Newsletter

Newsletter No. 24

117 Views

I. Information and training activities carried out by NCPDP

In the last quarter of 2025 (October – December), the National Center for the Protection of Personal Data (NCPDP) continued to register important developments in the achievement of its objectives, placing particular emphasis on planning and carrying out activities aimed at informing and raising public awareness regarding the importance of personal data protection. In this sense, various initiatives of an educational nature and information campaigns have been implemented, aimed both at clarifying citizens’ rights regarding the processing of personal data and at encouraging the adoption of responsible behavior in protecting them.

Through these actions, NCPDP aimed not only to increase the level of knowledge of the applicable normative framework, but also to promote an organizational and social culture based on respect for data confidentiality and security. This approach aims both at ensuring compliance with national and European legislation and at strengthening citizens’ confidence in personal data protection mechanisms.

During the reference period, the organization of training courses for the subdivisions of the General Police Inspectorate (GPI) continued, according to the training plan approved and signed by the heads of the NCPDP and GPI, on January 28, 2025.

Thus, training courses were organized for the following subdivisions:

October 21 – Florești Police Inspectorate;
04 November – Leova Police Inspectorate;
18 November – Nisporeni Police Inspectorate;
December 3 – Ocnița Police Inspectorate.

In this context, 212 representatives from the GPI subdivisions were trained.

At the same time, the organization of training courses for the subdivisions of the General Inspectorate of the Border Police (GIBP) continued, according to the training plan approved and signed by the heads of the NCPDP and GIBP, on January 28, 2025. Thus, training courses were organized for the following subdivisions:

01 October – General Inspectorate of the Border Police, West Regional Department;
October 15 – Border Police Unit “Chisinau International Airport”;
December 17 – General Inspectorate of Border Police.

In this context, 213 representatives from the GIBP subdivisions were trained.

In the same way, the organization of training courses for employees within the structural, specialized and territorial subdivisions of the General Inspectorate for Migration (GIM) continued, according to the training plan approved and signed by the heads of the NCPDP and GIM, on January 27, 2025.

Thus, on November 21, the training course was organized for the Central Regional Department of GIM, training 16 representatives.

At the same time, during the reference period, NCPDP demonstrated openness and spirit of collaboration, organizing multiple training courses for representatives of public/private institutions, at their request.

Thus, training courses were organized for the following entities:

October 1 – Romanian Investors Association;
October 3 – Agency for Digitization in Justice and Judicial Administration;
October 6 – Refugee Council, Dondușeni;
13 October – Customs Service;
October 17 – National Center for Sustainable Energy;
October 22 – Military Academy of the Armed Forces „Alexandru cel Bun”;
31 October – Ministry of Finance;
06 November – Superior Council of Magistrates;
November 25 – Parliament of the Republic of Moldova;
10 December – State Social Inspectorate;
11 December – Ministry of Infrastructure and Regional Development;
December 12 – Ministry of Culture.

In this context, 633 representatives of the entities mentioned above were trained.

The purpose of the training courses aimed to familiarize with the aspects related to the field of personal data protection, the regulation of processing activities, as well as with the regime of confidentiality and security of personal data in accordance with the legislation in force. During the events, important topics were discussed, such as: defining the general notions related to the field of personal data protection; principles and legal grounds for the processing of personal data; the rights of personal data subjects; processing special categories of personal data; requirements regarding the protection of personal data, in the exercise of service duties; ensuring the security and confidentiality of processed personal data; aspects related to the appointment of the Data Protection Officer (DPO), as well as his obligations and tasks; aspects related to the Data Protection Impact Assessment (DPIA), as well as the stages of carrying out a DPIA, etc.

At the same time, the information and awareness campaign for the school community was continued with the generic: „Protection of personal data and safety of children in the online environment”. The aim of the campaign was to increase children’s awareness and education regarding: the importance of personal data protection; identifying risks in the online environment; adopting responsible, safe and informed behavior in the digital space to support children to browse the Internet safely, ethically and informed, reducing their vulnerability to online threats. The topics addressed during the trainings concerned: what is personal data; how to protect your personal data online; risks and threats in the online environment; safety on online communication and gaming platforms, etc.

Thus, several training courses were organized:

October 13 – PITHS „Tudor Vladimirescu”, Chisinau;
November 5 – PITHS „Universul”, Chisinau;
November 14 – PITHS „Ștefan cel Mare” , Chisinau;
December 3 – Art School, Ialoveni.

The events took place during the Personal Development class, the target audience being the 4th grade students. In this context, 163 students were trained.

II. Control activity

Between October – December 2025, NCPDP initiated the verification of the compliance of personal data processing operations in 55 cases. During the reference period, 106 decisions were issued, of which in 41 cases, violations of legal provisions were found. During the same period, 46 reports on the contravention were concluded, which were subsequently submitted to the court for resolution.

III. Findings of the National Center for the Protection of Personal Data

1. NCPDP examined the complaint of a personal data subject, which concerned the alleged non-compliant operations of processing personal data, manifested by the disclosure on the Facebook social network of the copy of the petitioner’s notification addressed to a public authority, which integrated the personal data of the data subject, namely: name, surname, home address and contact number.

The online publication of such data constitutes a form of personal data processing, within the meaning of Article 3 (1) of Law No 133/2011.

The social network Facebook, by its nature, does not provide effective control over access to published data, which causes a major risk of access, copying, distribution and reuse of information by third parties. Thus, the act of the controller was likely to expose the person concerned to harm to private life, dignity and personal security, which contravenes the principle guaranteed by art. 8 of the Charter of Fundamental Rights of the European Union and art. 4 paragraph (1) letter e) of Law no. 133/2011.

Although the controller has failed to provide information that would justify the purpose of publishing the information contained in the notification, it is noted that, even in the event of a possible desire to manifest its right to freedom of expression, the right to personal data protection must be reconciled with the right to freedom of expression and information and the controller is to ensure that the processing is proportionate, non-excessive necessary and justified for significant reasons of public interest.

Data that are not relevant to the goal achieved should not be published. Even if the information was obtained and kept correctly, it must be analyzed separately which information is correct to publish. It should be determined how much personal data needs to be published to properly relate a history, balanced against the level of intrusion into the privacy of data subjects and the potential harm this can cause. The controller should depersonalize personal data before publication, in situations where their disclosure is not necessary for the full presentation of the reported facts.

Thus, the NCPDP determined, in the case, the violation of the provisions of art. 4 paragraph (1) letter a), c) and art. 5 paragraph (1) of Law no. 133/2011 on personal data protection and in the case initiated the contravention procedure.

2. NCPDP examined the complaint of a personal data subject, which concerned the alleged non-compliant activities of personal data processing, carried out by the responsible person within a communal Council, manifested by the publication of a Decision regarding the designation of the candidates of the members for the establishment of the bodies electoral, with the annex containing confidential information of the members of the electoral bodies (name, surname, IDNP, year of birth, contact details), in the State Register of Local Acts (SRLA) and on the web page of the local public authority.

Thus, by the NCPDP Decision it was found that the processing of personal data concerning the data subject was carried out in violation of the provisions of art. 4 para. (1) letter a), b) and c), art. 5 and art. 29 para. (1) of Law no. 133/2011 on personal data protection, emphasizing that, administrative documents containing such personal data cannot be published/publicly viewed in their initial/full form, access to them in SRLA being restricted and viewing documents in full format is possible only for authorized employees in the manner established by Government Decision no. 672/2017 for the approval of the regulations regarding the State Register of Local Documents. In this context, the spectrum of information concerning the subject whose personal data have been processed does not correspond to the principles of proportionality, adequacy, relevance and non-excessive in terms of data processing.

3. The NCPDP received the complaint of a personal data subject regarding the alleged illegal processing of personal data concerning him carried out by an ascertaining agent of a specialized subdivision within a public authority, who, without a legal basis, accessed/processed and extracted personal data after adopting the solution on the side of a contravention process and concluding the minutes regarding the contravention, with the subsequent sending of the information to the court.

In these circumstances, the NCPDP initiated the verification of compliance with the provisions of Law no. 133/2011 on personal data protection, when processing the personal data of the data subject.

From the materials accumulated during the control procedure, it was established that the processing activity of the data subject personal data, manifested by the consultation and extraction of the information from an automated record information system by the ascertaining agent, aimed to prepare and remitt the contravention file in court, following the appeal against the minutes regarding the contravention submitted by the data subject.

Under these conditions, the lack of violation of the provisions of Law no. 133/2011 regarding the personal data protection by the ascertaining agent, or, the annexation and remittance by them, of some evidence/documents containing the personal data of the data subject to the court examining the appeal filed by the data subject against the minutes regarding the contravention, it cannot be qualified as non-compliant processing, as long as the court to which personal data is communicated uses it in the exercise of the powers established by law.

IV. Prevention activity

During the reference period, in order to carry out the advisory tasks, in addition to the multiple answers provided, for advisory purposes, 90 consultations were provided by phone, via e-mail or at the authority’s headquarters.

V. International and European News

– The NCPDP high management participated in the 109th Plenary Meeting of the European Data Protection Board (EDPB), which took place from 7 to 8 October 2025 in Brussels, Belgium.

During the meeting, the EDPB and the European Commission approved their first joint guidelines on the interaction between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). These guidelines have been developed to facilitate the consistent application of both normative acts and to strengthen legal certainty for authorities, companies, users and individuals.

In line with the EDPB Strategy 2024-2027 and the objectives of the Helsinki Declaration, the Committee cooperated with the European Commission, each within its competences, to support the coherent implementation of the DMA and the GDPR. Although DMA and GDPR pursue different goals – GDPR protects the rights and privacy of individuals, and DMA promotes fairness and accountability in digital markets – their goals complement each other, addressing interconnected challenges in the digital environment.

Several provisions of the DMA involve the processing of personal data by the persons responsible for data control, and certain articles make explicit reference to definitions and concepts provided for in GDPR.

Based on these first common guidelines, work continues to clarify the interregulatory framework and ensure coherent and consistent data protection safeguards. In this regard, the EDPB is working with the European Commission, including the European AI Office, to develop common guidelines on the interaction between the AI Act and EU data protection legislation.

-From November 3-5 this year, NCPDP representatives participated in the 49th plenary meeting of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), which took place in Strasbourg, France.

During the Meeting, topics of importance were discussed, including:
Convention 108+, current ratifications and accessions;
Cross-border flows of personal data;
Data protection in the context of large language models (LLMs);
Cooperation with other bodies and entities of the Council of Europe;
Major developments and activities in the field of data protection, etc.

At the same time, after a detailed analysis, the Committee adopted the Work Program for the period 2026–2029, which will be implemented starting from January 2026. The document outlines the strategic directions regarding: strengthening the legal framework of Convention 108+; addressing emerging risks in the field of AI and neurodigital technologies; development of international cooperation tools and technical assistance for member and partner states. The status of the development of the Data Protection Guide in the context of neuroscientific research was also presented, with Member States invited to submit comments by 21 November 2025 and the document will be analyzed in detail at the next plenary session.

The plenary meeting demonstrated the dynamic and evolving nature of the European data protection regulatory framework. The Consultative Committee of Convention 108 continues to play a critical role in guiding public policy, defining the ethical principles of digitization and promoting responsible data governance globally. Participation in this session constituted a valuable occasion for exchanging expertise and strengthening international cooperation, reaffirming our State’s commitment to protecting fundamental rights in the digital age.

-From 1 to 5 December, representatives of the NCPDP participated in the third edition of Data Protection Week, which took place in Brussels, Belgium, an event hosted by the European Commission and the EDPB.

The third edition of the Data Protection Week brought together the supervisory authorities from the Eastern Partnership states and the Western Balkans, with the objective of strengthening institutional capacities and facilitating continuous alignment with European standards in the field of data protection.

During the event, important topics were addressed, such as: international data flows and their global governance, analyzing recent developments regarding the European framework for international transfers, compliance and cooperation mechanisms with external partners, as well as strategic trends that define the role of the European Union in the global architecture of data governance; algorithmic decision-making processes, the experts illustrated the risks associated with the use of automated systems, addressing essential principles such as transparency, accuracy and avoidance of discrimination; EDPB surveillance activities in the field of artificial intelligence, highlighting the roles and responsibilities of EDPS and EDPB in the surveillance of AI systems and describing coordination mechanisms between national authorities and European institutions for the coherent application of regulatory standards; monitoring emerging technologies, EDPS experts presenting the tools and activities used to assess the impact of innovative digital solutions; data protection in the context of artificial intelligence, in which EDPS’s new responsibilities in the supervision of AI systems under the EU AI Act were analyzed. At the same time, activities dedicated to the exchange of experience between the data protection authorities of the Western Balkans and those of the Eastern Partnership were carried out, facilitated by GIZ and SIGMA experts, discussions aimed at strengthening institutional capacities, operational challenges encountered in the surveillance activity, as well as the identification of effective cooperation mechanisms between regions.

The participation of NCPDP representatives in the third Data Protection Week demonstrated the importance of the active involvement of the Republic of Moldova in regional and European initiatives in the field of data protection, contributing to the continuous alignment of the national framework with European Union standards and strengthening the institutional role of NCPDP in the process of European transition.

The event, organized within the Project “Public Administration Reform in the Eastern Partnership Countries”, phase III, implemented by GIZ and authorized by the Federal Ministry for Economic Cooperation and Development, brought together representatives of the Data Protection Authorities from Armenia, Moldova, Ukraine, Albania, Bosnia and Herzegovina, Kosovo, Montenegro, North Macedonia and Serbia.

VI. Other data protection authorities

-The Italian Data Protection Authority (SA) imposed fines in the amount of 3 million euros for the company Acea Energia spa and 850 00 euros to the agencies involved for violating art. 5 par. (1), art. 6, art. 7, art. 13, art. 24, art. 25, art. 28, art. 29, art. 32 of the GDPR and art. 130 of the Italian Data Protection Code.

The Italian SA carried out investigations, together with the Guardia di Finanza, following a complaint regarding the illegal activity of unauthorized call centers. They contacted people for offers regarding the energy or telephone provider, using databases obtained without consent and without being registered in the Register of Communications Controllers (RCC).

Investigations showed that the personal data of customers who had recently changed their energy supplier was being used to persuade them, through misleading methods, to sign new contracts. The data came from the network of partner companies, without informing the data subjects.

Although representatives of the energy company were in contact with telemarketing agencies, it revoked the collaboration and applied corrective measures once it learned of the irregularities.

In this context, Italian SA imposed fines in the amount of 3 million euros on the company Acea Energia spa and 850 00 euros on the agencies involved. The company must notify affected persons and verify the legality of subcontractors, and agencies can no longer use legally unjustified contact lists.

