IPLT “Onisifor Ghibu” mun. Chişinău and aims to continue this campaign for other local and national institutions.

On November 22 and 24, 2022, the representative of the National Center for Personal Data Protection (NCPDP), Ms. Daniela Movila, Senior State Inspector of Prevention, Surveillance and Evidence Department, General Department for Surveillance and Conformity, conducted two webinars in online format, within the second edition of the program “Step in GDPR, Compliance and AML”, organized by OTP Bank S.A. and partners.

The most important topics covered in the events were: data protection impact assessment, prior consultation and personal data protection officer.

Participants had the opportunity to ask questions to the representative of the National Data Protection Authority about new trends in the field of personal data protection.

The webinar was attended by final year students, master students and teachers from the Moldova State University and Academy of Economic Studies of Moldova, with around 100 participants.

On December 2, the National Center for Personal Data Protection organized a training course for representatives of LPAs from Basarabeasca district.

The aim of the training course was to strengthen the capacities of LPAs representatives by familiarizing, raising – awareness and informing the participants with the field of personal data protection.

Several topics were discussed during the training course, such as: general notions on personal data; legal grounds for personal data processing; processing of special categories of personal data; filming and online transmission of local council meetings; depersonalization of data in the State Local Documents Registry.

At the end, the participants asked questions to the trainers regarding the practical application of the provisions of Law 133/2011 on personal data protection.

The event was held at the District Council headquarters, where the head of the Basarabeasca Police Inspectorate participated and showed interest in the topics discussed at the course.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of 265 million euros applied by the Irish Data Protection Authority (SA) to Meta Platforms for the infringement of Article 25(1) and 25(2) of GDPR.

The Irish SA commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of inquiry concerned an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms during the period between 25 May 2018 and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default.

In this context it was found the infringement of Articles 25(1) and 25(2) of GDPR. The decision imposed a reprimand and an order requiring Meta Platforms to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed an administrative fine in the amount of 265 million euros to Meta Platforms.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the compliance order applied to a personal data controller – private sector employer, issued by the Slovenian Data Protection Authority (SA) under Article 5.1(c) and 6.1(f) of the GDPR.

Following the investigation, the Slovenian SA determined that the controller carried out GPS tracking of eight company vehicles. The vehicles were used by employees as delivery vehicles and passenger delivery vehicles. Tracking was carried out by a special transmitter in the vehicle and monitored by an application that continuously recorded the distance travelled. Individuals were identifiable. Furthermore, a special record was being created containing a large amount of location data of employees. The data was processed continuously, systematically and automatically so that the employer could determine in any moment, where an individual traveling with one of the vehicles was located. The data could be accessed also retrospectively.  The employer could easily determine the employee who was using the company vehicle and to whom the location data is attributable.

Slovenian SA confirmed that providing safety of property can be in a legitimate interest of the data controller, but the controller did not demonstrate that the way the measure was carried out was appropriate and necessary. The GPS tracking was carried out also while the vehicle and the property in it were under constant and direct supervision of an employee. Slovenian SA decided that in the specific case GPS tracking could only be used in a way that the driver could turn on the GPS on the location where the vehicle, the equipment and the documents could be at risk and turn it off after returning to the vehicle, when the protected goods were again under direct supervision of an employee. Regarding safety of individuals in case of traffic accidents Slovenian SA decided that constant GPS tracking was disproportionate. The place of the accident is usually known, the location of the accident could also be reported by the driver himself. The controller should use a less intrusive measure on individual’s information privacy. In this context, Slovenian SA decided that the controller did not demonstrate legitimate interests according to Article 6.1 (f) and that the GPS tracking was not in accordance with the principle of data minimisation (Article 5.1 (c) of the GDPR) and ordered the controller to stop processing the data of employees that were collected by continuous, systematic and automatic GPS tracking.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

“Requirements, principles and new trends in the field of personal data protection” was the subject of discussion during the training course organized today, November 25, for representatives of LPAs of Ștefan Vodă district.

The aim of the training course was to familiarize and inform LPAs representatives with the field of personal data protection.

During the course, the following topics were addressed: general notions on personal data protection; legal grounds for personal data processing; depersonalization of personal data in the State Local Documents Registry; processing of special categories of personal data; filming and online transmission of local council meetings.

During the course, the participants asked many questions on the practical application of the regulatory framework in this field.

On 18-19 November 2022, the representatives of the National Centre for Personal Data Protection (NCPDP) participated in the European Case Handling Workshop 2022, held in Tbilisi, Georgia.

The event focused on actual issues in the field of personal data protection and privacy, in particular such as:

– The steps taken by employees of the authorities in investigations;

– Social data protection, guidelines and exceptions in national legislation;

– International transfers of personal data;

– Personal data and artificial intelligence;

– Main challenges faced by data supervisory authorities, etc.

Attending the event, the representatives of the NCPDP addressed the topic – “The experience of the Republic of Moldova and the methodology of examining the complaints having children as data subjects”.

The invitation to participate in the Workshop came from the Personal Data Protection Service of Georgia, which has been carrying out the control of the lawfulness of personal data processing since 2013.

The event brought together around 50 participants from 26 European countries.

The representatives of the National Centre for Personal Data Protection participated in the 43rd Plenary session of the Committee of Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), held in Strasbourg, France on 16-18 November. 

During the plenary meeting, the report of the 42nd plenary meeting, that took place on 17-19 November 2021, the report of the 55th Bureau meeting (23-25 March 2022) and the Committee’s work Programme for 2022-2025 were presented.

Also, aspects on consequences of the Russian Federation’s aggression against Ukraine; Convention 108+ current situation; digital identity; Interstate exchange of data for anti-money laundering/combating financing of terrorism; interpretation of article 11 of Convention 108+, model contractual clauses in the context of transborder data flows; cooperation with the Council of Europe and other entities, etc. were discussed.

The National Centre for Personal Data Protection organized on November 18, 2022, a training course for representatives of LPAs from Ocnița district.

The training course entitled: “Requirements, principles and new trends in the field of personal data protection”, aimed to familiarize and inform the LPAs representatives with the latest and most important issues in the field of personal data protection.

The topics addressed in the training were: general notions on personal data protection; legal grounds for personal data processing; processing of special categories of personal data; depersonalization of personal data in the State Local Documents Registry, filming and online transmission of local council meetings.

The event was attended by about 17 representatives, mayors and district councillors.

At the end, the participants asked questions to the trainers regarding the practical application of the provisions of Law 133/2011 on personal data protection.