Newsletter No 17
I. Information and training activities carried out by the NCPDP
In the first quarter of 2024 (January – March), the National Centre for Personal Data Protection (NCPDP) continued to make progress in the area of information and awareness-raising activities in the field of personal data protection.
During the reporting period, the training courses for the subdivisions of the General Inspectorate of Police (GPI), initiated in 2023, continued to be organised according to the training plan approved and signed by the heads of the NCPDP and GPI on 26 January 2024.
Their purpose was to increase the perception of GPI subdivision employees on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in this field and in the activity they carry out. During the events important topics were addressed, such as: definition of general notions related to the field of personal data protection; the legal way of processing personal data in the activity carried out by the employees of the GPI’s subdivisions; the requirements of personal data protection in the exercise of their duties; the obligations of the police body as a data controller in relation to the data subject; the correct procedure of accessing personal data through the state informational systems, as well as keeping correct records of the audit of such accesses; ensuring the security and confidentiality of personal data processed etc.
Thus, training courses were organised for the following subdivisions:
- 30 January – National Public Security Inspectorate of the GPI (Operational Coordination Directorate, Patrol Police Directorate, Public Order Directorate etc.);
- 02 February – National Public Security Inspectorate of the GPI (Special Missions Escort Section, Patrol Section “Chisinau” of the Patrol Directorate “Centre” etc.);
- 26 February – Northern Patrol Directorate of National Public Security Inspectorate;
- 26 February – Directorate of National Investigation Inspectorate “North”.
In this context, about 200 representatives from the GPI subdivisions were trained.
At the same time, the information and awareness-raising campaign for school communities continued during the reporting period with the title: “Personal data protection and children’s safety online”. The aim of the campaign was to provide the school community with high visibility on data protection and child safety online at local and national level by promoting empowerment and best practices for intervention and support. The topics covered in the training included: general notions on personal data; correct use of pictures/video online; risks and threats online; communication on social networks etc. The training course was organised on 25 January for the Public Institution “Theoretical Lyceum ‘Spiru Haret’”, Chisinau. The event took place within the Personal Development class, the target audience being the pupils of the 5th “B” class. In this context, 36 pupils were trained.
On 21 February 2024, the training plan in the field of personal data protection for Border Police staff was approved and signed by the heads of the NCPDP and the General Inspectorate of the Border Police (GIBP) for organizing several training courses. The purpose of these was to increase the awareness of the employees of the GIBP’s subdivisions on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field and in the activity they carry out. Thus, training courses were organised for the following subdivisions:
- 06 March – GIBP Northern Regional Directorate (2 training courses);
- 13 March – GIBP Southern Regional Directorate (2 training courses);
- 20 March – GIBP Eastern Regional Directorate (2 training courses);
- 27 March – GIBP West Regional Directorate (2 training courses).
In this context, about 250 representatives from GIBP subdivisions were trained.
During the reporting period, the NCPDP has shown openness and a spirit of cooperation, organising multiple training courses for representatives of public institutions at their request. The training courses aimed at familiarising public officials with the aspects of personal data protection in the public service, the regulation of processing procedures, as well as the personal data confidentiality and security regime in accordance with the legislation in force.
During the events important topics were discussed, such as: definition of general notions related to the field of personal data protection; principles and legal grounds for processing personal data; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO) and his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA) and the steps to carry out a DPIA etc. Thus, training courses were organised for the following institutions:
- 07 February – Chisinau City Hall;
- 08 February – National Financial Market Commission;
- 23 February – Ministry of Health;
- 15 March – Râșcani District Court;
- 21 March – Chisinau Court;
- 22 March – Agency for Intervention and Payments for Agriculture;
- 26 March – Ministry of Economic Development and Digitalisation.
In this context, about 285 representatives of public institutions were trained.
II. Control activity
From January to March 2024, the NCPDP started the verification of compliance on personal data processing operations in 87 cases. During the reporting period, 96 decisions were issued, of which 34 cases were found to be in violation of the legal provisions, and 38 infringement notices were issued, which were subsequently handed over to the court for resolution.
III. Findings of the National Centre for Personal Data Protection
I. The NCPDP has examined the complaint of a data subject – the director of a technical educational institution concerning the alleged non-compliant processing of personal data of 96 employees of the institution by a former employee.
During the investigation, from the materials gathered, the NCPDP deduced that the latter, having access to the school’s archives during his period of activity, collected and disclosed information containing personal data of the institution’s employees such as: name, surname, position and salary to the Ministry of Education and Research in the form of a complaint regarding certain abuses committed by the administration of the institution during the period when he was employed, and the documents attached to the complaint served as evidentiary material to prove the allegations made by the latter.
