The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of 175 00 euros applied by the French Data Protection Authority (DPA) to UBEEQO International for the illegally processing of personal data.

This case is part of the priority control theme in 2020 relating to the new uses of geolocation data in the context of mobility. In this context, the French DPA controlled the company UBEEQO International, whose activity is the rental of vehicles for a short period. The investigations focused in particular on the data collected, the defined retention periods, the information provided to individuals and the security measures implemented.

Following the investigations, French DPA found several violations, such as:

·        Failure to comply with the obligation to ensure data minimisation (Article 5.1.c of the GDPR).

·        Failure to define and respect a proportionate data retention period (Article 5.1.e of the GDPR).

·        Failure to inform individuals (Article 12 of the GDPR).

 On the basis of these findings, the restricted committee – the CNIL’s body in charge of issuing sanctions – in cooperation with the other European authorities concerned (in Belgium, Denmark, Spain, Italy and Germany) imposed a fine of 175 000 euros to UBEEQO International, which was made public.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of 20 million euros applied by the Hellenic Data Protection Authority (DPA) to Clearview AI for violating the principles of lawfulness and transparency of personal data processing.

Hellenic DPA examined a complaint against Clearview AI, lodged by the civil non-profit organization “Homo Digitalis” on behalf of a complainant, who claimed that s/he has objections to the realisation of the right of access s/he exercised before the aforementioned company. In conjunction with the issues deplored, it was also requested that the practices of the defendant company be examined on the whole from the point of view of ensuring personal data protection.

Following the investigations, it was found that the company, which markets facial recognition services, violated the principles of lawfulness and transparency stipulated at Art. 5 paragraphs 1(a) and (2), 6, 9 GDPR and its obligations under Articles 12, 14, 15 and 27 of the GDPR.

In this context, Hellenic DPA imposed a fine of 20 million euros to Clearview AI for violating the principles of lawfulness and transparency on personal data processing. In addition, the DPA ordered the company to conform its activity so as to realise the right of access to personal data of data subjects, while imposing (on the same company) a prohibition on the collection and processing of personal data of subjects located in the Greek territory, using methods included in the facial recognition service. Finally, with this Decision, the Hellenic DPA ordered Clearview AI Inc. to delete the personal data of those subjects located in Greece, which the defendant collects and processes using the aforementioned methods.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Center for Personal Data Protection (NCPDP) and Personal Data Protection Office of Poland signed a Collaboration Agreement in the field of personal data protection. The Agreement was signed by the Director of NCPDP, Ms Victoria Muntean and President of the Personal Data Protection Office, Mr Jan Nowak.

The Agreement provides for the development of cooperation relations between the two institutions in terms of achieving constant progress in the field of personal data protection and the promotion of good practices that will create favorable conditions for ensuring effective protection of personal data of Poland’s and Moldova’s citizens, which is significant in the context of the recent granting of the status of EU candidate country of the Republic of Moldova.

The NCPDP states that the agreement is aimed at various activities that will encourage the exchange of information on the application of European laws, regulations, standards and recommendations in the field of personal data protection, as well as the organization of activities focused on promoting the protection of privacy and personal data protection, cooperation in order to organize projects of common interest for both institutions at regional and national level, etc.

We remind you that the NCPDP has concluded another 17 national collaboration agreements with institutions from different fields of activity, as well as 9 international collaboration agreements with the Personal Data Protection Authorities from countries such as Romania, Ukraine, Georgia, Italy, Hungary, Latvia, Malta.

At the initiative of the General Department of Education, Youth and Sport of the Chisinau Municipal Council (GDEYS), the representatives of the National Centre for Personal Data Protection (NCPDP) participated as trainers in the training course entitled: “Requirements, principles and new trends in the field of personal data protection”, that was held on 20 July 2022.

The most important topics covered in the course were: general concepts and principals of personal data protection; data protection impact assessment; the data protection officer; ensuring the security and confidentiality of personal data in information and filing systems.

The aim of the course was to inform the participants about the latest and most important aspects of the Law No 133/2011 on personal data protection.