-Administrative fine in the amount of 4,022,773 euros for McDonald’s Polska and 43,680 euros for 24/7 Communication applied by the Polish Data Protection Authority (SA) for the violation of Article 5 (Principles related to the personal data processing), Article 24 (Responsibility of the controller), article 25 (Data protection by design and by default), article 28 (Processor), Article 32 (Security of processing), Article 34 (Communication of a personal data breach to the data subject) and Article 38 (Position of the data protection officer) of the GDPR.

McDonald’s company Polska sp. z o. o. (McDonald’s) notified a data security breach, as controller, finding that the following data of its employees and its franchisees were included in the shared file in the public catalogue: names, personal identification numbers (PESEL numbers), passport numbers (if the PESEL number is not available), McDonald’s restaurant number, start date and time, end date and time, number of hours worked, holidays, type of activity, etc.

Following the investigation, it was found that neither the controller (McDonald’s Polska) nor the processor (24/7 Communication) carried out a risk analysis and did not implement sufficient technical and organizational measures for personal data protection. In addition, the data protection officer was not properly involved and the partners’ audit and monitoring obligations were not fulfilled.

The Polish SA emphasized that responsibility for data protection lies both with the companies that collect and manage personal data and with their contractual partners. Security measures must be constantly checked and updated, not just at the beginning of data processing.

In this context, Polish SA imposed an administrative fine in the amount of 4,022,773 euros on McDonald’s Polska and 43,680 euros on 24/7 Communication.

-The administrative fine of 1.8 million euros applied by the Finnish Data Protection Authority (SA) to S-Bank for violating Article 5 (Principles related to processing of personal data), Article 25 (Data protection by design and by default) and Article 32 (Security of processing) of the GDPR.

Following the notification sent by S-Bank in August 2022, the Finnish SA initiated an investigation regarding a security breach that affected a significant number of the bank’s customers. The vulnerability occurred in April 2022, with the release of a new authentication mechanism. Due to a software error in the authentication service, logging into the online bank and access to digital services using strong authentication was possible using the login data of other customers. This technical failure remained exploitable for more than three months and some of the customers were directly affected.

Following the investigation, the lack of adequate security measures and appropriate technical and organizational controls by the bank was found. Deficiencies include: insufficient testing of new functionality before implementation; failure to identify vulnerability in the development and testing stage and inadequate response to customer alerts for authentication anomalies.

In this context, the Finnish SA imposed an administrative fine of 1.8 million euros to the controller for violating the provisions of articles 5(1)(f), 25(1), 32(1) and 32(2) of GDPR and issued a reprimand for non-compliance with data protection legislation.

When determining the amount of the fine, the Finnish SA took into account the need to protect the rights of the persons concerned, the general seriousness of the incident, as well as the fact that the bank had previously been warned about its obligations. The fine was also adjusted in the context of a separate penalty issued in May 2025 by the Finnish Financial Supervisory Authority, which imposed a fine of €7,670,000 on S-Bank for deficiencies in operational risk management in relation to the same set of events.

Newsletter No. 21

380 Views

I. Awareness-raising, communication and training activities carried out by the NCPDP

In the first quarter of 2025 (January-March), the National Center for Personal Data Protection (NCPDP) continued to make progress in the area of information and awareness-raising activities for the general public in the field of personal data protection.

During the reporting period, the organization of training courses for the subdivisions of the General Police Inspectorate (GPI) continued, according to the training plan approved and signed by the heads of the NCPDP and GPI on 28 January 2025.

Thus, training courses were organized for the following subdivisions:

February 04 – Anenii Noi Police Inspectorate;
March 11– Basarabeasca Police Inspectorate.

In this context, about 84 representatives of the GPI subdivisions were trained. At the same time, continued the organization of training courses for the subdivisions of the General Inspectorate of Border Police (GIBP), in accordance with the training plan approved and signed by the heads of the NCPDP and GIBP on January 28, 2025. Thus, on March 12, a training course was organized for the General Inspectorate of Border Police, with 45 representatives being trained.

On January 27, 2025, it was approved and signed by the leaders of the NCPDP and the General Inspectorate for Migration (IGM), training plan in the field of personal data protection for employees within the structural, specialized and territorial subdivisions of IGM.

Thus, training courses were organized for the following subdivisions:

February 26 – Southern Regional Directorate of IGM;
March 26 – Central Regional Directorate of IGM;
March 28 – Structural and Specialized Subdivisions of IGM.

In this context, 61 representatives from IGM subdivisions were trained.

During the reference period, NCPDP demonstrated openness and a spirit of collaboration, organizing multiple training courses for representatives of public/private institutions, at their request.

Thus, training courses were organized for the following institutions:

January 13 – State Enterprise “Moldelectrica”;
February 14 – maib;
March 13 – Higher School of Tourism and Hotel Services within ASEM;
March 18 – National Agency for the Prevention and Combating Violence against Women and Domestic Violence;
March 25 – National Agency for Solving Complaints;
March 26 – Chisinau Probation Office.

In this context, 251 representatives of the above-mentioned institutions were trained.

The aim of the training courses was to increase the NOSI employees’ awareness of the principles of personal data protection, as well as to familiarize them with the personal data confidentiality and security regime in accordance with the provisions of the legislation in force. During the events, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; principles and legal grounds for the processing of personal data; issues related to the appointment of the Data Protection Officer (DPO); aspects related to the Data Protection Impact Assessment; as well as the steps of carrying out a DPIA, etc.

In this regard, the information and awareness-raising campaign for the school community was continued under the title: “Personal data protection and child safety in the online environment“. The aim of the campaign was to provide the school community with high visibility on personal data protection and child safety online at local and national level by promoting empowerment and best practices for intervention and support. The topics covered in the trainings were: general notions on personal data; the correct use of photos/video online; risks and threats online; safety on online communication and gaming platforms, etc. Thus, several trainings were organized:

January 27 – IPLT “Ștefan cel Mare”, Chișinău;
March 27 – Fundul Galbenei Gymnasium, Hâncești;
March 27 – “Anton Bunduchi” Gymnasium, Hâncești

The events took place in the framework of the Personal Development class, the target audience being 4th grade students. In this context, 92 students were trained.

Furthermore, during the reference period, the NCPDP hosted two Study Visits:

February 25 – Study Visit for members of the European Law Students Association of the Republic of Moldova (ELSA);
March 26 – Study Visit of students of the Faculty of Law of the State University of Moldova.

The purpose of the actions carried out during the events was focused on raising the awareness of the young generation/university community regarding the field of personal data protection, strengthening knowledge in the field, as well as exploring the applicable legal framework, the rights and obligations of the parties involved and the importance of compliance with various areas. At the same time, the students were informed about the organization and functioning of the NCPDP, the attributions of the NCPDP subdivisions, the structure, the mission, as well as the role of the authority in monitoring compliance with the legislation on personal data protection. The events concluded with a question and answer session documented with practical examples, and the NCPDP aims to continue supporting such efforts to educate and raise awareness among young people about the importance of the field of personal data protection.

II. Control activity

In the period January – March 2025, the NCPDP initiated compliance checks of personal data processing operations in 85 cases. During the reporting period, 64 decisions were issued, of which 23 cases were found to be in violation of the legal provisions, and 40 infringement reports were concluded, which were subsequently submitted to the court for resolution.

III. Findings of the National Center for Personal Data Protection

1. The NCPDP has initiated proceedings, pursuant to art. 20 para. (1) let. a), i) and art. 27 para. (4) of Law no. 133 of 08.07.2011 on personal data protection, in the part relating to the alleged vulnerabilities of the website of a medical analysis laboratory, related to the breach of the security of special categories of personal data.

During the examination of the accumulated material, it was established that third parties, by accessing the “Company Organizational Chart” option and modifying the last 3 digits of the link, could view or even download files containing personal data of the data subjects, namely: name, surname, date, month, year of birth, home address (in some cases) and medical information regarding their health status.

Thus, based on the materials accumulated during the control initiated based on the self-report note, it was confirmed that the medical analysis laboratory did not implement the organizational and technical measures necessary to protect personal data against destruction, modification, blocking, copying, dissemination, as well as against other illicit actions, measures intended to ensure an adequate level of security with regard to the risks presented by the processing and the nature of the processed data.

In this context, it was found that the medical analysis laboratory processed the personal data of data subjects/patients in violation of the requirements set forth in art. 4 para. (1) let. a), art. 29 para. (1) and 30 para. (1) of the Law on Personal Data Protection no. 133 of 08.07.2011.

2. The NCPDP examined a notification from the Central Electoral Commission (CEC), regarding the collection of signatures by a person in support of a candidate for President of the Republic of Moldova.

During the investigation, it was determined that the initiative group, consisting of 100 people, for collecting signatures in support of a candidate nominated by a Political Party, was registered with the CEC, however, the person concerned was not found in the list of members of the initiative group who had the right to collect signatures of the respective candidate’s supporters. The following personal data were collected in the subscription lists: last name, first name, year of birth, signature, series and number of the identity card.

Based on the circumstances described, the NCPDP found that the collection of names, surnames, year of birth, domicile, series, identity card number and signature, as a form of personal data processing, must be carried out within an appropriate legal framework, in compliance with the legal regulations on data protection and with obtaining all necessary authorizations, otherwise, it is likely to infringe the fundamental rights of the data subjects concerned.

Thus, by collecting signatures without being part of a legally constituted initiative group and without obtaining prior authorization from the CEC, the person concerned violated the provisions of art. 4 para. (1) letter a) of Law no. 133/2011 on personal data protection, which regulates the fundamental principles of data processing.

IV. Prevention activity

During the reference period, in order to carry out the advisory tasks, in addition to the multiple answers provided, for advisory purposes, 379 telephone consultations were provided, either via e-mail or at the authority’s headquarters.

V. International and European news

Between February 4-5, 2025, in Brussels, Belgium, the TAIEX workshop on the transposition of the EU Digital Markets Law took place, organized by the General Directorate for Communications Networks, Content and Technology and the General Directorate for Competition, European Commission, in which a representative of the NCPDP participated.

The workshop aimed to familiarize participants with the legal framework of the Digital Markets Act (DMA), a key piece of the European Union’s digital strategy. It regulates large digital platforms, known as “gatekeepers”, setting clear obligations and restrictions to promote a fairer and more responsible digital sector.

The workshop was addressed to the beneficiary countries of the Western Balkans and the Eastern Partnership, including Albania, Bosnia and Herzegovina, Georgia, Kosovo, Moldova, Montenegro, North Macedonia, Serbia, Turkey and Ukraine.

The main objectives of the DMA are to safeguard competition, protect consumers and ensure fair access to digital markets.

For the candidate and neighbouring countries of the EU, it was underlined that alignment with the DMA is essential for integration into the European Union, and the necessary steps for this are still subject to debate and elaboration.

On February 12, the 102nd plenary meeting of the European Data Protection Board (EDPB) took place, which was organized with a physical presence in Brussels and in which the Republic of Moldova participated as an observer.

The EDPB adopted a statement on age assurance and decided to set up a working group on the application of AI. In addition, the Committee also adopted recommendations on the 2027 World Anti-Doping Code of the World Anti-Doping Agency (WADA). When processing personal data for anti-doping purposes, it is essential to respect and protect the personal data of athletes.

The EDPB’s main objective is to assess the compatibility of the WADA Anti-Doping Code and the International Standard for Data Protection (ISDP) with the GDPR. The Anti-Doping Code and Standards should subject National Anti-Doping Organizations (NADOS) subject to a standard equivalent to that of the GDPR when processing personal data for anti-doping purposes.

During the plenary session, the Board also decided to extend the scope of the ChatGPT task force to AI enforcement. In addition, the EDPB members underlined the need to coordinate DPAs’ actions regarding urgent sensitive matters and for that purpose will set up a quick response team.

Between February 20-21, 2025, in Brussels, Belgium, the Regional Workshop on the Implementation of the Second Protocol to the Convention on Cybercrime took place, organized by the joint project of the European Union and the Council of Europe CyberEast+ (Reunion).

The event was dedicated in particular to representatives of the Ministries of Foreign Affairs, Ministries of Justice, Prosecutors General’s Offices, National Police, Ministries of Interior and specialized investigative services/agencies within the Eastern Partnership (Armenia, Azerbaijan, Georgia, Moldova and Ukraine) in the context of discussing instruments for enhanced cooperation and disclosure of electronic evidence within the framework of the Second Additional Protocol to the Convention on Cybercrime (Budapest).

The Second Protocol was presented, implementation strategies were also discussed for Articles 6 and 7 (direct cooperation with service providers), exchange of data and Articles 8, 9 and 10 (cooperation between States, access to electronic evidence), the implementation of Articles 11 and 12 (judicial procedures for access to digital evidence), as well as Articles 13 and 14 (international cooperation and data protection).

Between March 3 and 7, 2025, in Paris, France was organized the Academy “Design and Delivery of Services in the Digital Age”. The aforementioned Academy was organized in close collaboration and synergy between OECD SIGMA and GIZ EAP Regional Fund for Public Administration Reform.

The Academy’s reasoning was that in the design and delivery of services, public administrations should not rely only on their own experience and knowledge, as is currently the case in the Eastern Partnership countries. Thus, users of public services should be involved in expressing their needs and expectations. Where traditional relations with citizen-users were/are bureaucratic and hierarchical, the new relations are to be more pluralistic and user-centred. This requires an approach by public administrations to engage citizens and businesses, with the aim of gaining insight into their perceptions, expectations and commitment through active participation.

The following aspects were discussed within the Academy: the objectives of the academy and the importance of digitizing public services, the principles of modern public administration and digital governance, (at the same time, OECD representatives presented recommendations for user-centered design in service delivery), was analyzed the “Services Publics +” Program implemented by the Interministerial Directorate of Public Transformation, the “Design Thinking” methodology and its impact on innovation in public services were explained, the concept of change management and its importance, aspects related to defining problems and mapping stakeholders.

VI. Other data protection authorities
The French Data Protection Authority (CNIL) imposed the administrative fine of 240 000 euros on KASPR for violation of Article 5 – Principles relating to processing of personal data, Article 6 – Lawfulness of processing, Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject, Article 14 – Information to be provided where personal data have not been obtained from the data subject, Article 15 – Right of access by the data subject.

KASPR markets an extension for the Chrome browser that enables paying customers to obtain the professional contact details of people whose profiles they visit on the LinkedIn social network. To do this, the company builds a database of contact details from LinkedIn and other websites such as domain name registries. The contact details thus collected generally enable the company’s customers to contact the target persons, for example for commercial prospecting, recruitment or identity verification. KASPR’s database contains about 160 million contacts.

The French Supervisory Authority, CNIL received many complaints from people who had been canvassed by entities that obtained their contact details via the KASPR extension.

