The National Center for the Protection of Personal Data (NCPDP), for information and enforcement purposes, communicates about the administrative fine of 100 000 euro imposed by the Belgian Data Protection Authority for violation of Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject and Article 15 Right of access by the data subject of the GDPR.

The complainant, a customer of a telecommunications controller, following a contractual incident, followed a mediation procedure with the controller. The controller admitted his fault, but the complainant nevertheless exercised his right of access to his personal data. He requested, inter alia, to know the identity of the employees who processed his personal data and the purposes of the processing. The request was sent via the controller’s messenger channel with the express request that it be forwarded to the Data Protection Officer (DPO). However, despite the fact that his request has been handled by two employees, it has not been satisfied, nor transferred to the DPO. The complainant subsequently lodged a complaint with the Belgian SA and received a response from the controller 14 months after his request for access to personal data.

Following the investigations, the Belgian DPA considered that the complainant’s request was largely satisfied. At the same time, the controller was found to have breached certain provisions of the GDPR because of the 14-month delay in responding and because the controller failed to forward the complainant’s request to its DPO. However, the penalty, amounting to €100 000, is based solely on the breach of Article 15 of the GDPR. The decision is not final and can be challenged by the parties.

The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

On September 18, 2024, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for the employees of the Ceadir-Lunga Police Inspectorate (PI) of the Police Department of Gagauzia ATU.

The aim of the training course was to increase the IP employees’ awareness on the principles of personal data protection and to ensure the correct application of the legal provisions in the work they perform.

During the event, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; the legal way of processing personal data in the activity carried out by police bodies; the requirements for the protection of personal data in the exercise of their duties; the obligations of the police body as data controller in relation to the data subject; ensuring the security and confidentiality of personal data processed, etc.

The training course proved to be an interactive one, with participants asking multiple questions to which they received answers/explanations from the trainers in the field of personal data protection. At the same time, the legal way of processing personal data in the activity carried out by police bodies, as well as the correct procedure of accessing personal data through the State Information Systems, were of great interest for the participants.

About 45 representatives of the Ceadir-Lunga Police Inspectorate of the Police Department of Gagauzia ATU.

The training course is part of the training plan in the subdivisions of the GPI for the year 2024, approved and signed by the heads of the NCPDP and the GPI on January 26 this year.

The National Center for Personal Data Protection (NCPDP), for information and enforcement purposes, communicates about the administrative fine of 270 000 euro imposed by the Spanish Data Protection Authority on UNIQLO EUROPE, LTD for violation of Article 5 Principles relating to processing of personal data and 32 Security of processing of GDPR.

The complainant in this case, whose employment contract had been terminated, requested access to his payroll information for July 2022. Following the request, the controller sent an e-mail to the complainant that contained an attached PDF document that included his payroll and that of 446 other workers on the staff.

The documentation in the file offers clear indications that UNIQLO violated article 5.1.f) of the GDPR, by not duly guaranteeing the confidentiality and integrity of the personal data of its employees, having been brought to the attention of an unauthorized third party. This duty of confidentiality and integrity must be understood as having the purpose of preventing data leaks that are not consented by the data subject.

Also, the provisions of Article 32(1) of the GDPR have been violated due to the failure to adopt appropriate technical and organizational measures. 

UNIQLO EUROPE, LTD justifies a series of technical and organisational measures to preserve the security and privacy of its information systems. However, these measures were not appropriate to avoid the facts that are the subject of the complaint.  A series of measures adopted subsequently have been provided, such as allowing former employees access to their payrolls for a period of 60 days after the termination of the contract or the review of the payroll process by the human resources department, as well as redesigning the internal protocols of said department. These measures cannot be taken into consideration for the purposes of assessing UNIQLO’s responsibility in the facts.

In this context, the Spanish Data Protection Authority has imposed on UNIQLO EUROPE, LTD a total fine of €450,000 for the infringement of the legal provisions mentioned above, which was reduced to €270,000, based on the provisions of national law, which allow for a reduction of the fine when a controller voluntarily pays the fine and acknowledges responsibility for the violation.

The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

On 17 September 2024, the National Center for Personal Data Protection organized two training courses in the field of personal data protection for the representatives of the Territorial Social Insurance House (CTAS), North region, at the request of the National Social Insurance House.

The purpose of the training course was to increase the CTAS employees’ awareness of the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime of personal data in accordance with the provisions of the legislation in force.

The event discussed important topics such as: 

• definition of general notions related to the field of personal data protection; 

• rights of personal data subjects; 

• processing of special categories of personal data; 

• principles and legal grounds for processing personal data; 

• requirements relating to the protection of personal data in the performance of official duties; 

• ensuring the security and confidentiality of personal data by CTAS employees, etc.