Reference is made to the provisions of Art. 69 para. (2) of the Administrative Code, which stipulates that, in case of a petition, the public authority is obliged to initiate an administrative procedure.
In this context, the NCPDP points out that the disclosure of information containing personal data may not contravene the principles of protection of personal data, as long as it is necessary for the fulfilment of a legitimate interest of the individual towards the competent bodies, for the purpose of proving certain facts in order to defend his rights and interests or those of society as a whole. In the case under examination, the processing of personal data was relevant to the purpose for which they were disclosed, in the circumstances in which the situation complained of by the controller to the Ministry of Education and Research also concerned employees whose personal data were recorded in the documents annexed to the complaint.
In the circumstances set out above, it should be noted that, in the light of Art. 5(5)(b) of the Law 133/2011, the consent of the personal data subject is not required where the processing is necessary for the purposes of complying with a legitimate interest of the controller or of the third party to whom the personal data are disclosed, provided that this interest does not adversely affect the interests or fundamental rights and freedoms of the personal data subject.
Thus, the NCPDP found that the processing of personal data of the persons reflected in the lists submitted by the former employee to the Ministry of Education and Research was not in contradiction with the principles of protection of personal data, or such processing of personal data was based on a legitimate interest, which is provided for in Art. 5 para. (5) (e) of Law 133/2011.
II. The NCPDP received a complaint from an individual concerning the verification of the lawfulness of the processing of personal data by means of a video surveillance system that was installed in the staircase of a residential block as well as on the outside wall of the block by her neighbour.
In the case in question, the NCPDP found that the video surveillance system processes the personal data (image) of data subjects registered at the address of the apartment block and of visitors, since the angle of capture of the surveillance cameras monitors/records video of the space that is the common part of the block (the entrance to the block, the staircase of the block, the common courtyard and the public road) which is crossed daily by a large number of individuals (the tenants of other entrances), thereby infringing their fundamental rights and freedoms in excess of the declared purpose.
Thus, the NCPDP has found that if the video surveillance carried out by means of the video surveillance camera managed by the controller extends to the common space or public space and, consequently, is directed outside the private zone of the person processing personal data by these means, it cannot be considered as an activity exclusively “for personal or family needs”.
However, even if there is the consent/agreement of the tenants at the staircase to process personal data by means of the video surveillance system, it is noted that in the case of apartment blocks, a video surveillance system could only be installed by the Condominium Owners’ Association at the entrance/exit to/from the apartment blocks, on the external perimeter of the building, as well as in the spaces adjacent to them (parking spaces, access roads etc.).
Based on the provisions of Art. 34(3)(f) of the Condominium Act and Art. 546(1) and 546(2) of the Civil Code, if video surveillance takes place on a common area of the condominium, then only the Condominium Owners’ Association would have a legal basis to process personal data for this purpose.
Furthermore, it was determined that the video surveillance camera had an audio recording function.
Thus, it has been emphasised that, before installing video surveillance cameras with audio recording, the operator must always critically examine whether this measure is, firstly, appropriate to achieve the desired objective and, secondly, proportionate and necessary for its purposes, in relation to the fundamental rights and freedoms of the data subjects. However, during data processing, not only the private conversations of family members and data subjects, but also of third persons who come within the range of the video/audio recording devices are recorded and stored, thus breaching the principle of inviolability of privacy, enshrined in Art. 28 of the Constitution of the Republic of Moldova, according to which the State respects and protects the intimacy, as well as family and private life.
Therefore, the collection/recording of the image and voice of the personal data subjects by means of the video surveillance cameras in question constitutes an excessive and disproportionate measure in relation to the stated purpose.
In this regard, it was determined that the collection of the category of personal data, such as image and voice, by means of the video surveillance system complained of, was contrary to the provisions of Article 4(4) of the Personal Data Protection Act, and the processing of personal data through the video surveillance system complained of was ordered to cease.
III. The NCPDP examined the complaint of a personal data subject concerning the alleged non-compliant personal data processing operations carried out by an educational institution, manifested by the publication of an audio recording of him and his minor child on the institution’s social network “Facebook”, invoking the right of reply, followed by a media conflict.
