On October 17, 2024, the National Center for Personal Data Protection (NCPDP) organized a training course entitled “The legal regime of personal data protection” for the employees of the National Anti-Corruption Center (NAC), at their request.

The purpose of the training course was to increase the NAC employees’ awareness on the principles of personal data protection, in order to know and assimilate the best practices in the field, as well as to ensure the correct application of the legal provisions in the activity they perform.

During the event, important topics were discussed, such as: the definition of general concepts related to the field of personal data protection; the rights of personal data subjects; principles and legal grounds for processing personal data; the requirements for the protection of personal data in the exercise of the duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO), as well as his obligations and tasks; issues related to the Data Protection Impact Assessment, etc.

At the same time, the topics related to the legal manner of processing personal data in the work carried out by NAC employees, the importance of personal data protection in the criminal prosecution actions carried out by them, the correct procedure for accessing personal data through state information systems and the records kept by the NAC of these accesses, the term of storage and use of personal data at the end of the processing operations, as well as access to information of public interest through the legislation on personal data protection, were of great interest to the participants.

About 170 NAC representatives were trained during the event.

On October 15, 2024, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for representatives of the National Agency for Employment (ANOFM), at their request.

The purpose of the training course was to familiarize ANOFM officials with the aspects related to personal data protection in the public service, the regulation of processing procedures, as well as with the confidentiality and security of personal data in accordance with the legislation in force.

The event discussed topics of importance such as: 

• Definition of general notions related to the field of personal data protection; 

• Principles and legal grounds for processing personal data;

• The rights of personal data subjects; 

• Processing of special categories of personal data; 

• Requirements for the protection of personal data in the performance of official duties; 

• Ensuring the security and confidentiality of personal data processed; 

• Data Protection Officer (DPO) designation, duties and tasks; 

• Data Protection Impact Assessment (DPIA) issues as well as the steps involved in conducting a DPIA, etc.

The training course proved to be an interactive one, and the topics related to access to information of public interest from the point of view of the personal data protection legislation, the term of retention/storage and use of personal data at the end of processing operations, as well as the legality of requesting a copy of the identity card when submitting and/or examining an application, were of great interest to the representatives attending the course.

Around 200 ANOFM representatives were trained during the event, which took place both in person and online.

On October 10, 2024, the National Center for Personal Data Protection organized a training course in the field of personal data protection for internal auditors of public authorities, at the request of the Association of Internal Auditors.

The aim of the training was to raise the visibility of the role of internal audit in adding value and improving the entity’s activity, including risk management, control and governance processes, in the light of the data protection legislation.

During the event, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; the requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the Data Protection Officer (DPO); issues related to the Data Protection Impact Assessment, etc.

The training course was an interactive one and the trainers provided advisory support to the participants on the processing of personal data in the context of auditing public entities. At the same time, multiple practical examples were presented in order to increase the perception of internal auditors on the principles of personal data protection.

The event was held remotely with the participation of about 40 representatives of the Association of Internal Auditors.

On October 28, 2024, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for the representatives of General Directorate of Education, Youth and Sport subdivisions (DGETS) of Chisinau Municipal Council, at their request.

The training course aimed to increase the awareness of DGETS employees on the principles of personal data protection, as well as to familiarize them with the confidentiality and security of personal data in accordance with the provisions of the legislation in force.

During the event, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; the principles and legal grounds for processing personal data; the requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed, etc.

The training course was interactive, and the topics related to the disclosure of information containing personal data, as well as the term of retention/storage and use of personal data at the end of the processing operations were of great interest to the course participants.

About 40 representatives of DGETS subdivisions were trained during the event.

On October 25, 2024, the National Center for Personal Data Protection (NCPDP) organized a training course for the representatives of the “North” Territorial General Directorate of the National Anti-Corruption Center, at their request.

The purpose of the training course, entitled “The legal regime of personal data protection”, was to increase the NAC employees’ awareness on the principles of personal data protection, in order to know and assimilate the best practices in the field, as well as to ensure the correct application of the legal provisions in the activity they perform.