The training courses proved to be interactive and the topics related to the legality of requests for disclosure of personal data to third parties, as well as the correct procedure for accessing personal data through the State Information Systems, were of great interest to the course participants.

During the events, which took place both in person and online, 216 CTAS representatives from Balti, Briceni, Drochia, Dondușeni, Dondușeni, Fălești, Edineț, Florești, Glodeni, Râșcani, Ocnița, Soroca and Sângerei were trained.

The training courses are part of the training plan within the CNAS structural subdivisions for the year 2024, approved and signed by the heads of NCPDP and CNAS on July 08.

The National Center for Personal Data Protection (NCPDP), for information and enforcement purposes, communicates about the administrative fine of 1 300 000 euro imposed by the Swedish Data Protection Authority (SA) on Avanza Bank AB for breach of Article 5 Principles relating to processing of personal data, Article 32 Security of processing and Article 83 General conditions for imposing administrative fines of the GDPR.

A Swedish bank has reported a personal data breach to the Swedish SA. The notification states that the bank has used the Facebook pixel (now the Meta Pixel) on its website and in its app to optimize the bank’s marketing on Facebook. An incorrect setting of the Meta Pixel meant that personal data was transferred to Meta over a longer period of time. The bank’s notification states that during November 15, 2019 and to June 2, 2021, personal data of up to one million customers was wrongly transferred to Meta.

When the bank became aware of the incident, the Meta pixel was deactivated and the personal data collected through the pixel was deleted by Meta. The bank also revised its internal procedures to ensure correct and secure processing of personal data.

Avanza Bank AB has violated the legal provisions stipulated in the GDPR by failing to implement appropriate technical and organizational measures to ensure an adequate level of security for the personal data of website visitors and app users.

In this context the Swedish SA has imposed an administrative fine of approx. 1 300 000 euro on Avanza Bank AB.

As the national supervisory authority for the processing of personal data, the NCPDP emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

From 9 to 13 September, representatives of the National Center for Personal Data Protection (NCPDP) participated in the Data Protection Academy of the Western Balkans and Eastern Partnership Region, which took place in Brussels, Belgium.

The Data Protection Academy is a project set up by the European Commission (DG JUST) to provide support and training for Data Protection Authorities (DPAs) from  Non -EU countries, giving them a platform to exchange views, best practices and lessons learned with their counterparts in the EU.

The aim of the event was to present the experience of the relevant EU institutions and bodies in implementing the GDPR, providing a comprehensive and practical overview of the challenges encountered in the GDPR implementation process.

In the framework of Data Protection Academy for the Western Balkans and Eastern Partnership Region, topics of importance were addressed, such as:

• Key data protection issues as of September 2023, with focus on legislation, implementation and international cooperation;

• Principles of public administration, with a focus on service delivery and the digital sphere, the role of privacy and personal data protection;

• The role of an Independent Data Protection Authority in the data protection ecosystem;

• The role of Data Protection Officers;

• Data protection in the era of digitization of services and artificial intelligence;

• Balancing data protection legal requirements and freedom of information legislation;

• Data protection in the context of cooperation agreements with EUROPOL and Eurojust;

• EU Digital Regulation: interaction between GDPR and new European data regulations (DSA, DMA, DGA, Data Act);

• International transfers and regulation of global data flows, etc.

The event, organized by the European Commission in cooperation with the SIGMA program, the Eastern Partnership Regional Fund for Public Administration Reforms of GIZ, the Regional Cooperation Council and the Regional School of Public Administration, brought together representatives of Data Protection Authorities from 10 countries such as: Albania, Armenia, Bosnia and Herzegovina, Georgia, Kosovo, Georgia, Kosovo, Moldova, Montenegro, North Macedonia, Serbia and Ukraine.

The National Center for Personal Data Protection (NCPDP), for information and enforcement purposes, informs about the administrative fine in the amount of 2 385 276 euro imposed by the Lithuanian Data Protection Authority (SA) on the controller of the online platform  Vinted, UAB for trading and exchange of second-hand clothes. The controller breached Article 5 – Principles relating to the processing of personal data, Article 6 – Lawfulness of processing, Article 12 – Transparency of information, communication and arrangements for exercising the data subject’s rights and Article 83 – General conditions for imposing administrative fines, of the GDPR.

Lithuanian SA initiated an investigation following complaints from applicants (users of the Vinted platform) submitted by French SA and Polish SA in 2021 and 2022, respectively, alleging that the company did not properly implement their requests regarding the right to erasure (“right to be forgotten”) and the right of access.

Upon investigation, the Lithuanian SA found that the company in its responses to the requests for erasure of personal data stated that it would not act on a specific request because the applicant in question did not identify a specific ground under Article 17(1) of the GDPR and did not identify all the purposes for which the applicants’ specific personal data would continue to be processed after the request was submitted.