The CNIL found several breaches of the GDPR:

Failure to comply with the obligation to have a legal basis (Article 6 of the GDPR)
Failure to comply with the obligation to define and respect a data retention period proportionate to the purpose of the processing (Article 5-1-e of the GDPR)
Failure to comply with the obligation to provide transparency and information to individuals (Articles 12 and 14 of the GDPR)

In this context, CNIL imposed a fine of 240,000 euros on KASPR for all these breaches, and ordered the company to: cease collecting the data of persons who chose to limit the visibility of their contact details, and delete the data collected in this way. If it is impossible to distinguish the data whose visibility had been limited, the company will have to inform the persons concerned, within 3 months, of the processing of their data and of the possibility of objecting to it, and to use their data solely for this purpose; stop the automatic renewal of the storage of personal data of target persons; inform the people whose data is collected in a language they understand; respond to requests for access from individuals, providing all available information on the sources of data collection.

The Hamburg Supervisory Authority (SA) has imposed an administrative fine of 900,000 euros on a company in the field of credit collection services for violating Article 5 (Principles relating to the processing of personal data) and Article 6 (Lawfulness of processing) of the GDPR.

The Hamburg Supervisory Authority (SA) had audited companies with a strong market presence in the field of credit collection services as part of a targeted audit. Hamburg is a leading location in Europe in this sector. The data processed about defaulting debtors tends to be particularly sensitive and is regularly shared with other parties such as credit reference agencies and address investigation services. Therefore, the data subjects must be able to trust that their data will be handled responsibly. Regardless of individual complaints, the way in which debtors’ data is stored and processed by the respective service providers was examined. For this purpose, the companies were sent detailed questionnaires, the answers to which provided comprehensive insights into data storage. In addition, the companies were asked to provide meaningful documents such as the directory of processing activities, lists of security measures, and sample letters used.

For the most part, the Hamburg SA was able to determine a high degree of professionalism and sensitivity. During the dialogues, improvements in data storage and transparency towards data subjects were achieved.

However, in the case of one company, the team from the Hamburg DPA found during the on-site inspection that data records had continued to be stored without a legal basis, even though the deletion deadlines had long since expired, thus violating art. 5.1 letter (a) and 6 paragraph (1) of the GDPR.

Even though the originally processed data records were not passed on to third parties during this period, some of them had still not been deleted from the company’s database five years after the legal retention period had expired.

In this context, the Hamburg-based SA imposed an administrative fine of 900,000 euros. The decision is legally binding. The company admitted the violation and accepted the fine. It cooperated professionally with the supervisory authority in the follow-up, which is why the fine is comparatively low.

The Polish Data Protection Authority (SA) has imposed an administrative fine of EUR 330,000 on a medical company for violating Article 5 (Principles relating to the processing of personal data), Article 24 (Controller’s liability) and Article 32 (Security of processing) of the GDPR.

The IT infrastructure of the Company American Heart of Poland S.A. was attacked by hackers, who thus gained access to the detailed personal data of approximately 21 000 individuals. The incident covered a wide range of data, i.e.: surname, first name, parents’ first names, mother’s family name, date of birth, data on earnings or assets held, health data, bank account number, residence or stay address, personal identification number (PESEL number), username or password, ID card series and number, telephone number and email address.

The Polish Data Protection Authority, in the course of its activities, established that:

the company had not implemented all the necessary measures to protect the data it was processing, and was unable to determine the cause of the leakage;
the company did not comply with its own data security recommendations, i.e. it stored customers’ COVID test result information on network drives, whereas medical data should be stored on a dedicated system for processing health data;
the cloud platform used by the company was too poorly secured. Three servers running at the company’s headquarters did not have up-to-date technical support from the manufacturer (support ended in January 2020). The software on the company’s servers had not been updated through an oversight by IT staff, so a vulnerability was created in the IT system that could have contributed to hackers taking over the devices:
the company inadequately protected itself against ‘phishing’ attacks, which involve the person attacking the system impersonating another entity (person). According to the findings of the President of the Personal Data Protection Office, in all likelihood, this is how hackers got into the IT system.
The Finnish Data Protection Authority (SA) imposed an administrative fine of 950,000 euros on Sambla Group for violation of Article 5 – Principles relating to processing of personal data, Article 25 – Data protection by design and by default and Article 32 – Security of processing of the GDPR.

The Finnish SA launched an investigation based on a complaint filed by a customer. A technical investigation revealed serious data security issues with the controller’s loan comparison services. When the seriousness of the data security problems became apparent in spring of 2024, the company was ordered to immediately cease processing personal data relating to loan applicants in its e-services.

Sambla Group’s loan comparison services did not impose adequate restrictions to prevent third parties from accessing loan application data, thus violating the provisions of Art. 32, Art. 25 and Art. 5(1)(f) of the GDPR. Due to poor data security measures, the content of customer’ loan applications was accessible to third parties through personal customer URLs. Anyone with access to the URL and sufficient technical knowledge to exploit the security vulnerability had direct access to the data. The technical investigation revealed that the URLs had been targeted wit phishing and personal data had been disclosed to third parties. The information available through the links included at least the loan applicant’s contact details, as well as information on their income, housing costs, marital status and possible children.

In this context, the Finnish SA has imposed an administrative fine of €950 000 on the controller, being ordered to notify its customers of the incident. The controller has announced that it has stopped using the vulnerable URLs and has improved data security measures of its services.

Newsletter No. 20

553 Views

1. Information and training activities carried out by the NCPDP

During the fourth quarter of 2024 (October-December), the National Center for Personal Data Protection (NCPDP) continued to make progress in the area of information and awareness-raising activities for the general public in the field of personal data protection.

During the reporting period, continued the organization of training courses for the subdivisions of the General Inspectorate of Border Police (GIBP), in accordance with the training plan approved and signed by the heads of the NCPDP and GIBP on February 21, 2024. Thus, training courses were organized for employees of the Border Police Sector (BPS) in the context of the development / implementation by the GIBP of the “Concept on the functional and decision-making autonomy of the Border Police patrol in the activity of surveillance of the state border”. The aim was to increase the awareness of the BPS employees who supervise the border for the purpose of combating illegal migration, trafficking in human beings and cross-border crime, on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field of the activity they perform. Thus, training courses were organized for the following subdivisions:

October 02 – Border Police Sector Tudora – 1 of East Regional Directorate;
October 09 – Border Police Sector Valea – Perjei of the South Regional Directorate.

In this context, around 240 representatives from the GIBP subdivisions were trained.

On July 08, 2024, was approved and signed by the heads of the NCPDP and the National Office of Social Insurance (NOSI), the Training Plan in the field of personal data protection for employees of the structural subdivisions of NOSI. The aim of the training courses was to increase the NOSI employees’ awareness of the principles of personal data protection, as well as to familiarize them with the personal data confidentiality and security regime in accordance with the provisions of the legislation in force. During the events, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; principles and legal grounds for the processing of personal data; issues related to the appointment of the Data Protection Officer (DPO); aspects related to the Data Protection Impact Assessment; ensuring the security and confidentiality of personal data by NOSI employees, etc.

In this context, on October 1st, two training courses were organized for the Territorial Office of Social Insurance, South region, being trained 131 representatives.

During this period, the NCPDP showed openness and spirit of cooperation, organizing multiple training courses for representatives of public institutions, at their request. The training courses were aimed at familiarizing public officials with the aspects related to the field of personal data protection in the public service, the regulation of processing procedures, as well as with the confidentiality and security regime of personal data in accordance with the legislation in force. During the events important topics were discussed, such as: Definition of general concepts related to the field of personal data protection; principles and legal grounds for processing personal data; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO), as well as his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA), as well as the steps of conducting a DPIA, etc. Thus, training courses were organized for the following institutions:

October 08 – Parliament Secretariat;
October 10 – Association of Internal Auditors;
October 15 – National Employment Agency;
October 17 – National Anti-Corruption Center;
October 18 – Customs Service;
October 24 – State Financial Control Inspectorate;
October 25 – Territorial General Directorate “North” of the National Anti-Corruption Center;
October 28 – General Directorate for Education, Youth and Sport of the Chisinau Municipal Council;
October 30 – General Directorate of Education, Youth and Sport, directors of early education institutions in the Chisinau municipality;
November 05 – General Directorate of Medical and Social Assistance;
November 06 – General Directorate of Education, Youth and Sport, directors of educational institutions in Chisinau municipality;
November 11 – State Tax Service;
November 12 – General Territorial Directorate “South” of the National Anticorruption Center;
November 13 – General Directorate for the Protection of Children’s Rights;
November 22 – General Inspectorate for Migration;
December 11 – Supreme Court of Justice.

In this context, about 1520 representatives of public institutions were trained.

In this regard, the information and awareness-raising campaign for the school community was continued under the title: “Personal data protection and child safety in the online environment“. The aim of the campaign was to provide the school community with high visibility on personal data protection and child safety online at local and national level by promoting empowerment and best practices for intervention and support. The topics covered in the trainings were: general notions on personal data; the correct use of photos/video online; risks and threats online; communication on social networks, etc. Thus, several trainings were organized:

October 04 – PITL “Constantin Negruzzi”, Chisinau;
November 12 – PITL “Mihai Eminescu”, Cahul;
December 03 – PITL “George Coșbuc”, Balti;
December 03 – PITL “Lucian Blaga”, Balti.

The events took place in the framework of the Personal Development class, the target audience being 4th grade students. In this context, 350 students were trained.

II. Control activity

In the period October – December 2024, the NCPDP initiated compliance checks of personal data processing operations in 63 cases. During the reporting period, 89 decisions were issued, of which 40 cases were found to be in violation of the legal provisions, and 35 infringement reports were concluded, which were subsequently submitted to the court for resolution.

III. Findings of the National Center for Personal Data Protection

1. The NCPDP examined the complaint of a data subject who alleged unauthorized and excessive processing of his personal data by an employee of a public authority, without any legal basis.

In the course of the investigation it was determined that the employee of the authority processed the personal data belonging to the petitioner through the governmental portal www.date.gov.md, generating the personal data of her first-degree relatives in a complementary/supplementary manner, in the order in which, in the report generated by the portal, personal data on the petitioner’s mother, husband and son are included, which, being printed, was attached to the material of the infringement proceedings initiated against the data subject.

Thus, it has been determined that the authority’s inspecting officer, in order to establish the identity and domicile of the person against whom the contravention case was initiated, accessed the personal data concerning the petitioner, and only those personal data that are necessary for the preparation of the contravention report were consulted, in strict compliance with art. 443 para. (1). p. c) Contravention Code.

In this context, it should be noted that, even if the extract/personal file, automatically generated by the government portal www.date.gov.md, includes the personal data of the relatives of the person to whom the administrative offence proceedings were initiated, the authority’s investigating officer was to take measures to depersonalize such data, if the file was to be attached to the administrative offence file, if it was not technically possible to separate them from the personal data subject in the system, which was necessary for the proper conduct of the administrative offence proceedings.

In this case, it is found that the employee of the authority has excessively processed personal data, in the circumstances in which the processing operation, manifested by printing and attaching the extract generated from the portal www.date.gov.md, to the contravention file, of the categories of personal data relating to the mother, husband and child of the petitioner, have no bearing on the case under examination and it was not necessary to attach them to the case materials, not having established the existence of a legal basis, a specific, explicit and legitimate purpose and the causal link between the purpose and the identifiers of the data subject, being found the violation by the employee of the Authority of the provisions of Art. 4 para. (1) p. a), c) and art. 5 of Law no. 133/2011 on personal data protection, which determined the existence of the constitutive elements of the offense provided for in Article 741 paragraph (1) of the Contravention Code (failure to comply with the basic conditions for the processing, storage and use of personal data).

2. The NCPDP has examined the complaint of a data subject, in which he alleged that the director of the kindergarten in which he was working had improperly processed his personal data – name, surname, health data – by disseminating/publishing the Decision of the Equality Council on the social network “Facebook“, without ensuring the confidentiality of these data.

In the course of the investigation, the director of the kindergarten acknowledged the fact of publication/dissemination of the Decision of the Equality Council, without depersonalization of personal data, on the user profile created and managed by her on the social network Facebook, for the purposes of transparency and to prevent discrimination against her personality, on the grounds that, when she was hired by the Pre-School Education Institution, the petitioner signed the agreement on the processing of personal data of employees.

According to Article 3 of the Law on personal data protection, any operation performed on personal data by automated or non-automated means, such as the collection, use, disclosure/dissemination, erasure of personal data, corresponding to the case under examination – name, surname, data concerning health status leading to the direct or indirect identification of the data subject, constitutes a form of processing of personal data. In terms of compliance with the basic conditions for processing personal data, the legislator has laid down in Article 4 para. (1) p. a) that personal data subject to processing must be processed fairly and in accordance with the provisions of the law. According to Art. 5 para. (1) of the aforementioned Law, the processing of personal data shall be carried out with the consent of the personal data subject.

Thus, it was determined that, although the director of the kindergarten, would have a legal basis for processing the personal data of employees, in the employment relationship, the processing of personal data concerning the petitioner, manifested by disseminating / publishing on the social network “Facebook” the Decision of the Council for Equality, which contains information such as name, surname, data on health cannot take place, and cannot be justified by the existence of the agreement on the processing of her personal data signed at the time of her employment, whereas, by this agreement, the data subject has expressed his consent to the processing of personal data by the employer for the purpose of keeping records of the employees and the fulfillment of the legal obligations arising from the employment relationship.

For these reasons, the NCPDP found that the controller processed the personal data – name, surname, health data of the complainant without a legal basis, not ensuring the confidentiality of the processed data, actions that contravene the provisions of art. 4 para. (1) p. (1) and art. (1) of the Law on personal data protection.

Subsequently, given the fact that the NCPDP has not identified the existence of a legal basis for the dissemination of personal data, pursuant to the provisions of Article 20 para. (2) of the above-mentioned normative law, it was ordered to delete the photo image of the Equality Council Decision containing the personal data of the data subject, published on the social network “Facebook“, or to depersonalize the personal data, so that the details of personal or material circumstances no longer allow their attribution to an identified or identifiable natural person or to allow attribution only in the conditions of an investigation requiring disproportionate expenditure of time, means and manpower.

IV. Supervisory activity

During the reporting period, the NCPDP issued some clarifications and recommendations for both data subjects and personal data controllers:

Warning! Personal data fraud

NCPDP repeatedly recommends maximum vigilance when transmitting personal data

In the context of the issues recently deplored including to the National Center for Personal Data Protection (NCPDP), regarding the collection of personal data recorded in identity cards, by the exponents of a political party, for the purpose of registration on the platform “PSB” to benefit from financial resources from banking institutions in the Russian Federation, as this essentially amounted to the identification of the existence of credits in the name of the data subjects to be repaid by the latter, the NCPDP repeatedly warns the data subjects and makes the following clarifications and recommendations to them:

The NCPDP has repeatedly urged data subjects to exercise the utmost caution when disclosing/transmitting personal data concerning them, because, identity documents (such as identity cards, passports), contain a multitude of personal data, which require effective protection by the holder/owner.

