The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of EUR 3 000 000 applied by Spanish Data Protection Agency (AEPD) to CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. for lack of specific and informed consent regarding profiling for commercial purposes.

An investigation was initiated following several indications that there might be an incorrect practice in relation to the automated profiling and decision-making of the controller in the context of its commercial activity (the controller is a financial establishment and payment institution).

CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U is an entity acting as a financial establishment and payment institution whose business consists of marketing credit or debit cards, credit accounts with or without a card.

In the framework of its commercial activity, Caixabank makes profiles for the following purposes:

·        Analyse the risk of default upon application for a product;

·        Analyse the risk of default during the application for a product;

·        Selection of target audience.

Consent is requested in the various channels of prescribers and agents for study and profiling purposes. Thus, consent is requested in the following terms: “I authorise the CaixaBank Group to use my data for study and profiling purposes”. In the present case, the interested party is provided only with generic information on the different profiling treatments and with this information the interested party is not able to know exactly what the treatment is you are consenting to. Nor is there any provision for the person concerned to express his or her choice on all purposes for which the data are processed.  

In this regard, AEPD fine of EUR 3 000 000 to CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. for lack of specific and informed consent regarding profiling for commercial purposes and ordered the controller to bring processing operations into compliance with the provisions of the GDPR within six months of this decision.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Center for Personal Data Protection (NCPDP) trained, on February 11, the representatives of the local public authorities (LPA) from Edineț district. The event took place online.

The training course aimed to strengthen the capacities of LPA representatives by familiarizing, raising awareness and inform them with the field of personal data protection.

The topics addressed in the training were: general notions on personal data protection; legal grounds for personal data processing, recording and live streaming of local councils’ meetings and the correct depersonalization of personal data contained in the administrative acts of local public authorities published in the State Local Documents Registry.

The training was organized at the initiative of NCPDP, the event being attended by mayors and local councilors of Edineț district.

The event, moderated by two experts in the field of personal data protection within NCPDP, was a dynamic and productive one, the participants in the training asking questions regarding the practical application of the legislation in the field of personal data protection, including providing access to information containing personal data.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the total fine in the amount of EUR 9 250 000 applied by Hellenic Data Protection Authority (DPA) to telecommunications companies COSMOTE and OTE S.A. due to personal data breach and illegal data processing.

Following a personal data breach notification (subscriber call data leakage between 01/09/2020 and 05/09/2020) by COSMOTE S.A., the Hellenic DPA investigated the circumstances under which the breach took place and, in this regard, examined the lawfulness of record-keeping in relation to leaked data, as well as the security measures applied. The investigation of the case revealed that COSMOTE had infringed the principles of legality and transparency due to the provision of unclear and insufficient information to subscribers. The company was also found responsible for poor data protection impact assessment, poor anonymisation, inadequate security measures taken, and failure to allocate the roles of the two companies (COSMOTE / OTE) in relation to the processing in question. In addition, ΟΤΕ S.A. was found to have infringed Article 32 of the GDPR due to inadequate security measures taken in relation to the infrastructure used in the context of the breach.

The Hellenic DPA, on the one hand, fined COSMOTE a total of EUR 6 000 000, and imposed the sanction of stopping the processing and destroying the data, and, on the other, fined OTE S.A. a total of EUR 3 250 000.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Center for Personal Data Protection (NCPDP) trained, on February 4, the representatives of the local public authorities (LPA) from Telenețti district. The event took place online.

The training course aimed to strengthen the capacities of LPA representatives by familiarizing, raising awareness and inform them with the field of personal data protection.

The topics addressed in the training were: general notions on personal data protection; legal grounds for personal data processing, recording and live streaming of local councils’ meetings and the correct depersonalization of personal data contained in the administrative acts of local public authorities published in the State Local Documents Registry.

The training was organized at the initiative of NCPDP, the event being attended by 80 mayors and local councilors of Telenești district. There was a significant increase in the number of participants at the event, which shows an increased interest on the part of LPAs to comply with the legal provisions in the field of personal data processing.

The event, moderated by two experts in the field of personal data protection within NCPDP, was a dynamic and productive one, the participants in the training asking questions regarding the practical application of the legislation in the field of personal data protection, including providing access to information containing personal data.

Today, January 28, the National Center for Personal Data Protection (NCPDP) in collaboration with TAIEX project experts organizes the National Conference “Challenges of international data transfers from the perspective of the Convention 108+ and GDPR”, held online.

The aim of the Conference is to present information, examples of good practices and innovative solutions on raising awareness and informing the public sector about the challenges of cross-border data transfer.

The event was opened by the Director of the NCPDP, Ms. Victoria Muntean: “ In the context of globalization, the increasing of the need for information exchange through the various means made available by current technology, as well as the rapid technological developments widely used by both EU and other countries, the cross-border transfer of personal data needs to be regulated by new instruments, designed to facilitate the international circulation of data, with the guarantee of respect for the fundamental rights of data subjects and in conformity with data protection legislation, in particular with EU standards, the General Data Protection Regulation and Convention 108+”.