The training course was attended by 64 participants, GDEYS employees and representatives of GDEYS institutions.

From 8 to 15 July this year, the National Centre for Personal Data Protection (NCPDP) has organized several activities dedicated to the Centre’s Day, marked annually on 10 July. In this regard, on Friday, July 8, on the official website of the NCPDP, a press release was placed – 14 years of activity of the NCPDP.

Also, on July 11, a street action was organized, 14 years since the founding of the NCPDP. In this regard, a group of employees of the Center went to the Central Park in Chisinau, where they distributed to passers-by leaflets and information sheets that are related to the field of personal data protection.

Similarly, on the official website of the NCPDP, the Newsletter no. 11 has been published. It covers the period from 1 April to 30 June 2022. The Newsletter includes information on: information and training activities; control activities; findings of the NCPDP; breaches of the rules on processing and storage of personal data; supervisory activities; International and European news and other data protection authorities. The Newsletter can be found at the following link: .

On Friday, July 15, according to the training plan, the training course “Requirements, principles and new trends in the field of personal data protection” was organized for representatives of LPAs from Nisporeni district.

Within the training course, the representatives of the NCPDP focused on topics related to: definition of personal data; processing of special categories of personal data; legal grounds for processing personal data; filming and online transmission of local council meetings.

At the same time, the representatives of the NCPDP addressed issues related to the personal data officer; depersonalization of data in the State Register of Local Acts; as well as data protection impact assessment as required by national legislation.

About 30 mayors and local councillors attended the course.

As a result, the aim of the actions organised by the NCPDP was to familiarise authorities and civil society with the field of personal data protection.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of 1 million euros applied by the French Supervisory Authority (CNIL) to TotalEnergies Électricité et Gaz France for the illegally processing of personal data.

CNIL has received several complaints concerning the difficulties encountered by individuals in having their requests for access to their data and opposition to receiving calls for the purposes of direct marketing taken into account by the French energy producer and supplier, TotalEnergies Électricité et Gaz France.

Following the investigations, CNIL found several violations, such as:

·         Failure to comply with the obligation to inform individuals solicited (article 14 of the GDPR).

·         Failure to respect the right of access to data (article 15 GDPR) and the right to object of data subjects (article 21 GDPR).

·         Failure to comply with the obligations relating to the modalities for exercising rights (Article 12 of the GDPR).

In this context, CNIL imposed to TotalEnergies Électricité et Gaz France an administrative fine in the amount of 1 million euros and made public the decision. The amount of this fine was decided in the light of the breaches identified as well as all the measures taken by the company during the procedure to bring itself into compliance.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

On 10 July, the National Centre for Personal Data Protection (NCPDP) celebrates 14 years of activity.

Throughout this period, the field of data protection has registered a considerable evolution in ensuring the security of personal data and respect for the right to privacy.

As an autonomous public authority, independent and impartial from other public authorities, natural persons and legal entities, the NCPDP aims to protect the fundamental freedoms and rights of natural persons, especially the right for private life regarding the processing and transborder transfer of personal data.

In order to achieve the basic objective, the NCPDP ensures the organization of training courses in the field of personal data protection, ensures the control and supervision activity, issues decisions, instructions and recommendations, concludes minutes on contravention, as well as finds violations of legal provisions in the field of personal data protection.

It also organises actions to prevent breaches of the legislation in this field, including by guiding data controllers in the context of the correct application of the legislation and by informing, raising awareness and educating society on the importance of personal data protection.

At the same time, more and more petitions from personal data subjects are adressed to the NCPDP and the dynamics of the last few years demonstrate this fact. The most frequent topics reflected in the complaints are:

– Realisation of personal data subjects’ rights (access, information, intervention, opposition);

– Processing of personal data through video/audio surveillance systems;

– Processing of personal data in the absence of consent of the personal data subject and in the absence of any other legal basis.

In this regard, the NCPDP will continue to provide support to both data subjects and controllers in order to comply with the regulatory framework in the field and will make every effort to achieve further progress in strengthening the field of personal data protection.