We reiterate that, if you are asked to present your identity documents and/or to provide copies of these documents, under different pretexts, you must trust the lawfulness of the collection of personal data and the subsequent use of these data. Contrary, the provision/transmission of the personal data on these documents by the data subject for purposes other than those expressly provided for by law may result in their unlawful use for purposes contrary to those originally intended, in the detriment of the data subject. Similarly, the data subject could lose control over his or her personal data.

The cases referred to the NCPDP clearly demonstrate that the submission of copies of their identity cards by data subjects for the alleged benefit of certain money has led to the opening of loans in their name at banking institutions in the Russian Federation, which are now claiming the repayment of the accumulated loan debts (for example, by the “Promsvyazbank” (PSB Bank) of the Russian Federation.

The NCPDP points out that, under the conditions of voluntary provision/transmission of personal data, the collection of such personal data is based on the consent of the personal data subject (Art. 5 para. (1) of Law 133/2011), even if the subsequent use of such data proves to be for other purposes/to the detriment of the data subject concerned.

The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of each citizen to ensure the protection of personal data, therefor the security and confidentiality of such data must be a priority.

In attention personal data controllers!

The NCPDP, informs that, in accordance with the provisions of item 2.1 of the Government Decision no. 678/2024 on amending and repealing some Government Decisions (facilitating the activity of the business environment VI), which entered into force on November 15, 2024, the Government Decision no. 1123/2010 on the approval of the Requirements for ensuring the security of personal data when processing personal data within the framework of personal data information systems (Requirements) was repealed.

We emphasize that the repeal of the mentioned Requirements does not exclude the obligation of controllers, as well as their processors (if applicable), provided for in Articles 29 and 30 of Law no. 133/2011, to implement the necessary organizational and technical measures to protect personal data against destruction, alteration, blocking, blocking, copying, dissemination, and other unlawful actions, measures designed to ensure an adequate level of security in relation to the risks presented by the processing and the nature of the data processed, including ensuring their confidentiality.

In this context, we recommend that you consult the Guidelines on security measures for the protection and processing of personal data in information systems, which are published on the official website of the National Authority for Personal Data Protection in the chapter Recommendations of the NCPDP (https://datepersonale.md/data-controllers/ncpdp-guidelines/).

At the same time, we communicate that the obligation of personal data controllers to submit annually, by January 31, to the NCPDP generalized reports on security incidents of the personal data information systems managed by them, has been excluded by default.

For any further information, please contact the Prevention, Surveillance and Evidence Department of the General Surveillance and Conformity Department of the NCPDP, at the contact telephone number 022-811-801/811-802.

At the same time, in order to provide methodological and consultative support to personal data controllers and/or processors, more than 35 telephone consultations and 6 replies by e-mail were provided, with recommendations being proposed to eliminate discrepancies identified by personal data controllers.

V. International and European news

The 97th plenary meeting of the European Data Protection Board (EDPB) took place on 7-8 October 2024 with physical attendance. The representative of the NCPDP participated as usual as an observer.

At the meeting, the EDPB adopted a number of important documents, including:

Opinion on certain obligations following from the reliance on processors and sub-processor;
Guidelines on processing of personal data on the basis of legitimate interest;
Statement on the issuance of additional procedural rules for the enforcement of the GDPR.

The EDPB also adopted its work program for 2024-2025. This is the first of two work programs that will implement the EDPB’s strategy for 2024-2027 adopted in April 2024. The document is based on the priorities set out in the EDPB strategy and also takes into account the needs identified as most important for stakeholders.

On October 15-17, 2024, the delegation of the Republic of Moldova was in Brussels to present the progress of preparations for the adoption and implementation of the EU communautaire acquis in the framework of the bilateral screening on Chapter 23 “Justice and Fundamental Rights”, coordinated by the Ministry of Justice. In three days, around 25 professionals from various key legal institutions gave 26 presentations.

Specialists from the Ministry of Justice, the Anti-Corruption Prosecutor’s Office, the National Anti-Corruption Center, the National Penitentiary Administration, the Central Electoral Commission, the Ministry of Labor and Social Protection, the Audiovisual Council, the Agency for Geodesy, Cartography and Cadastre, and the Agency for Interethnic Relations explained to the European Commission the level of transposition of the communautaire acquis and answered to clarifying questions. At the same time, the representatives of the institutions informed about the planned actions for further harmonization of national legislation with EU legislation.

On 30 – 31 October 2024, the representatives of the NCPDP participated in a study visit to the Latvian State Data Inspectorate (Inspectorate), an event organized within the project entitled “Strengthening personal data protection in the Republic of Moldova. Phase I”.

The purpose of the study visit consisted in taking over the best legal and operational practices by the NCPDP representatives regarding the certification of Data Protection Officers (DPO), Data Protection Impact Assessment (DPIA), as well as in strengthening data protection mechanisms by aligning them with European standards and practices.

During the two days, important topics were discussed, such as:

Data Protection Officer certification: the purpose of DPO certification, who issues DPO certifications, who can apply for a DPO certification, what is the feedback from different stakeholders on these DPO certifications, etc.
Presentation of the DPO certification scheme: conception, development and introduction of DPO certification: experiences, failures, successes and lessons learned;
Privacy Impact Assessment in Latvia: how a DPIA is performed, who is obliged to perform a DPIA, the necessity of performing a DPIA, training of other persons such as employees of public authorities on issues related to the privacy of personal data, etc.

On November 4-6, 2024 in Strasbourg, France, took place the 47th plenary meeting of the Consultative Committee of Convention 108.

The main topics were focused on the current status of signatures and ratifications of the Protocol amending Convention 108 (CETS No. 223, referred to as Convention 108+), at the moment: 46 states have signed, of which 31 states have ratified it.

The Committee strongly encouraged all States Parties to sign and ratify Convention 108+ as soon as possible. A minimum of 38 ratifications is required for Convention 108+ to enter into force. Convention 108+ remains the only legally binding international instrument that protects personal data and the right to privacy, aiming to ensure adequate protection for all individuals in an ever-expanding digital age. The Committee organized a presentation on the current status of the signature and ratification process in the States Parties, took note of the information provided by the Committee members.

The Committee discussed the status of implementation of the 2022 – 2025 work program and decided to start working on privacy and data protection considerations in machine learning and large language models (LLMs) as the next topic.

The Committee organized elections for the Bureau. The composition of the new Bureau is as follows:

President: Beatriz de Anchorena (Argentina)
First Vice-President: Caroline Gloor Scheidegger (Switzerland)
Second Vice-President: Anamarija Mladinic (Croatia)

Bureau members:

Alessandra Pierucci (Italy)
Virpi Koivu (Finland)
Gonzalo Sosa Barreto (Uruguay)
Ousmane Thiongane (Senegal)

On November 29, 2024, the seminar “Artificial intelligence and data protection: complementarity and integrated approach” took place at the Council of Europe headquarters in Strasbourg. The event brought together international experts and representatives of Member States to analyze the interaction between data protection and the development of artificial intelligence (AI).

The seminar emphasized the complementarity between AI regulation and data protection, the need for human control in the use of the technologies and the importance of an integrated approach in regulation. It also discussed the risks of AI on fundamental rights and methods to assess the impact of these technologies.

It was concluded that: international collaboration and flexibility of regulations are essential to ensure a robust legal framework that supports technological innovation while respecting fundamental rights and democratic principles.

The seminar was organized with the support of the Committee for Artificial Intelligence (CAI) and the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD), in collaboration with the University of Strasbourg.

The 99th plenary meeting of the European Data Protection Board took place in Brussels on December 2-3, 2024, an essential event for strengthening data protection regulations in Europe. The Republic of Moldova had the honor to participate as an observer, contributing to the discussions and decisions that will shape the future of this field.

On the agenda of the meeting were topics such as the approval of national certification criteria, the launch of the European Data Protection Seal and the publication of Guidelines on data transfers to third countries. These initiatives not only strengthen the European legislative framework but also promote transparency and trust in the way personal data is handled.

Also, there were addressed the challenges of emerging technologies such as artificial intelligence and the importance of the protection of minors in the digital environment, by the nomination of an EDPB representative to Working Party 6.

The decisions taken at this meeting represent significant steps towards a safer digital future, adapted to new technological challenges and ensuring that citizens’ fundamental rights are respected.

The European Case Handling Workshop (ECHW 2024) took place on 5-6 December 2024 in Tallinn, Estonia, and it was organized by the Estonian Data Protection Inspectorate. The main goal of the workshop was to share national experiences and good practices, as well as to get results following a specific case or investigation in the field of violations of the right to the protection of personal data and privacy.

The workshop represented a participatory dialogue between personal data protection authorities on the challenges they face and the solutions they apply in their daily practice.

The topics proposed to the participants for the exchange of experiences included the most important challenges in the field of personal data protection, such as video surveillance, the relationship between data controllers and processors, new IT security technologies in the processing of personal data, social networks, etc.

VI. Other data protection authorities

The French Data Protection Authority (CNIL) has imposed an administrative fine on COSMOSPACE – €250 000 and on TELEMAQUE – €150 000, for violation of Article 5 Principles relating to processing of personal data and Article 9 Processing of special categories of personal data of the GDPR.

COSMOSPACE and TELEMAQUE provide remote clairvoyance services, one by telephone and the other by online chat and text messages. Inspections carried out by the CNIL in 2021 revealed several breaches, including the collection of sensitive data without prior explicit consent (in particular health data and data relating to sexual orientation), the retention of data for an excessive period, the sending of commercial prospection communications to people who had not given their consent and, in the case of COSMOSPACE, systematic recording of telephone calls.

In this context, CNIL imposed a fine of €250,000 on COSMOSPACE and a fine of €150,000 on TELEMAQUE. These fines were adopted in cooperation with about fifteen European counterparts of the CNIL in both cases. The amounts of these fines were decided on the basis of the seriousness of the breaches, the number of people concerned – the database shared by the two companies containing the data of more than 1.5 million people – and the sensitivity of the data processed. The financial situations of the companies and their structures were also taken into account, in order to set dissuasive but proportionate fines.

The Finnish Data Protection Authority (SA) imposed an administrative fine of 2,4 million euro on Posti for violation of Article 6 (Lawfulness of processing), Article 13 (Information to be provided where personal data are collected from the data subject), Article 5 (Principles relating to processing of personal data) and Article 25 (Data protection by design and by default) of the GDPR.

The Finnish Supervisory Authority (SA) investigated the processing of personal data of Posti related to the creation of an electronic mailbox. The Finnish SA had received complaints about the forwarding of letters to Posti‘s online service without the customer’s consent. The controller had automatically created an electronic mailbox for customers without a separate request. The electronic mailbox had been linked to a wider set of services. The investigation showed that the customer could not choose whether to use it or not, as the different services were linked together in a single contract.

Following the investigation, the Finnish SA found out that the service requested by the customer could have been provided without the automatic creation of an electronic mailbox. Also, the controller did not inform its customers clearly about the activation of the electronic mailbox. There were also technical settings in the service that did not meet data protection requirements. These included an automatically activated selector function and a pre-ticked checkbox.

In this context, the Finnish SA imposed an administrative fine of €2,4 million on the controller for unlawful processing of personal data. At the same time, the controller was reprimanded for the shortcomings in informing the customers and was ordered to correct its unlawful practices and to take into account that electronic services must be built from the outset so that only necessary personal data is processed.

Ireland’s Data Protection Authority (DPA) has fined Meta Platforms Ireland Limited (Meta) €251 million following two investigations into a security breach that affected the personal data of 29 million users globally.

The incident, reported by Meta in September 2018, involved unauthorized access to a number of categories of personal data, such as: a user’s full name; email address; phone number; location; work; date of birth; religion; gender; timeline posts; groups a user belonged to; and children’s personal data. About three million of the affected users were from the European Union and the European Economic Area. The breach was caused by the exploitation of user tokens on the Facebook platform by unauthorized third parties. Although the breach was quickly remedied by Meta and its US parent company shortly after its discovery, the Irish DPA found that the tech giant had violated the General Data Protection Regulation (GDPR) by:

Failure to document the facts and measures taken to remedy them – Articles 33 (3) and 33 (5);
Failing to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed – Articles 25(1) and 25(2).

In this context, the Irish DPA imposed a fine of 251 million euro on Meta. The amount underlines the European Union’s focus on holding large technology companies accountable, with the Irish Authority being the main regulator responsible for holding them to account. The company has announced it will appeal the decision.

Newsletter No 17

657 Views

I. Information and training activities carried out by the NCPDP

In the first quarter of 2024 (January – March), the National Centre for Personal Data Protection (NCPDP) continued to make progress in the area of information and awareness-raising activities in the field of personal data protection.

During the reporting period, the training courses for the subdivisions of the General Inspectorate of Police (GPI), initiated in 2023, has been continued to be organized, according to the training plan approved and signed by the heads of the NCPDP and GPI on 26 January 2024.

Their purpose was to increase the perception of GPI subdivision employees on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in this field and in the activity they carry out. During the events important topics were addressed, such as: definition of general notions related to the field of personal data protection; the legal way of processing personal data in the activity carried out by the employees of the GPI’s subdivisions; the requirements of personal data protection in the exercise of their duties; the obligations of the police body as a data controller in relation to the data subject; the correct procedure of accessing personal data through the state informational systems, as well as keeping correct records of the audit of such accesses; ensuring the security and confidentiality of personal data processed etc.

Thus, training courses were organised for the following subdivisions:

30 January – National Public Security Inspectorate of the GPI (Operational Coordination Directorate, Patrol Police Directorate, Public Order Directorate etc.);
02 February – National Public Security Inspectorate of the GPI (Special Missions Escort Section, Patrol Section “Chisinau” of the Patrol Directorate “Centre” etc.);
26 February – Northern Patrol Directorate of National Public Security Inspectorate;
26 February – Directorate of National Investigation Inspectorate „North”.

In this context, about 200 representatives from the GPI subdivisions were trained.

At the same time, the information and awareness-raising campaign for school communities continued during the reporting period with the title: “Personal data protection and children’s safety online”. The aim of the campaign was to provide the school community with high visibility on data protection and child safety online at local and national level by promoting empowerment and best practices for intervention and support. The topics covered in the training included: general notions on personal data; correct use of pictures/video online; risks and threats online; communication on social networks etc. The training course was organised on 25 January for the Public Institution „Theoretical Lyceum „Spiru Haret”, Chisinau. The event took place within the Personal Development class, the target audience being the pupils of the 5th “B”class. In this context, 36 pupils were trained.