At the same time, in order to ensure the security of the platform and its users, the company unlawfully applied “shadow blocking” (the processing of personal data with the intention that a person who is alleged to be in breach of the Vinted Platform Operating Principles would leave the platform without being aware of this processing of their personal data) in respect of some of the applicants in breach of the principles of fairness and transparency, and the improper implementation of these principles adversely affected the ability of platform users to exercise their other rights and seek redress under the GDPR.

In addition, the company did not ensure sufficient technical and organizational measures to implement the principle of accountability and to be able to demonstrate that it has taken (or reasonably refused to take) measures with respect to the right of access.

In this context, the Lithuanian SA decided to impose an administrative fine in the amount of EUR 2 385 276 on Vinted, UAB. When deciding on the amount of the fine, the Lithuanian SA relied on the European Data Protection Board’s Guidelines 04/2022 of May 24, 2023 on the calculation of administrative fines under the GDPR and took into account the cross-border scope of the processing carried out by the company, the fact that the breaches affected a large number of data subjects and lasted for a long period of time. 

As the national supervisory authority for the processing of personal data, the NCPDP emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the applicable legislation.

On August 29, 2024, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for the employees of the Police Inspectorate (PI) of the Riscani District of the Police Directorate of the Chisinau municipality.

The aim of the training course was to increase the PI employees’ awareness on the principles of personal data protection, as well as to ensure the correct application of the legal provisions in the field in the activity they perform.

The event discussed topics of importance such as:

Definition of general concepts related to the field of personal data protection;

Rights of personal data subjects;

Processing of special categories of personal data;

Principles and legal grounds for processing personal data;

The lawful way of processing personal data in the work of law enforcement bodies;

Requirements for the protection of personal data in the performance of police duties;

Ensuring the security and confidentiality of personal data processed, etc.

The training course proved to be very useful and interactive. The trainers from the NCPDP provided practical answers to the many questions asked by the participants. At the same time, the issues related to the disclosure of information containing personal data, the analysis carried out by the data controller in terms of access to these data, the correct procedure for accessing personal data through the State Information Systems and the correct auditing of these accesses, as well as the term of retention/storage and use of personal data at the end of the processing operations, were of great interest to the participants.

During the event were trained about 75 representatives of the Police Inspectorate of the Riscani District.

The training course is part of the training plan 2024 for the GPI subdivisions, approved and signed by the heads of the NCPDP and the GPI on January 26.

On 08 August 2024, the National Center for Personal Data Protection organized two training courses in the field of personal data protection for the representatives of the central office of the National Social Insurance House (CNAS), at their request.

The aim of the training course was to increase the CNAS employees’ awareness on the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime of personal data in accordance with the provisions of the legislation in force.

The event discussed topics of importance such as:

Definition of general notions related to the field of personal data protection;

The rights of personal data subjects;

Processing of special categories of personal data;

Principles and legal bases for the processing of personal data;

Data Protection Officer (DPO) designation issues;

Data Protection Impact Assessment issues;

Ensuring security and confidentiality of personal data by CNAS employees, etc.

The training course was an interactive one. The participants asked the trainers multiple questions regarding the processing of personal data in the daily work carried out by the CNAS representatives, the legality of requests for disclosure of personal data to third parties, the correct procedure for accessing personal data through the State Information Systems, as well as the conditions for restricting access to personal data and the unrestricted conditions for providing them.

During the events, which took place both in person and online, about 250 representatives of both the central office of CNAS and the territory offices were trained.

The training courses are part of the training plan within the CNAS structural subdivisions for the year 2024, approved and signed by the heads of NCPDP and CNAS on July 8.

On 9 August 2024, the National Center for Personal Data Protection organized two training courses in the field of personal data protection for the representatives of the Territorial Social Insurance House (CTAS), at the request of the National Social Insurance House.

The purpose of the training course was to increase the CTAS employees’ awareness of the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime of personal data in accordance with the provisions of the legislation in force.

During the event, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; principles and legal grounds for processing personal data; the requirements for the protection of personal data in the exercise of their duties; ensuring the security and confidentiality of personal data by CTAS employees; issues related to the appointment of the Data Protection Officer; issues related to the Data Protection Impact Assessment, etc.

The training course proved to be interactive, and the topics related to the disclosure of information containing personal data, as well as the analysis carried out by the data controller (CNAS), in terms of access to these data, the term of storage and use of personal data at the end of processing operations, as well as ensuring technical and organizational measures in accordance with the provisions of the legislation in the field, were of great interest to the participants.

About 165 CTAS representatives from Chisinau, Anenii Noi, Ialoveni, Causeni, Hâncesti and Stefan Voda municipalities were trained during the events, which took place both in person and online.

The training courses are part of the training plan within the CNAS structural subdivisions for the year 2024, approved and signed by the heads of NCPDP and CNAS on July 08.