The workshop is conducted by personal data protection experts from Italy, Germany, Austria and the representatives of European Commission. Amongst the topics addressed by the experts are: cross-border transfers of personal data from the perspective of Convention 108+ and global trends, overview of the grounds for the cross-border transfers of personal data under the GDPR and the type of safeguards needed, challenges of cross-border data transfers from the perspective of the EU supervisory authorities, cross-border data transfers in the area of law enforcement cooperation, General information on the concept of adequacy and Substantive and procedural aspects of adequacy decisions.

The event is attended by about 70 representatives of the public sector.

The workshop is organized and funded by the Technical Assistance and Information Exchange Instrument of the European Commission (TAIEX).

People´s personal data are being processed every second – at work, in their relations with public authorities, in the health field, when they buy goods or services, travel or surf the internet.

This year, January 28 marks the 41st anniversary of Convention 108, which was opened for signature on 28 January 1981, and the 16th European Data Protection Day. It is a very special day, not only for the Council of Europe, but for the entire global Data Protection community, and above all, for each and every individual protected by this essential right.

The Republic of Moldova marks this event together with all European states.  Although the field of personal data protection is a relatively new one for the society of the Republic of Moldova, in the last decade we have managed to make great steps in ensuring respect for the right to privacy, as well as regarding our efforts to comply with European standards in the field of personal data protection.

Our role as the National Data Protection Authority is becoming increasingly important and the annual celebration of this day is an opportunity to bring to the attention of the general public the importance of respecting the principles of personal data processing, the right to privacy and the right to personal data protection, enshrined as fundamental rights.

The team of the National Centre for Personal Data Protection wishes you an

EXCELLENT DATA PROTECTION DAY!

The National Center for Personal Data Protection (NCPDP) trained, on January 27, the representatives of the local public authorities (LPA) from Ialoveni district, the event took place online.

The training course aimed to strengthen the capacities of LPA representatives by familiarizing, raising awareness and inform them with the field of personal data protection.

The topics addressed in the training were: general notions on personal data protection; legal grounds for personal data processing, recording and live streaming of local councils’ meetings and the correct depersonalization of personal data contained in the administrative acts of local public authorities published in the State Local Documents Registry.

The training was organized at the initiative of NCPDP, the event being attended by 55 mayors and local councilors of Ialoveni district.

The event, moderated by two experts in the field of personal data protection within NCPDP, was a dynamic and productive one, the participants in the training asking questions regarding the practical application of the legislation in the field of personal data protection, including providing access to information containing personal data.

Every year, on January 28, European Data Protection Day is celebrated by all Council of Europe member states, with the support of the European Commission to promote the right to privacy and the right to personal data protection.

On the occasion of this day, the National Data Protection Authorities are organizing specific activities to raise awareness and promote privacy and data protection best practices. These activities include street actions aimed to raise awareness and inform the general public about the field of personal data protection.

In this context, today, January 26, a few employees of National Center for Personal Data Protection (NCPDP) distributed to passers-by, near the Cathedral Square, information materials, raising awareness among citizens about the concept of personal data, the rights of personal data subjects, security and confidentiality measures when processing data. At the same time, they were informed about the possible situations in which personal data are not processed in accordance with the provisions of national legislation in this field, providing them with practical guidance and recommendations that should be undertaken in such situations.

This year, NCPDP aims to organize more information and awareness-raising activities for the general public in order to educate, motivate and encourage Moldovan citizens to pay more attention to the protection of their personal data.

On 10 December 2021, Law No. 175 of 11 November 2021 on the amendment of certain legal acts was published in the Official Gazette of the Republic of Moldova, which contains amendments in the field of personal data protection.

By the mentioned normative act, some provisions of the Law no. 133/2011 on personal data protection were amended, including:

–         New wording of the notion “consent of the data subject”, being excluded the obligation to express consent in written or electronic form.

–         Exclusion of the obligation for personal data controllers to notify the National Centre for Personal Data Protection (NCPDP). Thus, the notification procedure has been replaced by an obligation for the controller to carry out a Data Protection Impact Assessment, if personal data processing is likely to result in an increased risk to the rights and freedoms of individuals.

–          Introduction of the obligation for the controller and for the processor to designate the Data Protection Officer.

–         Repeal of art. 28 of Law 133/2011 on personal data protection, following that the Record Register of personal data controllers will be deleted, within two months from the publication of Law no. 175/2021 in the Official Gazette.

–         Rewording of Article 32 of Law 133/2011 on personal data protection, with amendments relating to the cross-border transfer of personal data and approval of the list of states ensuring an adequate level of personal data protection.

Similarly, amendments have been made to the provisions of the Contravention Code of the Republic of Moldova, in terms of contraventions attributable to the processing of personal data in violation of the legislation on personal data protection.

It should be noted that Law no. 175/2021 will enter into force within 30 days of its publication in the Official Gazette.