On 21 February 2024, the training plan in the field of personal data protection for Border Police staff was approved and signed by the heads of the NCPDP and the General Inspectorate of the Border Police (GIBP) for organizing several training courses. The purpose of these was to increase the awareness of the employees of the GIBP’s subdivisions on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field and in the activity they carry out. Thus, training courses were organised for the following subdivisions:

06 March – GIBP Northern Regional Directorate (2 training courses);
13 March – GIBP Southern Regional Directorate (2 training courses);
20 March – GIBP Eastern Regional Directorate (2 training courses);
27 March – GIBP West Regional Directorate (2 training courses).

In this context, about 250 representatives from GIBP subdivisions were trained.

During the reporting period, the NCPDP has shown openness and a spirit of cooperation, organising multiple training courses for representatives of public institutions at their request. The training courses aimed at familiarising public officials with the aspects of personal data protection in the public service, the regulation of processing procedures, as well as the personal data confidentiality and security regime in accordance with the legislation in force.

During the events important topics were discussed, such as: definition of general notions related to the field of personal data protection; principles and legal grounds for processing personal data; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO) and his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA) and the steps to carry out a DPIA etc. Thus, training courses were organised for the following institutions:

07 February – Chisinau City Hall;
08 February – National Financial Market Commission;
23 February – Ministry of Health;
15 March – Râșcani District Court;
21 March – Chisinau Court;
22 March – Agency for Intervention and Payments for Agriculture;
26 March – Ministry of Economic Development and Digitalisation;

In this context, about 285 representatives of public institutions were trained.

II. Control activity

From January to March 2024, the NCPDP started the verification of compliance on personal data processing operations in 87 cases. During the reporting period, 96 decisions were issued, of which 34 cases were found to be in violation of the legal provisions, and 38 infringement notices were issued, which were subsequently handed over to the court for resolution.

III. Findings of the National Centre for Personal Data Protection

I. The NCPDP has examined the complaint of a data subject – the director of a technical educational institution concerning the alleged non-compliant processing of personal data of 96 employees of the institution by a former employee.

During the investigation, from the materials gathered, the NCPDP deduced that the latter, having access to the school’s archives during his period of activity, collected and disclosed information containing personal data of the institution’s employees such as: name, surname, position and salary to the Ministry of Education and Research in the form of a complaint regarding certain abuses committed by the administration of the institution during the period when he was employed, and the documents attached to the complaint served as evidentiary material to prove the allegations made by the latter.

The following is referred to the provisions of Art. 69 para. (2) of the Administrative Code, which stipulates that, in case of a petition, the public authority is obliged to initiate an administrative procedure.

In this context, the NCPDP points out that the disclosure of information containing personal data may not contravene the principles of protection of personal data, as long as it is necessary for the fulfilment of a legitimate interest of the individual towards the competent bodies, for the purpose of proving certain facts in order to defend his rights and interests or those of society as a whole, in the case which is under examination, the processing of personal data was relevant to the purpose for which they were disclosed, in the circumstances in which the situation complained of by the controller to the Ministry of Education and Research also concerned employees whose personal data were recorded in the documents annexed to the complaint.

In the circumstances set out above, it should be noted that, in the light of Art. 5(5)(b) of the Law 133/2011, the consent of the personal data subject is not required where the processing is necessary for the purposes of complying with a legitimate interest of the controller or of the third party to whom the personal data are disclosed, provided that this interest does not adversely affect the interests or fundamental rights and freedoms of the personal data subject.

Thus, the NCPDP found that the processing of personal data of the persons reflected in the lists submitted by the former employee to the Ministry of Education and Research was not in contradiction with the principles of protection of personal data, or such processing of personal data was based on a legitimate interest, which is provided for in Art. 5 para. (5) (e) of Law 133/2011.

II. The NCPDP received a complaint from an individual concerning the verification of the lawfulness of the processing of personal data by means of a video surveillance system that was installed in the staircase of a residential block as well as on the outside wall of the block by her neighbour.

In the case in question, the NCPDP found that the video surveillance system processes the personal data (image) of data subjects registered at the address of the apartment block and of visitors, since the angle of capture of the surveillance cameras monitors/records video of the space that is the common part of the block (the entrance to the block, the staircase of the block, the common courtyard and the public road) which is crossed daily by a large number of individuals (the tenants of other entrances), thereby infringing their fundamental rights and freedoms in excess of the declared purpose.

Thus, the NCPDP has found that if the video surveillance carried out by means of the video surveillance camera managed by the controller extends to the common space or public space and, consequently, is directed outside the private zone of the person processing personal data by these means, it cannot be considered as an activity exclusively “for personal or family needs”.

However, even if there is the consent/agreement of the tenants at the staircase to process personal data by means of the video surveillance system, it is noted that in the case of apartment blocks, a video surveillance system could only be installed by the Condominium Owners’ Association at the entrance/exit to/from the apartment blocks, on the external perimeter of the building, as well as in the spaces adjacent to them (parking spaces, access roads etc.).

Based on the provisions of Art. 34(3)(f) of the Condominium Act and Art. 546(1) and 546(2) of the Civil Code, if video surveillance takes place on a common area of the condominium, then only the Condominium Owners’ Association would have a legal basis to process personal data for this purpose.

Furthermore, it was determined that the video surveillance camera had an audio recording function.

Thus, it has been emphasised that, before installing video surveillance cameras with audio recording, the operator must always critically examine whether this measure is, firstly, appropriate to achieve the desired objective and, secondly, proportionate and necessary for its purposes, in relation to the fundamental rights and freedoms of the data subjects. However, during data processing, not only the private conversations of family members and data subjects, but also of third persons who come within the range of the video/audio recording devices are recorded and stored, thus breaching the principle of inviolability of privacy, enshrined in Art. 28 of the Constitution of the Republic of Moldova, according to which the State respects and protects the intimacy, as well as family and private life.

Therefore, the collection/recording of the image and voice of the personal data subjects by means of the video surveillance cameras in question constitutes an excessive and disproportionate measure in relation to the stated purpose.

In this regard, it was determined that the collection of the category of personal data, such as image and voice, by means of the video surveillance system complained of, was contrary to the provisions of Article 4(4) of the Personal Data Protection Act, and the processing of personal data through the video surveillance system complained of was ordered to cease.

III. The NCPDP examined the complaint of a personal data subject concerning the alleged non-compliant personal data processing operations carried out by an educational institution, manifested by the publication of an audio recording of him and his minor child on the institution’s social network “Facebook”, invoking the right of reply, followed by a media conflict.

In this context, the decision found that the processing of personal data concerning the data subject was carried out in breach of the provisions of Art. 4 para. (1) lit. a), b), c) and art. 5 of Law no. 133/2011 on the personal data protection, emphasizing that no legal basis was identified for the publication of personal data on the “Facebook” page, which is open to the general public, as well as the invocation of the right to reply is not relevant, however, the NCPDP did not question and did not deny the right of the controller to reply or to deny false reports, but all these actions were to be carried out in compliance with all the principles of personal data processing established by Law no. 133/2011. Moreover, given that the case involved a minor, the NCPDP held that the purpose invoked could be achieved through the use of harmless and less intrusive means in the minor’s private life.

IV. The NCPDP examined the complaint of a Public Association with a request for a verification of the lawfulness of the personal data processing by a public person, manifested by the publication of a video sequence on the channel ”Youtube”, which contains the personal data of a minor.

During the investigation it was determined that the image of the minor was clear and led to her identification, and several personal details of the minor were communicated, such as her name and surname, address, date and year of birth, age, sex, state of health etc.

Based on the circumstances described, the NCPDP found that the online placement of information containing the minor’s personal data was excessive and unfounded and took place contrary to the legal provisions set out in Articles 4, 5 and 29 of Law No. 133/2011 on the personal data protection.

However, the public person, as data controller, had to ensure the personal data confidentiality, the blurring of the facial image and the non-disclosure in the public domain of information leading to the identification of the minor.

IV. Supervisory activity

In order to provide methodological and advisory support to personal data controllers and/or processors, more than 30 telephone consultations and 10 responses via e-mail were provided and recommendations were proposed to resolve discrepancies identified by the data controller.

V. International and European news

On 26 January 2024, the NCPDP, in collaboration with TAIEX project experts, organised the national conference “Raising Awareness of Convention 108+“.

The aim of the conference is to raise awareness of both public institutions and the private sector about Convention 108 + as a viable tool to facilitate international data transfers, thus ensuring an adequate level of protection for data subjects globally.

The conference was moderated by data protection experts from Italy, Slovenia and Spain. Among the topics addressed by the experts were:

The impact of Convention 108+ on adequacy decisions and data transfers, with a focus on compliance with the EU acquis;
Convention 108+ as a viable tool to facilitate international data transfers while ensuring an adequate level of protection for individuals worldwide;
Convention 108+ as a bridge between legal regimes and countries;
The ratification process of Convention 108+
Lessons learned and advice from ratifying countries;
Convention 108+: Evaluation and Review Mechanism etc.

The event was attended by about 100 representatives from both public institutions and the private sector.

The event was organised and funded by the European Commission Technical Assistance and Information Exchange Instrument (TAIEX).

On 13-14 February, the representative of the NCPDP attended the 90th plenary meeting of the European Data Protection Board (EDPB), which was organised with physical attendance. During the meeting, there were discussed, analysed and adopted some important documents for the EDPB’s activity, which will be submitted as recommendations to the Data Protection Authorities later.

One of the working aspects of the plenary focused on the adoption of the Opinion on the notion of main establishment and on the criteria for the application of the One-Stop-Shop mechanism, following an Art. 64 (2) GDPR request by the French Data Protection Authority (DPA). It was specified that the EDPB considers that the One Stop Shop mechanism can only apply if there is evidence that one of the establishments of the controller in the Union takes decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. Therefore, where decisions on purposes, means and the power to implement those decisions are exercised outside the Union, there should be no principal place of business under Article 4(16)(a) of the GDPR and the one-stop shop mechanism should not apply.

The plenary session made clear how the Supervisory Authorities should apply Article 4(4) (16)(a) of the GDPR in practice in order to ensure its consistent application. Especially it was reiterated that the burden of proof as to where the relevant processing decisions are taken and where the power to implement such decisions exists in the Union ultimately lies with controllers and that they have an obligation to cooperate with supervisory authorities.

The next issue discussed at the EDPB plenary session was the adoption of the Statement on the legislative developments regarding the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. The Statement follows the EDPB-EDPS Joint Opinion on the European Commission’s Proposal for a Regulation and focuses on the latest legislative developments, in particular the position of the European Parliament of November 2023.

During the plenary, the EDPB also discussed the scope of the guidance related to the “Consent or Pay” model. In addition to the upcoming Art. 64 (2) Opinion, which will address the Consent or Pay model in the context of large online platforms, it was agreed that there is a need to consecutively develop Guidelines with a broader scope.

On 11-13 March 2024, representatives of the NCPDP participated in the “Learning and Networking Week in Estonia on Personal Data Protection in Digital Era”, which took place in Tallinn, Estonia.

The aim of the event was to present the Estonian experience in the GDPR implementation process, providing a comprehensive and practical overview of the challenges that have arisen in the implementation process.

At the same time, given that Estonia is known as a global leader in the digitisation of public services and ranks 3^rd in the Global Cybersecurity Index as the most secure country, the information was presented on how the processing of personal data is organised in public institutions, as well as new trends in the process of ensuring cybersecurity.

During the “ Learning and Networking Week in Estonia on Personal Data Protection in Digital Era”, some important topics were addressed, such as:

Challenges of the Estonian Data Protection Authority before and after the GDPR;
Processing of personal data in public databases: processing practices and access to such data;
GDPR case law: significant trends and findings from Estonian judicial and supervisory practice;
Privacy vs. data reuse in the context of a digitally modernised society: challenges and recommendations;
Data sharing and personal data protection;
Cybersecurity etc.

The event was organised by the Eastern Partnership Regional Fund for Public Administration Reform (implemented by the German International Cooperation Agency (GIZ) and funded by the German Federal Ministry for Economic Cooperation and Development (BMZ) and brought together representatives of Data Protection Authorities from Moldova, Armenia, Georgia and Ukraine.

From 11 to 13 March 2024, representatives of the NCPDP made the study visit “Processing of personal data through video surveillance systems“. The event was hosted by the Spanish Data Protection Authority (AEPD) – Agencia Española de Protección de Datos.

The purpose of the event was both to take up legal and operational best practices on the use of video surveillance means, and to provide employees of the NCPDP with the skills and resources necessary to effectively address issues related to the processing of personal data through video surveillance systems, in accordance with current legislation and in the interest of protecting the rights of data subjects.

During the study visit, moderated by experts in the field of personal data protection from the AEPD, topics of importance were analysed in depth, such as:

The evolution of video-surveillance regulations, the latest legislative changes and regulations related to personal data processing through video-surveillance systems, with a focus on GDPR regulations;
Data subjects’ rights and ethics in video-surveillance;
Reception and classification of complaints;
Inspection procedures and instructions;
Technical and organisational measures to ensure the security of personal data;
Promotion of technologies applied to video-surveillance etc.

The study visit was organised with the support of the EU TAIEX Project – Technical Assistance and Information Exchange Instrument, managed and funded by the Directorate-General for European Neighbourhood Policy and Enlargement Negotiations (DG NEAR) of the European Commission.

VI. Other data protection authorities

On 22 January, the final decision of the Belgian SA of 16 January 2024 was announced, imposing a fine of €174,640 for breach by Black Tiger Belgium of the Art. 5 Principles relating to processing of personal data, Art. 6 Lawfulness of processing, Art. 12 Transparent information, communication and modalities for the exercise of the rights of the data subject, Art. 14 Information to be provided where personal data have not been obtained from the data subject, Art. 15 Right to access by the data subject, Art. 24 Responsibility of the controller, Art. 25 Data protection by design and by default and Art. 30 Records of processing activities of the GDPR.

The Belgian SA received a complaint about the processing activities carried out by BISNODE BELGIUM, which was subsequently taken over by the French BLACK TIGER GROUP and renamed BLACK TIGER BELGIUM (hereinafter “BTB”), claiming that the company had indirectly collected and unlawfully processed personal data of the plaintiffs for over 15 years, without properly informing them beforehand.

Following the investigation, the Belgian SA found that BTB could not rely on its legitimate interests, since the personal data collected indirectly could not be deemed necessary to pursue the interest of maintaining updated records of the data subjects. At the same time, Belgian SA also found that the interests of BTB were overridden by the fundamental rights of the data subjects, due to the lack of information provided proactively and individually to them, the context of the processing and the nature of the personal data, as well as the retention period of 15 years. Moreover, BTB did not properly consider all the risks derived from the processing, including the risks of invisible discrimination of the data subjects, when balancing the interests at stake.