Data exchange / interoperability of information systems, the rights and obligations of stakeholders, how to realize the rights of data subjects, the role and responsibilities of the e-Governance Agency in this regard, were the topics discussed at a training course held today, June 30, 2022, for the representatives of the National Center for Personal Data Protection (NCPDP), by the trainers within the e-Governance Agency (AGE).

The training took place at the initiative of the NCPDP, as more and more data subjects’ complaints submitted to the NCPDP concern access to personal data in state registers/information systems via the MConnect interoperability platform. Thus, the employees had the opportunity to familiarize themselves with the most important issues related to the above-mentioned subjects.

As trainers of the training were AGE representatives: Mrs Olga Tumuruc, AGE Director; Mr Sergiu Bedros, Head of Project Implementation Department; Mr Igor Arama, Head of Data Exchange and Interoperability Service; Mr Vadim Ventilă, Jurisconsult of the Project Implementation Department.

On June 28, the Conference on Personal Data Protection, organized by the National Association of ICT Companies (ATIC), took place within the framework of the ABA Rule of Law Initiative Project “Personal Data Protection – Rights and Obligations in the Republic of Moldova”, in collaboration with the National Centre for Personal Data Protection (NCPDP).

At the opening session, NCPDP Director Victoria MUNTEAN, thanked the National Association of ICT Companies (ATIC) for initiating and organizing this conference. At the same time, she welcomed the participation in the event of the IT business environment, civil society, academic field and representatives of public institutions, describing this as a testimony of the strengthening the cooperation relations in the field of personal data protection.

Furthermore, Ms. Victoria MUNTEAN specified that ” The current aspirations for the digitization of society, as well as the implementation of information technologies in the economic sectors greatly simplify the implementation of daily actions, but involve the need to ensure a high level of security of personal data and amplify the importance of provisions in the field of personal data protection”.

Also, during the above-mentioned conference, a Collaboration Agreement was signed between NCPDP and ATIC, which aims to implement national legislation and to apply the European standards in the field of personal data protection, as well as the joint organization of various events, conferences, workshops in order to promote the field of personal data protection.

On behalf of the NCPDP, the conference was also attended by Mr. Alexei STRAHOV, Head of Prevention, Surveillance and Evidence Department within the General Department of Surveillance and Conformity of the NCPDP, who addressed the topic “Data Protection Officer in institutions”, where pointed out the newest and most important aspects imposed by the provisions of Law 133/2011 on personal data protection.

State officials and dignitaries, experts and representatives of international forums participated as speakers at the event. The most important topics discussed were focused on:

·        Digitization 2022 in the Republic of Moldova: novel context of rights and obligations for subjects involved in digital services;

·        Changing personal data protection framework: international trends and national context;

·        Impact Assessment;

·        Obligations of Data Protection Officer.

The National Center for Personal Data Protection (NCPDP), for information purpose, communicates about the participation of National Center for Personal Data Protection management at the 66th Plenary Session of the European Data Protection Board (EDPB), which was held on 14-15 June at Brussels, Belgium.

 During the Plenary, the EDPB adopted several documents, among which:

·        Guidelines on certification as a tool for transfers. The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool. The guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers, such as the purpose, scope and the different actors involved; implementing guidance on accreditation requirements for certification bodies; specific certification criteria for the purpose of demonstrating the existence of appropriate safeguards for transfers; and the binding and enforceable commitments to be implemented. The guidelines will be subject to public consultation until the end of September.

·        A dispute resolution decision on the basis of Art. 65 GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the French SA as lead supervisory authority (LSA) regarding Accor SA, a company specialised in the hospitality sector whose main establishment is located in France, and the subsequent objections expressed by one of the concerned supervisory authorities. The decision addresses the merits of the part of the objection found to be “relevant and reasoned” in line with the requirements of Art. 4(24) GDPR. The LSA shall adopt its final decision, addressed to the controller, on the basis of the EDPB decision, without undue delay and at the latest one month after the EDPB has notified its decision.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the importance of the participation of the Republic of Moldova in the Plenary Sessions organized by the EDPB, as well as the weight of adopted documents.