The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of 4,3 million euros applied by the Portuguese Supervisory Authority (CBPD) to Portuguese National Statistics Institute (INE) for the infringement of article 9(1); article 12; article 13; article 28(1), (6) and (7); article 35(1), (2) and (3)(b); article 44 GDPR; article 46 and article 83 of GDPR.

In 2021, the CNPD received several complaints about the national census survey that was still undergoing at that moment. For the performance of the census, INE used the CDN (a content delivery network) services of a US company, Cloudflare, Inc., with over 200 data centres spread over 100 countries. In light of the complaints received, the CNPD opened an inquiry. At that point, circa 2.5 million forms, containing the personal data of over six million citizens residing in Portugal, had already been submitted to the INE. In view of its preliminary findings, the CNPD issued, under Article 58(2)(j) GDPR, an order for INE to suspend, in 12 hours, all data flows to the US and to any other third countries that did not offer an adequate level of protection, either via Cloudflare, Inc. or via any other company. After this corrective measure of cautionary nature, the inquiry went on about other aspects of the subject matter of the complaints.

As a result of the subsequent investigation, the CNPD identified five infringements of the GDPR in the context of the Census 2021 data processing, regarding the following issues: 

· Lack of lawfulness for the processing of special categories of personal data (article 9(1) GDPR).

· Lack of compliance with transparency obligations (articles 12 and 13 GDPR), in particular regarding the provision of any information concerning the processing operations, e.g. through the display of a privacy notice on the INE institutional website.

· Lack of a Data Protection Impact Assessment (article 35(1),(2) and (3)(b) GDPR).

· Lack of due diligence concerning the choice of the processor (article 28(1),(6) and (7)), namely by accepting a standard contract, that was not assessed in substance in what regards the requirements of  article 28(3) GDPR.

· Lack of compliance with the legal requirements for international data transfers (articles 44 and 46(2)), as interpreted by the CJEU in the Schrems II judgement.

In this context, as a result of the facts and the legal reasoning, the CNPD determined that the controller infringed different GDPR provisions in the context of the 2021 Census data processing and therefore decided, pursuant to article 58(2)(i) and article 83 GDPR and some national provisions, to apply one single fine of 4.3 million euros to the controller. This decision is final, but can be challenged in the national courts.

            The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

On December 20, 2022, the representatives of the National Center for Personal Data Protection (NCPDP) organized a training course for representatives of LPAs from Taraclia district. About 20 participants attended the event.

The aim of the training course was to inform, raise awareness and familiarize LPAs representatives with the latest aspects of personal data protection.

Thus, the following topics were discussed during the course: general notions of personal data; legal grounds for personal data processing; processing of special categories of personal data; depersonalization of data in the State Local Documents Registry; filming and transmission of district council meetings.

According to the action plan on trainings in the District Councils for 2022, the NCPDP has managed to train all LPAs in the Republic’s districts, thus covering a total of 938 participants.

On 13-14 December, the representatives of the National Centre for Personal Data Protection (NCPDP) attended the 72nd plenary meeting of the European Data Protection Board in Brussels, Belgium. Several topics were discussed during the plenary session, including: the outcome of the 71st plenary session; the preliminary agenda of the 73rd session; election of the Coordinator of the Coordinated Supervision Committee; decisions on the basis of legal acts approved by the European Committee, etc.

The 57th meeting of the T-PD Bureau also took place on 15-16 December in Strasbourg, France. During the meeting were discussed the report of the 56th meeting of the T-PD Bureau held on 21-23 September this year; the Committee’s work programme for 2022-2025; Convention 108+ state of play; Digital identity; Cooperation with other Council of Europe bodies and entities; Major developments and activities in the field of data protection.

Furthermore, the participants were informed about the next meetings planned for 2023.

“Requirements, principles and new trends in the field of personal data protection” were discussed today, December 9, during the training course organized for representatives of LPAs from Criuleni and Dubasari districts. The event was held at the headquarters of the Criuleni District Council and gathered 30 participants.

The aim of the training course was to familiarize, inform and raising – awareness for the representatives of LPAs with the latest and most current legal provisions in the field of personal data protection.