In addition, the Belgian SA established that BTB did not adequately respond to the plaintiffs’ requests under Article 15. Lastly, the Belgian SA found the record of processing activities to be incomplete.

In this context, Belgian SA imposed three administrative fines on BTB, amounting to a total of €174.640. These fines relate to the unlawful and unfair processing of personal data without informing data subjects in a proactive, individual and transparent manner; to the failure to respond appropriately to data access requests; and lastly to various infringements relating to the record of processing activities.

Additionally, the Belgian SA imposed several corrective measures on BTB, including a temporary ban of the processing of the personal data of data subjects for whom BTB possesses contact details, until BTB has individually notified them about the processing of their data and given them an opportunity to object to the processing.

Newsletter No 16

561 Views

I. Information and training activities carried out by the NCPDP

In the last quarter of 2023 (October – December), the National Centre for Personal Data Protection (NCPDP), continued to make progress in the aspect regarding information and awareness-raising activities in the field of personal data protection.

During the reporting period, the organization of training courses for the subdivisions of the General Inspectorate of Police (GPI) continued, according to the training plan approved and signed by the heads of the NCPDP and GPI on 25 January 2023.

The aim was to increase the awareness of the employees of the GPI’s subdivisions on the principles of personal data protection and on ensuring the correct application of the legal provisions in the field, in the activity they carry out. During the events important topics were addressed, such as: definition of general notions related to the field of personal data protection; the legal way of personalo data processing in the activity carried out by the employees of the GPI’s subdivisions; the requirements of personal data protection in the exercise of their duties; the obligations of the police body as a data controller in relation to the data subject; the correct procedure of accessing personal data through the state information systems, as well as keeping correct records of the audit of such accesses; ensuring the security and confidentiality of personal data processed, etc.

Thus, training courses were organised for the following subdivisions:

3 October – Telenesti Police Inspectorate of the GPI;
10 October – Taraclia Police Inspectorate of the GPI;
7 November – DAI, DCPI Interpolal GPI, DPC and DPI of GPI;
27 November – Central Police Inspectorate of the Police Directorate;
5 December – Police Department of Chisinau municipality.

In this context, about 200 representatives from GPI subdivisions were trained.

At the same time, training courses for medical institutions continued. On 3 November, a training course on “Legal provisions in the field of personal data protection” was held for the representatives of the “Chiril Draganiuc” Physiopneumology Institute, with the aim of strengthening the capacities of medical staff by familiarizing, raising their awareness and informing them about personal data protection.

During the event were addressed topics such as: definition of personal health data; processing of common categories of personal data; processing of special categories of personal data; legal grounds for processing personal health data; principles of processing personal data; patients’ rights; obligation of secrecy of personal data; confidentiality and professional secrecy; disclosure of personal health data; obligation to ensure confidentiality and security of personal data; data minimization and storage limitation, etc. About 80 representatives of the IMPS of Physiopneumology “Chiril Draganiuc” were trained during the event.

During the reporting period, the information and awareness-raising campaign for school communities continued under the title: “Personal data protection and children’s safety online“. The aim of the campaign, was to provide the school community with high visibility on data protection and child safety online at local and national level by promoting empowerment and best practice intervention and support. The topics covered in the training included: general notions on personal data; correct use of pictures/video online; risks and threats online; communication on social networks, etc. The training course was organized on December 7th for the public institution Liceul Teoretic “Dante Alighieri” from Chisinau. The event took place within the Personal Development class, the target audience being the students of the 5th class “B”. In this context, 37 students were trained.

In the last quarter of 2023, as throughout the year, the NCPDP showed openness and a spirit of collaboration, organising multiple training courses for representatives of public institutions, at their request. The training courses aimed at familiarising public officials with the aspects of personal data protection in the public service, the regulation of processing procedures, as well as the personal data confidentiality and security regime in accordance with the legislation in force.

During the events important topics were discussed, such as: definition of general notions related to the field of personal data protection; principles and legal grounds for personal data processing; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO) and his/her obligations and tasks; issues related to the Data Protection Impact Assessment (DPIA) and the steps to be carried out by a DPIA, etc. Thus, training courses were organised for the following institutions:

02 October – General Inspectorate of Carabineers;
06 October – General Inspectorate Training Centre of Carabineers;
11 October – Regional Directorate “Centre” of the General Inspectorate of Carabineers;
12 October – Agency for Court Administration, Northern Region;
13 October – Agency for Court Administration, Centre Region;
18 October – Regional Directorate “Centru” of the General Inspectorate of Carabinieers;
20 October – Regional Directorate “SUD” of the General Inspectorate of Carabineers;
25 October – Regional Directorate “NORTH” of the General Inspectorate of Carabineers;
31 October – Ministry of Energy;
1 November – General Directorate for Education, Youth and Sport of the Chisinau Municipal Council;
9 November – National Integrity Authority;
16 November – State Chancellery;
17 November – Directors of early education institutions in Chisinau municipality;
22 November – Directors of educational institutions from Chisinau municipality;
23 November – Ministry of Infrastructure and Regional Development;
28 November – Ministry of Labour and Social Protection;
29 November – Republican Centre for Psycho-pedagogical Assistance;
6 December – State Protection and Guard Service;
08 December – Ministry of Agriculture and Food Industry;
18 December – National Agency for Food Safety.

In this context, about 1200 representatives of public institutions were trained.

II. Control activity

From October to December 2023, the NCPDP started the verification of compliance of personal data processing operations in 85 cases. During the reporting period, 89 decisions were issued, of which 43 cases were found to be in violation of the legal provisions, and 42 infringement notices were issued, which were subsequently handed over to the court for resolution.

III. Findings of the National Centre for Personal Data Protection

The NCPDP has examined the complaint of a data subject concerning the alleged non-compliant processing of personal data, materialized by the fraudulent storage and use of personal data belonging to him (name, surname, date/month/year of birth, IDNP). In the course of the investigation, the NCPDP found that personal data concerning the data subject had previously been transmitted by the complainant to the owner of a shop in order to support the payment of a fine via the RunPay terminal at the premises where he was working.

Subsequently, the data subject’s personal data were also used to apply for a loan by entering the IDNP and date/month/year of birth into the terminal. Although, the shop owner claimed that he had mistakenly entered the IDNP of the complainant, (believing that he had entered the personal data of the latter’s daughter), the NCPDP did not determine that there was any justification for entering the date/month/year of birth in the credit application, yet every parent knows the date of birth of their child.

It is imperative to point out that according to Article 11 of the Personal Data Protection Law the conditions and time limits for storing personal data are provided for by law, taking into account the provisions of Article 4 para. (1) letter e). At the end of personal data processing operations, if the subject of these data has not given his consent for another purpose or for further processing, they will be destroyed.

As the data subject did not consent to further processing of the personal data, the data subject’s identification data was to be destroyed immediately after the fine was paid via the terminal.

Thus, the NCPDP, verifying the fulfilment of the mandatory elements implying the conformity and legality of the personal data processing operations, established that there was no purpose and legal basis justifying the actions of the shop owner to store and further use the personal data of the data subject, manifested by their transmission to a credit company, actions contrary to the provisions of Article 4 para. (1) (a) and (e), Art. 5 para. (1) and Art. 11 of the Personal Data Protection Law.

II. The NCPDP has examined the complaint of a Public Authority submitted under its competence, requesting verification of the lawfulness of the processing of personal data of a data subject and his/her child, manifested by accessing/consulting/extracting personal information stored in a state information resource.

The investigation determined that from a user account that was assigned to a former employee of the authority, who resigned in 2019, using the work computer of a current employee, the data subject’s state border crossing information was searched, the information was saved in PDF format, then printed and transmitted to third parties.

Thus, it was established that the user account of the former employee was active even 3 years after the resignation of the employee, being disconnected only two months after the access referred to in the complaint.

Subsequently, it was determined that the work computer that was used for the processing of the data subject’s personal data was located in the common office of several employees and that the employee who was in charge of the computer was not at work at the time of the access. At the same time, it was established that other computers were connected under the IP-device (remote VPN user), and the service office where the computer is located serves as a common office for all employees of the section, with unrestricted physical access to the computer.

In these circumstances, it was not possible to identify with certainty the person/controller who processed the personal data of the data subjects, in which order the NCPDP found in rem that the processing of personal data of the data subjects concerned was carried out contrary to the provisions of Article 4 para. (1) (a), (b), (c) and Art. 5 para. (1) and para. (3) of the Personal Data Protection Law, in the absence of a legal basis and without the consent of the data subject, since the security incident was generated due to improper management and organization of the tasks set for the staff within the institution, which through malicious actions or even errors or negligence in the use of information resources generated the given incident, or the controller was obliged to review the access rights of users at regular intervals, as well: – review of access rights of the SIIV user – once in 6 months and after each change that occurred in the user’s activity, and review of granting access rights of privileged roles – once in 3 months.

At the same time, the Centre determined that the entity is liable for violation of Article 30 para. (1) of the Personal Data Protection Act, as it failed to ensure the necessary organisational and technical measures for the protection of the personal data made available to it, which consequently led to the unlawful processing of the personal data of the data subjects.

III. The NCPDP received, in accordance with its competence, a request from the police, which concerned the request of an individual to verify the lawfulness of the processing of personal data.

In fact, the data subject reported that he had received numerous phone calls from various lending companies in the Republic of Moldova informing him about the examination of applications for credit based on his personal data submitted through the online applications applied for.

Following the actions carried out during the control, in the light of Law no. 133/2011 on the personal data protection, the NCPDP identified the person who processed the personal data, thus falling under the notion of data controller and being responsible for the personal data processing operations, as well as for ensuring the confidentiality and security of personal data.

In this context, the Personal Data Protection Authority found that the processing of the data subject’s personal data, carried out by the data controller, by disclosing the name, surname, state identification number (IDNP) and contact details of the complainant to the credit companies, took place contrary to the legal provisions laid down in Article 4 para. (1) letters a), b), c), Art. 5 para. (1), Art. 9 and Art. 29 para. (1) of Law No. 133/2011 on personal data protection.

IV. The NCPDP was referred to by an initiative group, which alleged that Law No 356/2022 on the amendment of some normative acts introduced amendments to Law No 93/1998 on the entrepreneur’s patent, which would have created conditions for the violation of legal provisions on the protection of personal data of holders of entrepreneur’s patents.

Thus, entrepreneurs operating in the markets, who have complied with the new tax regime, have found that the tax receipts issued to buyers contain personal data, in particular, the state identification number, indicated in the tax code field – C. F.

From the stipulated provisions, it was determined that the tax legislation regulates the record of tax liabilities of individuals on the basis of tax codes assigned in the prescribed order, resulting from the exercise of independent economic activity.

Examining the existing legal bases in force, in particular – Art. 5(28), Art. 162 para. (1) letter b), art. 163 of the Tax Code, point 10 letter i) of the Instruction on Taxpayer Records, point 24 of the Regulation on the Single Register of Cash Register and Control Equipment, which frames the fact of processing the IDNP of individuals, in the context of self-employed activity, subject from 1 July 2023 to the documentation of the sale of goods and the use only of cash register and control equipment connected to the Automated Information System “Electronic Monitoring of Sales”, in conjunction with the provisions of Art. 5 para. (5) b), art. 9 b) of Law no. 133/2011, the personal data processing operations in the case in question are carried out for the fulfilment of an obligation incumbent on the controller under the law.

At the same time, it has been identified as vulnerable the fact that any self-employed natural person is required by the existing legal framework, in particular the one concerning the algorithm of operation of cash register and control equipment, to make public/known his IDNP in the tax receipts issued daily.

However, similar regulations have been subject to constitutional review by the Constitutional Court, which has assessed the positive obligation of the competent authorities to ensure, also in the case under examination by the NCPDP, the protection of the IDNP of data subjects who practice independent activity in an efficient and similar way.

As a result, the NCPDP has attested to the existence of a defective legal framework governing the legal regime of the tax records of self-employed individuals, namely, the fact of recording the IDNP in the tax receipt issued by the licence holder to each client, interferes with the privacy of the person, being a disproportionate measure in relation to the intended purpose.

Subsidiarily, it was recommended to the Ministry of Finance/State Tax Service to establish technical and organizational measures to ensure the protection of personal data of self-employed persons, by identifying and implementing appropriate and efficient mechanisms for keeping tax records, without prejudice to the right to protection of personal data, for example: by depersonalizing the IDNP of the self-employed individual recorded in the tax voucher or by assigning a new tax code separate from the IDNP, in the context of the circumstances highlighted in para. II of the finding part of this Decision, informing the NCPDP of the action taken in this respect.

IV. Surveillance activity

During the reporting period, the NCPDP continued to organise training courses for persons designated by the controller or the processor as Data Protection Officer. This obligation is stipulated by the provisions of Law no. 133/2011 on the protection of personal data, which establishes the duty of the controller and the processor to designate a Personal Data Protection Officer in the cases provided for in Article 25 of the aforementioned law.

The aim of the training course, which took place on 21 December, was to develop theoretical knowledge in the field of personal data protection and practical skills on the application of regulations and legislative requirements in the field. During the event, important topics were discussed, such as: definition of general notions related to the field of personal data protection; rights of personal data subjects; processing of special categories of personal data; principles and legal grounds for processing personal data; ensuring security and confidentiality of personal data processed; issues related to the Data Protection Officer (DPO); issues related to Data Protection Impact Assessment, etc. About 10 DPOs from both the public and private sectors were trained during the event.

At the same time, in order to provide methodological and advisory support to personal data controllers and/or processors, more than 50 telephone consultations and 15 responses via e-mail were provided, with recommendations being proposed to remove discrepancies identified by personal data controllers.

V. International and European news

On 17 October 2023, NCPDP’s representatives participated in the “GDPR4BUSINESS” Conference, organized by the National Association of ICT Companies within the ABA Rule of Law Initiative Project “Personal Data Protection – Rights and Obligations in the Republic of Moldova” in partnership with the European Business Association (EBA Moldova). The NCPDP’s expert addressed the topic “Data Protection Officer” (DPO), highlighting the most new and important issues required by the provisions of Law 133/2011 on the protection of personal data: appointment of DPO; DPO function; DPO tasks.

At the same time, the conference presented practices with applicable content for business and representatives of public authorities, such as:

– Key aspects of the draft law on Personal Data Protection;

– international and regional experience in applying the GDPR;

– solutions and responses to situations, cases and challenges faced by business and public authorities in implementing the harmonised legal framework.

The event was attended by state officials, national and international experts as speakers.