During the event, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; principles and legal grounds for processing personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed, etc.

The training course proved to be an interactive one, the participants asking multiple questions arising from their work, to which they received documented answers with practical examples from the trainers. At the same time, the topics related to the correct procedure for accessing personal data through the state information systems and the records kept by the NAC of such accesses, as well as access to information of public interest through the legislation on the protection of personal data, were of great interest to the course participants.

During the event about 20 representatives of the Territorial General Directorate “North” of the National Anticorruption Center were trained.

On 19 September 2024, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for the employees of Briceni Border Police Sector of North Regional Directorate, in the context of the elaboration / implementation by the IGPF of the “Concept on the functional and decision-making autonomy of the Border Police patrol in the activity of state border surveillance“.

The aim of the training course was to increase the awareness of the employees of Briceni Border Police Sector of the North Regional Directorate, who supervise the border in order to combat illegal migration, trafficking in human beings and cross-border crime, on the principles of personal data protection and on ensuring the correct application of the legal provisions in the field in the work they perform.

• During the event topics of importance were discussed such as: 

• Definition of general notions related to the field of personal data protection; 

• Principles and legal grounds for processing personal data; 

• The rights of personal data subjects; 

• Processing of special categories of personal data; 

• Requirements for the protection of personal data in the performance of official duties; 

• Ensuring the security and confidentiality of personal data processed; 

• Data Protection Officer (DPO) designation issues;

• Data Protection Impact Assessment (DPIA) issues, etc.

The training course proved to be very useful, and the aspects related to the correct procedure of accessing personal data through the state information systems in order to identify persons who do not have identity documents in the border area, as well as the consequences of a non-compliant/illegal processing of personal data, were of great interest to the participants.

During the event about 40 representatives of Briceni Border Police Sector of the North Regional Directorate were trained.

The training courses are part of the training plan within the IGPF for the year 2024, approved and signed by the heads of NCPDP and IGPF on February 21 this year.

On 24 September 2024, the National Centre for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for the employees of the Sculeni Border Police Sector of the Western Regional Directorate, in the context of the elaboration / implementation by the IGPF of the “Concept on the functional and decision-making autonomy of the Border Police patrol in the activity of state border surveillance”.

The purpose of the training course was to increase the awareness of the employees of the Sculeni Border Police Sector of the West Regional Directorate, who supervise the border in order to combat illegal migration, trafficking in human beings and cross-border crime, on the principles of personal data protection and on ensuring the correct application of the legal provisions in the field in the work they perform.

During the event, important topics were discussed, such as: the definition of general concepts related to the field of personal data protection; principles and legal grounds for processing personal data; the rights of personal data subjects; the processing of special categories of personal data; the requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO); issues related to the Data Protection Impact Assessment (DPIA), etc.

The training course proved to be interactive and useful, as the participants asked multiple questions, resulting from their work, to which they received documented answers with practical examples from the trainers. At the same time, issues related to the correct procedure for accessing personal data through state information systems, the correct procedure for identifying persons who do not have identity documents, as well as the examination of requests for disclosure of personal data, were of great interest to the course participants.

About 50 representatives of the Sculeni Border Police Sector of the Western Regional Directorate were trained during the event.

The training course is part of the training plan within the IGPF for the year 2024, approved and signed by the heads of the NCPDP and IGPF on February 21.

The National Center for the Protection of Personal Data (NCPDP), for information and enforcement purposes, communicates about the administrative fine of 30.5 million euro imposed by the Dutch Supervisory Authority (SA) on Clearview for violation of Article 6 Lawfulness of processing, Article 9 Processing of special categories of personal data, Article 12 Transparent  information, communication and modalities for the exercise of the rights of the data subject, Article 14 Information to be provided where personal data have not been obtained from the data subject, Article 15 Right to access by the data subject, Article 27 Representatives of controllers not established in the Union and Article 84 Penalties.