In this context, the decision found that the processing of personal data concerning the data subject was carried out in breach of the provisions of Art. 4 para. (1) lit. a), b), c) and Art. 5 of Law no. 133/2011 on the personal data protection, emphasising that no legal basis was identified for the publication of personal data on the “Facebook” page, which is open to the general public, and that the invocation of the right to reply is not relevant. The NCPDP did not question or deny the right of the controller to reply or to deny false reports, but all these actions were to be carried out in compliance with all the principles of personal data processing established by Law no. 133/2011. Moreover, given that the case involved a minor, the NCPDP held that the purpose invoked could be achieved through the use of harmless and less intrusive means in the minor’s private life.
IV. The NCPDP examined the complaint of a Public Association with a request for a verification of the lawfulness of the personal data processing by a public person, manifested by the publication of a video sequence on the channel “YouTube”, which contains the personal data of a minor.
During the investigation it was determined that the image of the minor was clear and led to her identification, and several personal details of the minor were communicated, such as her name and surname, address, date and year of birth, age, sex, state of health etc.
Based on the circumstances described, the NCPDP found that the online placement of information containing the minor’s personal data was excessive and unfounded and took place contrary to the legal provisions set out in Articles 4, 5 and 29 of Law No. 133/2011 on the personal data protection.
However, the public person, as data controller, had to ensure the personal data confidentiality, the blurring of the facial image and the non-disclosure in the public domain of information leading to the identification of the minor.
IV. Supervisory activity
In order to provide methodological and advisory support to personal data controllers and/or processors, more than 30 telephone consultations and 10 responses via e-mail were provided and recommendations were proposed to resolve discrepancies identified by the data controller.
V. International and European news
- On 26 January 2024, the NCPDP, in collaboration with TAIEX project experts, organised the national conference “Raising Awareness of Convention 108+”.
The aim of the conference was to raise awareness of both public institutions and the private sector about Convention 108+ as a viable tool to facilitate international data transfers, thus ensuring an adequate level of protection for data subjects globally.
The conference was moderated by data protection experts from Italy, Slovenia and Spain. Among the topics addressed by the experts were:
- The impact of Convention 108+ on adequacy decisions and data transfers, with a focus on compliance with the EU acquis;
- Convention 108+ as a viable tool to facilitate international data transfers while ensuring an adequate level of protection for individuals worldwide;
- Convention 108+ as a bridge between legal regimes and countries;
- The ratification process of Convention 108+;
- Lessons learned and advice from ratifying countries;
- Convention 108+: Evaluation and Review Mechanism etc.
The event was attended by about 100 representatives from both public institutions and the private sector.
The event was organised and funded by the European Commission Technical Assistance and Information Exchange Instrument (TAIEX).
- On 13-14 February, the representative of the NCPDP attended the 90th plenary meeting of the European Data Protection Board (EDPB), which was organised with physical attendance. During the meeting, some important documents for the EDPB’s activity were discussed, analysed and adopted, which will be submitted as recommendations to the Data Protection Authorities later.
One of the working aspects of the plenary focused on the adoption of the Opinion on the notion of main establishment and on the criteria for the application of the One-Stop-Shop mechanism, following an Art. 64 (2) GDPR request by the French Data Protection Authority (DPA). It was specified that the EDPB considers that the One-Stop-Shop mechanism can only apply if there is evidence that one of the establishments of the controller in the Union takes decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. Therefore, where decisions on purposes, means and the power to implement those decisions are exercised outside the Union, there should be no main establishment under Article 4(16)(a) of the GDPR and the One-Stop-Shop mechanism should not apply.
The plenary session made clear how the Supervisory Authorities should apply Article 4(16)(a) of the GDPR in practice in order to ensure its consistent application. In particular, it was reiterated that the burden of proof as to where the relevant processing decisions are taken and where the power to implement such decisions exists in the Union ultimately lies with controllers and that they have an obligation to cooperate with supervisory authorities.
The next issue discussed at the EDPB plenary session was the adoption of the Statement on the legislative developments regarding the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. The Statement follows the EDPB-EDPS Joint Opinion on the European Commission’s Proposal for a Regulation and focuses on the latest legislative developments, in particular the position of the European Parliament of November 2023.
During the plenary, the EDPB also discussed the scope of the guidance related to the “Consent or Pay” model. In addition to the upcoming Art. 64 (2) Opinion, which will address the Consent or Pay model in the context of large online platforms, it was agreed that there is a need to consecutively develop Guidelines with a broader scope.
- On 11-13 March 2024, representatives of the NCPDP participated in the “Learning and Networking Week in Estonia on Personal Data Protection in Digital Era”, which took place in Tallinn, Estonia.
The aim of the event was to present the Estonian experience in the GDPR implementation process, providing a comprehensive and practical overview of the challenges that have arisen in the implementation process.