On 18-19 October 2023, representatives of the NCPDP carried out a study visit “Reconciling the right of access to information and personal data protection“. The event was hosted by the French National Commission for Information Technology and Liberties (CNIL) (Commission Nationale de l’Informatique et des Libertés).

The aim of the event was to take stock of the best legal and operational practices of the CNIL on mechanisms for reconciling the right of access to information and the protection of personal data.

During the study visit, moderated by experts in the field of personal data protection from the CNIL and CADA – Commission for Access to Administrative Documents, topics of importance such as: protection of personal data in the exercise of the right of access to information; reconciling the right of access to information and the right to protection of personal data; request for access to administrative documents or exercise of the right of access by the data subject, how to distinguish them and what is the impact; publication and re-use of data of public interest; re-use of data of public interest for scientific research purposes, etc.

The study visit was organised with the support of the EU TAIEX project – Technical Assistance and Information Exchange Instrument, managed and funded by the Directorate-General for European Neighbourhood Policy and Enlargement Negotiations (DG NEAR) of the European Commission.

From 1 to 3 November 2023, the NCPDP’s representative participated in the Internet Freedom Summit 2023, which took place in Ohrid, North Macedonia.

The event included interactive sessions, workshops, roundtables and training sessions, focusing on topical issues in the field of personal data protection and privacy, such as:

– Privacy in a connected world: Navigating and Challenges of Data Protection in the Digital Age;

– International data protection standards and the importance of harmonisation for efficient cross-border data transfers;

– Balancing privacy and technological innovation;

– The role of regulators in promoting a privacy-sensitive innovation culture;

– Strategies for monitoring and enforcing data protection regulations on online platforms;

– The role of data protection authorities in ensuring compliance and addressing detected breaches;

– The future of privacy: emerging technologies and trends, etc.

At the event, the NCPDP’s representative addressed the topic – “Balancing privacy and data protection from a South-East European perspective“. Participants also shared their views on strategies for monitoring and enforcing data protection regulations on online platforms, in particular, on the future of privacy in an era of artificial intelligence, blockchain and other new technologies impacting privacy.

The event, organised by ABA ROLI, brought together civil society representatives, academics, lawyers, journalists from North Macedonia, Romania, Moldova and Serbia.

From 8 to 9 November, the NCPDP’s representatives participated in the European Case Management Workshop 2023, held in Bern, Switzerland, an annual event that provides a forum for participatory dialogue between Data Protection Authorities on the challenges they face and the solutions they apply in their daily practice.

The aim of the event was to focus on topical issues in the field of personal data protection and privacy, in particular such as:

– Handling unfounded or excessive requests in an overt manner – as per Article 57 (4) of the GDPR;

– Essential personal data protection safeguards for law enforcement cooperation between data protection authorities in the EEA;

– GPS tracking in employment relationships;

– Facial recognition and detection through the lens of personal data protection;

– The concept of harm related to the protection of personal data of data subjects, etc.

The European Case Management Workshop 2023 was attended by 82 representatives from 29 countries and 37 Data Protection Authorities.

On 15-17 November, representatives of the NCPDP attended the 45th plenary meeting of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) in Strasbourg, France.

The meeting discussed important topics including:

– Convention 108+, ratifications and current accessions;

– Contractual clauses in the context of cross-border data flows;

– Interpretation of Article 11 of the modernised Convention 108;

– Protection of personal data in the electoral process;

– Cooperation with other Council of Europe bodies and entities;

– Major developments and activities in the field of data protection, etc.

The CNPDCP delegation reported on the status of ratification of the Protocol amending ETS 223 to Convention 108, indicating that the draft law on the ratification of the Protocol amending Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and related documents have been submitted to the Ministry of Justice for the necessary procedures to ensure its submission to the Government of the Republic of Moldova for approval, after which it will be submitted to Parliament for ratification. Regarding the legislative review in the field of personal data protection, at the moment, the Republic of Moldova is in the process of ensuring the transposition of Regulation (EU) 2016/679 and Directive (EU) 2016/680 into national legislation.

The delegation of the NCPDP reported on the status of ratification of the Protocol amending CETS 223 to Convention 108, indicating that the draft law on the ratification of the Protocol amending Convention No. 108.

At the same time, the Moldovan delegation also mentioned developments and activities in the field of data protection at national level.

VI. Other data protection authorities

On 05 October, the Croatian Data Protection Authority decision was issued on the imposition of an administrative fine in the amount of €5,470,000 on the debt collection agency EOS Matrix for violation of Articles 5, 6, 9, 12, 13 and 32 of the GDPR.

The investigation was initiated following an anonymous petition alleging that there was unauthorised processing of a large amount of personal data of individuals (debtors) by EOS Matrix (data controller). The petition was accompanied by a USB stick containing 181641 personal data of individuals such as: name, surname, date of birth and personal identification number who had outstanding debts to credit institutions. In addition, the petition mentioned that 294 individuals included in the database were minors at the time of its compilation.

The investigation found that:

EOS Matrix Debt Collection Agency has not implemented sufficient technical measures in the processing system – the main database where personal data of approximately 370,000 data subjects are processed, contrary to the provisions stipulated in Article 32 of the GDPR.

The data controller also processed personal data of natural persons who are neither debtors nor legal representatives of heirs in debtor-creditor relationships, contrary to the provisions of Article 6(1) of the GDPR.

With regard to the processing of health data, it was established that the data controller actively recorded comments related to the debtor’s state of health contrary to the provisions stipulated in Article 9(2) of the GDPR. Examining the first three privacy policies (which were in force between May 2018 and October 2020), it was established that the data controller specified that it does not and will not process health data. Therefore, the processing of personal data was non-transparent, which is not in line with Articles 12(1) and 13(1) and (2) of the GDPR.

In addition, between May 2018 and January 2019, the data controller processed data relating to 49 850 data subjects by recording telephone conversations without having established the legal basis referred to in Article 6(1) of the GDPR, which also led to a breach of Article 5(2) of the GDPR.

On 12 October, the French Data Protection Authority (CNIL) issued a decision imposing an administrative fine of €600,000 on the controller GROUPE CANAL+ for violating the legal provisions stipulated in the GDPR.

The CNIL has received numerous complaints about difficulties encountered by individuals in having their rights taken into account by GROUPE CANAL+, which produces media channels and distributes pay-TV offers.

Based on the findings of the investigation, the CNIL considered that the controller did not comply with several obligations under the GDPR and the French Post and Electronic Communications Code (CPCE), such as:

Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Articles L. 34-5 of the CPCE and 7 of the GDPR);
Failure to comply with the obligation to provide information (Articles 13 and 14 GDPR) and failure to exercise the rights of data subjects (Articles 12 and 15 GDPR);
Failure to provide a contractual framework for processing operations carried out by a processor (Article 28.3 GDPR);
Failure to comply with the obligation to ensure the security of personal data (Article 32 GDPR);
Failure to comply with the obligation to notify the CNIL of a data breach (Article 33 of the GDPR).
The amount of this fine was decided on the basis of the breaches identified, as well as taking into account the cooperation of the data controller and all the measures the data controller has taken to comply with the legal provisions.

On 11 December, the final decision of the Norwegian Supervisory Authority (Datatilsynet) of 6 February 2023 was announced regarding the imposition of an administrative fine of NOK 10 million (approximately 850 thousand euros) on SATS for violation of Art. 5 Principles relating to the processing of personal data, Art. 6 Lawfulness of processing, Art. 12 Transparency of information, communications and the means of exercising the data subject’s rights, Art. 13 Information to be provided where personal data are collected from the data subject, Art. 15 Right of access of the data subject, Art. 17 Right to erasure of data (“right to be forgotten”) of the GDPR.

Datatilsynet has received several complaints regarding the company SATS during the period 2018-2021. These related to alleged breaches of complainants’ rights under the General Data Protection Regulation as customers of the Fitness Network, as well as the company’s failure to comply with access and deletion requests.

SATS is the largest fitness chain in the Scandinavian countries, with gyms in Norway, Sweden, Denmark and Finland. The company is headquartered in Norway and therefore Datatilsynet handled the case in cooperation with several supervisory authorities using the One Stop Shop mechanism. As the lead supervisory authority, Datatilsynet was primarily responsible for investigating, analysing and taking a decision in this case, being the lead supervisory authority.

Newsletter No. 14

1058 Views

1. Information and training activities carried out by the NCPDP

During the first semester of 2023, the National Centre for Personal Data Protection (NCPDP) has achieved major progress in information and awareness activities for the general public in the field of personal data protection.

On 25 January 2023, the executives of the NCPDP and the General Police Inspectorate (GPI) approved and signed the training plan for the GPI subdivisions, therefore, several training courses were organised. The purpose of these courses was to increase the awareness of GPI subdivision employees about the principles of personal data protection and to ensure the accurate application of the relevant legal provisions in their work.

The important topics were discussed during the training courses, such as:

– general notions of the personal data protection field;

– the legal way of processing personal data in the activity carried out by the employees of the GPI subdivisions;

– the requirements of personal data protection used during the execution of their duties;

– the obligations of the police as a data controller in regard to the data subject;

– the correct procedure of accessing the personal data through the state information systems, as well as keeping accurate audit records of such kind of accesses,

– ensuring the security and confidentiality of processed personal data etc.

Thus, training courses were organised for the following subdivisions:

– On 1st February – Anenii Noi Police Inspectorate of the GPI;

– On 6th March – National Inspectorate of Investigation (NII) of the GPI;

– On 24th March – National Centre for Combating Trafficking in Human Beings of the NII;

– On 7th April – National Public Security Inspectorate, Regional Directorate “Centre” of the GPI;

– On 25th April – Buiucani Police Inspectorate of the Chișinău Police Department;

– On 5th May – Ciocana Police Inspectorate of the Chișinău Police Department;

– On 22nd May – Râșcani Police Inspectorate of the Chișinău Police Department;

– On 5th June – General Directorate for Criminal Prosecution of the GPI;

– On 23rd June – Police Department of ATU Gagauzia.

Also, the training courses were organized for a number of medical institutions on topic “Legal provisions in the field of personal data protection”. The aim of the training courses was the strengthening the capacities of medical staff through familiarising, raising awareness and informing them about personal data protection. The courses included topics such as: definition of personal data concerning health; processing of common categories of personal data; processing of special categories of personal data; legal grounds for processing personal data concerning health; principles of processing personal data; patients’ rights; obligation of personal data privacy; confidentiality and professional privacy; disclosure of personal data concerning health; obligation to ensure confidentiality and protection of personal data; minimization of data and limitation of storage, etc. Thus, the trainings took place:

– On 9th June at Public Health Institution ”Family Medics’ Centre”, Bălți municipality

– On 21st June at Public Health Institution ”Territorial Medical Association” district Centre

– On 28th June at University Primary Health Care Clinic public health institution of Nicolae Testemițanu SUMPh

During the reporting period, the information and awareness campaign for school communities, titled as “Personal data protection and children’s safety in the online environment” was continued. The campaign aimed to inform and raise awareness of the school community with the field of personal data protection and children’s safety in the online environment at local and national level by promoting empowerment and best practices for intervention and support.

The topics covered in the trainings included: general concepts on personal data; adequate use of pictures/videos online; online risks and threats; communication on social networks etc. Three training sessions were organised within the school community:

– On 27th January – Public Institution “Gheorghe Asachi Theoretical Lyceum”;

– On 17th May – Public Institution “Mircea Eliade Theoretical Lyceum”;

– On 18th May – Public Institution “Ion Creangă Theoretical Lyceum”.

Simultaneously, NCPDP organized training courses for specific categories, at their request:

– representatives of libraries in the Chișinau municipality and other districts of the Republic;

– representatives of the National Health Insurance Company;

– representatives of the Cahul General Directorate of Education;

– representatives of the State Tax Service;

– representatives of the Ministry of Internal Affairs and

– representatives of the National Agency of Road Transport.

In this context, in the first semester of the current year, the trainers of the NCPDP provided trainings for about 650 representatives of the GPI subdivisions, almost 210 representatives of medical institutions, around 120 pupils from educational institutions and approximately 575 representatives of other institutions.

During the same reference period, i.e., on 29th-30th March 2023, the NCPDP in collaboration with TAIEX project experts organized the TAIEX Expert Mission “Personal data processing for statistical purposes” in online format. The objective of the Expert Mission was to present the best European legal and operational practices on the mechanisms of processing and storage of personal data for statistical purposes by the National Bureau of Statistics (NBS), data exchange between the institutions and the NBS, as well as the regulations related to the security of these data. The event was attended by 24 representatives of public sector.

2. Control Activity

In the period of January – June 2023, the NCPDP initiated compliance checks on the processing of personal data in 180 cases. In the reference period, 141 decisions were issued of which 73 cases were found to be in breach of the law, being concluded 34 minutes of infringement proceedings, which were subsequently submitted to the court for resolution.

3. Findings of the National Centre for Personal Data Protection

I. The NCPDP has examined the complaint of a personal data subject concerning the alleged non-compliant processing of personal data stored in the Real Estate Register (RER) and carried out by a Local Public Authority (LPA) and a Central Public Authority (CPA).

In this context, the decision found that the operations of accessing personal data relating to the data subject’s real estate were carried out by the CPA and LPA in breach of Article 4 para. (1) letters a), b) and art. 5 of Law no. 133 of 08.07.2011 on personal data protection, or these operations took place without a determined, explicit and legitimate purpose.

Thus, the main aspect that led to the finding of violation of the legal provisions by the LPA was the data access for personal purposes (for the research meant for master’s thesis) and the lack of record of personal data access in the automated systems by authorized users within the LPA.

Regarding the reason for the finding of violation of Law No. 133/2011 by the CPA, we note that the CPA did not ensure the information update on authorised users with the access to the state automated information system. Additionally, the CPA did not notify the competent authorities about changes in employment relationships (resignation of a former employee), which resulted in personal data access in the RER even after the resignation.

II. The NCPDP carried out an investigation on the basis of a complaint from a data subject, in which he pointed to alleged unlawful personal data processing operations concerning him, stored in the RER and carried out by a LPA, as well as the non-realization of the right of access to his personal data.

Following the examination of the case, by decision, the NCPDP found that the LPA failed to deny the presumption of illegality of the processing of personal data of the data subject, which led to the violation of Law No. 133/2011, as it was found that all authorized users within the LPA who had access to the central data bank of the RER used the same access account, which was assigned to a former employee of the LPA. This fact made it impossible for the controller to keep strict records of accesses. Regarding to the contribution of the right of access to the data subject’s personal data, it was established that there was no breach of this aspect, as it was established that the LPA had examined the request and had sent a reply to the data subject.

III. The NCPDP has examined the complaint of a personal data subject concerning the alleged unlawful personal data processing operations stored in the RER, which was carried out by the controller without data subject’s consent.