Clearview is an American company that offers facial recognition services. Customers of Clearview can provide camera images to find out the identity of people shown in the images. For this purpose, Clearview has a database of more than 30 billion photos of people. The company automatically collects these photos from the internet and then converts them into a unique biometric code for each face without the person’s knowledge or consent.

As a result of its investigations, the Dutch SA finds that for the purpose of their ‘Clearview for law-enforcement and public defenders’ service, Clearview processes, without a legal basis to do so, personal data of data subjects who are within the territory of the Netherlands. In doing so, Clearview violates Article 5(1), opening words and subsection (a) of the GDPR, read in conjunction with Article 6(1) GDPR. Clearview also infringes Article 9(1) of the GDPR by processing a special category of personal data (biometric data) of data subjects located in the Netherlands. 

The Dutch SA has determined that Clearview does not adequately inform data subjects, acting in this case contrary to Article 12(1) in conjunction with Article 14(1) and (2) and contrary to Article 5(1)(a) of the GDPR. 

Last but not least, violated Article 12(3) GDPR, read in conjunction with Article 15 GDPR by not responding to two access requests by data subjects. And fifth of all, since Clearview does not facilitate data subjects within the territory of the Netherlands in exercising their right of access, they violate Article 12(2) GDPR, read in conjunction with Article 15 GDPR. The fact that Clearview has not designated a representative in the European Union within the meaning of Article 4, paragraph 17 GDPR, although they are obliged to do so pursuant to Article 27(1) GDPR, also constitutes a violation of the GDPR.

In this context, the Dutch SA has imposed on Clearview an administrative fine of €30.5 million and four measures subject to a penalty for non-compliance, which relate to the cessation of the infringements still in progress. If Clearview fails to do so, the company will have to pay non-compliance penalties totaling up to a maximum of €5.1 million in addition to the fine.

The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

On September 25, 2024, the National Center for the Protection of Personal Data (NCPDP) organized a training course in the field of personal data protection for the employees of Vulcănești Police Inspectorate (PI) of the DP of UTA Găgăuzia.

The purpose of the training course was to increase the degree of perception of  Vulcănești PI employees on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field, in the activity they carry out.

During the event, important topics were discussed, such as:

• Definition of general notions related to the field of personal data protection;

• Rights of personal data subjects;

• Processing of special categories of personal data;

• The legal way of processing personal data in the activity carried out by police bodies;

• The requirements regarding the protection of personal data, in the exercise of service duties;

• Obligations of the police body as a data controller in relation to the data subject;

• Ensuring the security and confidentiality of processed personal data, etc.

The training course proved to be very useful and interactive, the trainers from the NCPDP providing the participants with practical answers to the multiple questions asked by them. At the same time, the aspects related to the correct procedure for accessing personal data through state information systems, such as the examination of requests for disclosure of personal data, showed increased interest for the participants.

About 20 representatives of Vulcănești Police Inspectorate of the DP of UTA Găgăuzia were trained during the event.

The training course is part of the training plan within the GPI subdivisions for 2024, approved and signed by the heads of the NCPDP and GPI on January 26.

On 26 September 2024, the representatives of the National Center for Personal Data Protection organized a training course for the employees of the Psychiatric Clinical Hospital, at their request.   The aim of the course was to strengthen the capacities of medical staff by sensitizing, familiarizing and informing them with the field of personal data protection.

The event addressed topics of importance such as: 

• Defining personal health data; 

• Processing special categories of personal data; 

• Legal grounds for processing personal health data; 

• Patients’ rights; 

• Mandatory secrecy of personal data;

• Disclosure of personal health data; 

• Data minimization and storage limitation; 

• Processing of personal data in the work of healthcare professionals; 

• Obligation to ensure confidentiality and security of data processing; etc.

The training course proved to be a useful one, with participants asking multiple questions to the trainers and receiving documented answers with practical examples. At the same time, the topics related to the processing of personal data in the work of medical staff, the patient’s right to confidentiality of information related to medical secrecy, as well as the disclosure of such data, were of great interest to the participants.

About 60 representatives of the Clinical Psychiatric Hospital were trained during the event.