At the same time, given that Estonia is known as a global leader in the digitisation of public services and ranks 3rd in the Global Cybersecurity Index as the most secure country, information was presented on how the processing of personal data is organised in public institutions, as well as on new trends in the process of ensuring cybersecurity.
During the “Learning and Networking Week in Estonia on Personal Data Protection in Digital Era”, some important topics were addressed, such as:
- Challenges of the Estonian Data Protection Authority before and after the GDPR;
- Processing of personal data in public databases: processing practices and access to such data;
- GDPR case law: significant trends and findings from Estonian judicial and supervisory practice;
- Privacy vs. data reuse in the context of a digitally modernised society: challenges and recommendations;
- Data sharing and personal data protection;
- Cybersecurity etc.
The event was organised by the Eastern Partnership Regional Fund for Public Administration Reform (implemented by the German International Cooperation Agency (GIZ) and funded by the German Federal Ministry for Economic Cooperation and Development (BMZ)) and brought together representatives of Data Protection Authorities from Moldova, Armenia, Georgia and Ukraine.
- From 11 to 13 March 2024, representatives of the NCPDP made the study visit “Processing of personal data through video surveillance systems”. The event was hosted by the Spanish Data Protection Authority (AEPD) – Agencia Española de Protección de Datos.
The purpose of the event was both to take up legal and operational best practices on the use of video surveillance means, and to provide employees of the NCPDP with the skills and resources necessary to effectively address issues related to the processing of personal data through video surveillance systems, in accordance with current legislation and in the interest of protecting the rights of data subjects.
During the study visit, moderated by experts in the field of personal data protection from the AEPD, topics of importance were analysed in depth, such as:
- The evolution of video-surveillance regulations, the latest legislative changes and regulations related to personal data processing through video-surveillance systems, with a focus on GDPR regulations;
- Data subjects’ rights and ethics in video-surveillance;
- Reception and classification of complaints;
- Inspection procedures and instructions;
- Technical and organisational measures to ensure the security of personal data;
- Promotion of technologies applied to video-surveillance etc.
The study visit was organised with the support of the EU TAIEX Project – Technical Assistance and Information Exchange Instrument, managed and funded by the Directorate-General for European Neighbourhood Policy and Enlargement Negotiations (DG NEAR) of the European Commission.
VI. Other data protection authorities
- On 22 January, the final decision of the Belgian SA of 16 January 2024 was announced, imposing a fine of €174,640 for breach by Black Tiger Belgium of the Art. 5 Principles relating to processing of personal data, Art. 6 Lawfulness of processing, Art. 12 Transparent information, communication and modalities for the exercise of the rights of the data subject, Art. 14 Information to be provided where personal data have not been obtained from the data subject, Art. 15 Right to access by the data subject, Art. 24 Responsibility of the controller, Art. 25 Data protection by design and by default and Art. 30 Records of processing activities of the GDPR.
The Belgian SA received a complaint about the processing activities carried out by BISNODE BELGIUM, which was subsequently taken over by the French BLACK TIGER GROUP and renamed BLACK TIGER BELGIUM (hereinafter “BTB”), claiming that the company had indirectly collected and unlawfully processed personal data of the plaintiffs for over 15 years, without properly informing them beforehand.
Following the investigation, the Belgian SA found that BTB could not rely on its legitimate interests, since the personal data collected indirectly could not be deemed necessary to pursue the interest of maintaining updated records of the data subjects. At the same time, the Belgian SA also found that the interests of BTB were overridden by the fundamental rights of the data subjects, due to the lack of information provided proactively and individually to them, the context of the processing and the nature of the personal data, as well as the retention period of 15 years. Moreover, BTB did not properly consider all the risks derived from the processing, including the risks of invisible discrimination of the data subjects, when balancing the interests at stake.
In addition, the Belgian SA established that BTB did not adequately respond to the plaintiffs’ requests under Article 15. Lastly, the Belgian SA found the record of processing activities to be incomplete.
In this context, the Belgian SA imposed three administrative fines on BTB, amounting to a total of €174,640. These fines relate to the unlawful and unfair processing of personal data without informing data subjects in a proactive, individual and transparent manner; to the failure to respond appropriately to data access requests; and lastly to various infringements relating to the record of processing activities.
Additionally, the Belgian SA imposed several corrective measures on BTB, including a temporary ban of the processing of the personal data of data subjects for whom BTB possesses contact details, until BTB has individually notified them about the processing of their data and given them an opportunity to object to the processing.