The training course covered the following topics: general notions of personal data; legal grounds for personal data processing; processing of special categories of personal data; depersonalization of personal data in the State Local Documents Registry; filming and transmission of district council meetings.

At the end of the course, the trainers from the NCPDP provided answers to all the questions given by the participants who showed interest in the course.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of 600 000 euros applied by the French Supervisory Authority (CNIL) to Électricité de France (EDF) for the infringement of articles 7, 13, 14, 32 of GDPR and of the Postal and Electronic Communications Code.

The CNIL, has received many complaints regarding difficulties encountered by individuals in having their rights considered by the company EDF, which is the first electric utility in France.

Following the investigations, CNIL found several violations, such as:

Failure to collect consent of individuals to receive commercial prospecting by e-mail (Articles L. 34-5 of the French Postal and Electronic Communications Code and 7 of the GDPR)
Failures to inform (Articles 13 and 14 of the GDPR) and to respect the exercise of rights (Articles 13 and 14 of the GDPR)
Failure to ensure security of personal data (Article 32 of the GDPR).
In this context, CNIL imposed a fine in the amount of 600 000 euros to EDF and made it public. The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

On December 7, the National Center for Personal Data Protection organized a workshop for pupils of the 5th-6th grades of IPLT “Gheorghe Asachi” mun. Chişinău.

The workshop aimed to inform, raise awareness and provide pupils with a high visibility on personal data protection and child safety in the online environment by promoting empowerment and best practices for intervention and support.

The main topics addressed during the workshop were:

– General notions of personal data (for children’s understanding);

– Creative, useful and safe use of the internet;

– Risks of using the internet;

– Risky behaviours that can have negative consequences;

– Attitudes and practices when sending photos/videos online;

– Communication on social networks, etc.

The event was organised at the initiative of the institution, with around 120 students trained.

The trainers from the NCPDP also organised several interactive games for the pupils, discussions based on the presented materials, video spots were shown, questions were asked based on a game and at the end the students were asked questions related to the field of data protection.

It is worth mentioning that in April this year the NCPDP initiated an information and awareness campaign for the school community, in which trainings were organized for the students of the 4th grades of IPLT “Onisifor Ghibu” mun. Chişinău and aims to continue this campaign for other local and national institutions.

On November 22 and 24, 2022, the representative of the National Center for Personal Data Protection (NCPDP), Ms. Daniela Movila, Senior State Inspector of Prevention, Surveillance and Evidence Department, General Department for Surveillance and Conformity, conducted two webinars in online format, within the second edition of the program “Step in GDPR, Compliance and AML”, organized by OTP Bank S.A. and partners.

The most important topics covered in the events were: data protection impact assessment, prior consultation and personal data protection officer.

Participants had the opportunity to ask questions to the representative of the National Data Protection Authority about new trends in the field of personal data protection.

The webinar was attended by final year students, master students and teachers from the Moldova State University and Academy of Economic Studies of Moldova, with around 100 participants.

On December 2, the National Center for Personal Data Protection organized a training course for representatives of LPAs from Basarabeasca district.

The aim of the training course was to strengthen the capacities of LPAs representatives by familiarizing, raising – awareness and informing the participants with the field of personal data protection.

Several topics were discussed during the training course, such as: general notions on personal data; legal grounds for personal data processing; processing of special categories of personal data; filming and online transmission of local council meetings; depersonalization of data in the State Local Documents Registry.

At the end, the participants asked questions to the trainers regarding the practical application of the provisions of Law 133/2011 on personal data protection.

The event was held at the District Council headquarters, where the head of the Basarabeasca Police Inspectorate participated and showed interest in the topics discussed at the course.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of 265 million euros applied by the Irish Data Protection Authority (SA) to Meta Platforms for the infringement of Article 25(1) and 25(2) of GDPR.

The Irish SA commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of inquiry concerned an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms during the period between 25 May 2018 and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default.

In this context it was found the infringement of Articles 25(1) and 25(2) of GDPR. The decision imposed a reprimand and an order requiring Meta Platforms to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed an administrative fine in the amount of 265 million euros to Meta Platforms.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.