Following the examination, it was carried out that the operations of accessing the real estate data, which belong solely to the data subject by law, were made to create and register a co-owners’ association.

Also, during the examination of this case, the controller, in order to justify his actions of access/consulting the personal data through the RER, which belong solely to the data subject, made the reference to the contract for the provision of consulting services and collaboration, as well as to the provisions of the art. 5 of Law No. 133/2011 on personal data protection.

In this case, NCPDP has stated that the allegations invoked by the controller does not justify and does not demonstrate the necessity of processing the subject’s personal data, which was manifested through accessing the central data bank of RER, as well as processing of personal data is to be carried out with the conditions based on the provisions of the art. 5 of Law No. 133/2011 on personal data protection.

In this context, the decision found that the operations of accessing personal data regarding the immovable property of the data subject was carried out in violation of Article 4 para. (1) letters a), b) and art. 5 of Law no. 133 of 08.07.2011 by the data controller – legal person, in the absence of a specific, explicit and legitimate purpose.

IV. The NCPDP has examined the complaint of a personal data subject concerning allegedly inappropriate processing of personal data stored in the State Register of Population (SRP) by a public authority employee.

During the investigation, although a request was indicated as the cause for the processing operation of personal data, it was established that the request was made in the name of another person.

In this regard, the NCPDP has not identified any purpose and legal basis that would have allowed the authorised user within the public authority to process (by data retrieval) the personal data of the data subject without his/her consent and without having a file/request taken into consideration.

In this context, by decision it was found that, the personal data processing operation concerning the data subject, was carried out by the authorized user in violation of the provisions of Article 4 para. (1) letters a), b) and art. 5 of Law No. 133/2011 on personal data protection, in the absence of a specific, explicit and legitimate purpose and without the consent of the data subject.

V. The NCPDP examined the request received from the State Tax Service (STS) informing that, as a result of the exercise of tax administration duties, an economic agent was found to be collecting and using personal data contrary to the provision of Article 5 para. (1) of the Law no. 133/2011 on personal data protection, which served as a reason for initiating the confirmation/investigation the compliance of personal data processing operations.

In fact, according to the materials attached to the STS request, it was found that the economic agent processed the personal data of 35 natural persons without their personal consent or the successors of deceased persons, as well as in the absence of any other legal basis provided by Article 5 para. (5) of the Law no. 133/2011 on personal data protection.

Following the investigations carried out by the NCPDP, in accordance with the provisions of Article 27 of Law no. 133/2011 on personal data protection, the NCPDP decision confirms the violation of the provisions of Article 4 para. (1) letter a), art. 5 para. (1), (4) and art. 12 of Law no. 133/2011 on personal data protection by the economic agent in the matter of the processing of personal data of the data subjects mentioned in the STS request.

At the same time, the NCPDP also ordered to stop of the processing operations of personal data of the data subjects concerned in the SFS and the destruction of the copies of the identity cards unlawfully used/obtained by the economic agent.

Consequently, in accordance with the provisions of Article 20 para. (1) letter m) of Law No. 133/2011 on personal data protection, the NCPDP has stated an order to the criminal prosecution body of the STS concerning the existence of reasonable indications of falsification of documents for the goods purchase, an act in accordance with the provisions of Article 3351 of the Criminal Code.

Moreover, following the finding of the violations mentioned above, the NCPDP interfered in the order of the contravention against the economic agent by initiating the minute on the contravention in accordance with the provisions of Article 741 para. (1) and (3) of the Contravention Code.

VI. The NCPDP was notified of the lawfulness of the activity of the website www.numar.md, where certain personal data of several natural persons were published by a representative of mass-media.

Following the analysis of the website www.numar.md, it was found that, any person could leave a comment, which is visible to everyone, about the owner of any mobile phone number in the Republic of Moldova. The comments on the web page contained various types of biographical information such as: name, surname, education, workplace, age, locality, home address, type of activity etc., as well as defamatory and insulting information. Disclosure of such information online for unrestricted viewing could seriously harm the constitutional rights and freedoms of citizens.

As a result of the control, the NCPDP has determined that the means provided for processing personal data are inappropriate by publishing on the website www.numar.md information containing personal data, such as: name, surname, education, workplace, age, locality, home address, type of activity etc., as it was not established the existence of a specific, explicit and legitimate purpose, nor the existence of a legal basis for processing personal data concerning the holders of mobile phone numbers in the Republic of Moldova. These actions are committed in conflict to the provisions of Article 4 para. (1) (a), (b), (c) and Art. 5 (1) (a), (b), (c) and Art. 5 (1) (b). (1) of Law no. 133/2011 on personal data protection.

In this context, taking into account the provisions of Art. 27 para. (3) and par. (5) of Law no. 133/2011 on personal data protection, the NCPDP issued a decision which states that the finding of violation of the provisions of Law no. 133/2011 on personal data protection in rem through the website www.numar.md, the outcome of unavailability on the Internet of the page www.numar.md, as well as the referral to the Public Institution “Information Technology Service and Cyber Security” in order to examine the possibility of intervening in the light of the competences set out in para. 33 p. 7) of the Regulation on Management of Top-Level Domain .md, approved by ANRCETI Decision no. 42/2020.

Finally, it is noted that the purpose of the Supervisory Authority’s self-reporting, manifested by the desire to counteract the non-compliant of personal data processing, was achieved with the unavailability/becoming inactive of the website www.numar.md, which was a source of abusive disclosure of personal information of a large number of data subjects.

4. Supervisory activity

On 10 January 2022, in accordance with the provisions of the Law no.175/2021 on the amendment of some normative acts, the obligation of the controller and the processor to designate a data protection officer was established, in the cases provided by of Art. 25 para. (6) of the Law no. 133/2011 on personal data protection.

In this regard, the NCPDP has launched a cycle of training courses for data protection officers. The main purpose of the trainings is to develop theoretical knowledge’s in the field of personal data protection and practical skills on the application of normative acts and legal requirements in this field. Thus, during the reference period, 28 persons were trained.

In accordance with the provisions of Art. 25 para. (6) of the Law no. 133/2011 on personal data protection, the controller or processor is obliged to publish the contact details of the data protection officer and communicate them to the NCPDP. Thus, during the reference period, the NCPDP received 21 letters, through which it was informed about the fact of the designation of the data protection officer from the respective entities, mainly from private entities.

At the same time, the following guidelines were developed and published on the official website of the NCPDP under the section “Data controller/NCPDP recommendations”: “Guidelines on personal data protection impact assessment (DPIA)” and “Guidelines on the processing of personal data through video devices”, in accordance with the provisions of the Law no. 187 of 14th July 2022 on the condominium.

In order to provide methodological and advisory support to personal data controllers and/or processors, more than 220 telephone consultations and 15 responses via e-mail were provided and recommendations were proposed to resolve discrepancies identified by the data controller.

5. International and European news

– As part of the collaboration between SIGMA and the GiZ Regional Fund for the Eastern Partnership, the first Academy, known as “Service design and delivery in a digital age”, was held in Paris on 6th-10th February 2023. The aim of the Academy was to create the opportunity for intensive networking and exchange on public service redesign:

a) at national level – between the key public institutions, such as public service development agencies and personal data protection institutions;

b) at regional level – between countries of Eastern Partnership; and

c) at international level – between Eastern Partnership countries and EU Member States.

Thus, in order to achieve the best practices within the Academy, a study visit to the French Ministry of Transformation and Public Service was also carried out, and the NCPDP representative was introduced to the current situation of public service transformation in France, as well as the public services improvement (human-centred digital public services), monitoring and transparency of the implementation of government reforms etc.

– In the first semester of 2023, the representatives of the NCPDP attended 3 plenary sessions of the European Data Protection Board (EDPB) and 3 online meetings. Several documents were discussed and adopted in their final version during these plenary meetings, including:

– Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR;

– Guidelines 07/2022 on certification as a tool for transfers;

– Procedure for the adoption of EDPB Opinions on national criteria for certification and European Data Protection Seals;

– Guidelines 01/2022 on data subject rights – Right of access;

– Guidelines 04/2022 on the calculation of administrative fines under the GDPR;

– Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement.

On 25th May, The EDPB has elected Anu Talus (FI DPA) as the new Chair of the European Data Protection Board (EDPB) and Irene Loizidou Nikolaidou (CY DPA) as new Deputy Chair. The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.

– On 10th-12th May 2023, the representatives of NCPDP participated in the 31st Spring Conference of the European Data Protection Authorities (EDPA) in Budapest, Hungary. This year the event was hosted by the Hungarian Data Protection Authority.

During the working sessions, topical data protection issues were presented, such as:

– New technologies – assessing the social impact of the use of new technologies in different areas;

– Interaction between data protection and competition law;

– Court decisions: resolutions and amendments to the Rules of Procedure;

– Best practices/case studies in enforcement cooperation between EEA and non-EEA countries.

For the first time at a Spring Conference of the EDPA, an Open Day was organised. This practice gave the opportunity to several institutions, NGOs or other organisations that expressed interest in the topics covered during the event to participate online.

The event was attended by the representatives of Central and Eastern European Data Protection Authorities, the Council of Europe, the European Data Protection Board, the European Data Protection Supervisor, where they had the opportunity to exchange experience and best practices in the field of personal data protection, including the role of the Data Protection Officer within a public or private entity.

– On 14th-16th June, the 44th plenary meeting of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) took place in Strasbourg, France. Several topics were discussed during the meeting, including:

– Convention 108+, ratifications and current accessions;

– data protection for the processing of personal data for anti-money laundering/countering financing of terrorism purposes;

– model contractual clauses for transborder data flows of personal data;

– interpretation of Article 11 of the modernised Convention 108;

– protection of personal data, including biometric data in the electoral process;

– cooperation with other Council of Europe bodies and entities;

– main developments and activities in the field of data protection etc.

At the same time, the NCPDP delegation reported on the status of ratification of the Protocol amending CETS no. 223 to Convention 108. It should be noted that on 9 February 2023, on the basis of Presidential Decree No. 757/2002, the Republic of Moldova signed the Protocol amending Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, and the Action Plan of the Government of the Republic of Moldova for the current year includes the promotion of measures to ratify the Protocol.

6. Other data protection authorities

– On 22nd May, Following the EDPB’s binding dispute resolution decision of 13 April 2023, Meta Platforms Ireland Limited (Meta IE) was issued a €1.2 billion fine following an inquiry into its Facebook service, by the Irish Data Protection Authority (IE DPA), for serious breach of the legal provisions, stipulated in Regulation (EU) 2016/679 (GDPR). This fine, which is the largest GDPR fine to date, was imposed for personal data transfers made by Meta IE to the US under standard contractual clauses (SCCs) since 16 July 2020.

In its binding decision of 13 April 2023, the EDPB instructed the IE DPA to amend its draft decision and to impose a fine on Meta IE. Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum. The EDPB also instructed the IE DPA to order Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of the GDPR, within 6 months after notification of the IE SA’s final decision.

The IE DPA’s final decision incorporates the legal assessment expressed by the EDPB in its binding decision, adopted on the basis of Art. 65(1) (a) GDPR after the IE DPA, as lead supervisory authority (LSA), had triggered a dispute resolution procedure concerning the objections raised by several concerned supervisory authorities (CSAs). Among others, CSAs issued objections aiming to include an administrative fine and/or an additional order to bring processing into compliance.

– On 16th May, the final decision of the Croatian SA of 2nd May 2023 was announced regarding the imposition of the administrative fine on the data controller, the Debt Collection Agency B2 Kapital d.o.o., in the amount of 2,265,000.00 EUR due to violations of Articles 13, 28 and 32 of the GDPR

In December of 2022, the Croatian SA received an anonymous complaint in which it was stated that there was unauthorized processing of a large number of personal data of debtors, by the Debt Collection Agency B2 Kapital d.o.o. Together with the complaint, the B2 Kapital received the attached USB stick containing personal data for a total of 77 317 natural persons who had outstanding debts in credit institutions, and which were purchased by the Debt Collection Agency based on the cession agreement. The same personal data were delivered on a USB stick to a Croatian media outlet.

It was established that the violation has been going on since at least 2019 and that it has not been remedied to date, all because of not applying appropriate protective measures.

– On 21st March, the final decision of the Finnish SA of 17th February 2023 was announced regarding the imposition of the administrative fine in the amount of 440,000 EUR on the data controller, Suomen Asiakastieto Oy, for failing to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The SA pointed out that a payment default entry has a significant impact on the rights and freedoms of an individual.

In 2021, the Finnish SA ordered the controller to rectify its practices in registering payment default entries based on final decisions and to erase all inaccurate payment default entries which had resulted from such practices. The controller did not appeal the decision. The Finnish SA contacted the controller in January 2023 for sanction assessment. The controller stated that it had interpreted the SA’s order incorrectly and had now erased all payment default entries based on final decisions from its register. The SA finds that the controller has consciously decided not to comply with the SA’s order. The inaccurate payment default entries could have been erased because the Legal Register Centre discloses payment default information based on final decisions to the controller in the format in which they are saved in the register of court decisions. Decisions can be retrieved from the register for 10 years from their date of issue.

– The French Data Protection Authority (CNIL) imposed an administrative fine in the amount of 5,2 million euros on the data controller CLEARVIEW AI for illegal data procession via facial recognition technology.

CLEARVIEW AI collected photographs from a wide range of websites, including social networks, and sells access to its database of images of people through a search engine in which an individual can be searched using a photograph. The company offered this service to law enforcement authorities. Facial recognition technology is used to query the search engine and find an individual based on its photograph.

Newsletter No. 13

659 Views

1. Information and training activities carried out by the NCPDP

During the fourth quarter of 2022, the National Center for Personal Data Protection (NCPDP) organized 8 training courses for local public authorities (LPAs) attended by about 226 persons and 5 training courses for central public authorities (CPAs) and other entities where about 425 representatives were trained, as well as 125 participants from the Academy of Public Administration and Mobiasbanca (OTP Bank).

For LPAs the training was conducted as follows:

– On 11 October – Cimișlia District Council;

– On 27 October – Șoldănești District Council;

– On 04 November – Cantemir District Council;

– On 25 November – Ștefan Vodă District Council;

– On 18 November – Ocnița District Council;

– On 2 December – Basarabeasca District Council;

– On 9 December – Criuleni and Dubăsari District Councils;

– On 20 December – Taraclia District Council.

As for other entities, the NCPDP has organized trainings for:

– representatives of the National Bank of Moldova on 10 and 17 October;

– Academy of Public Administration – on 18 October;

– Mobiasbanca (OTP Bank) – on 22 and 24 November;

– Customs Service – on 17 October, as well as on 19-21 December.

Thus, during this period, the NCPDP managed to train a significant number of people across the country.

Moreover, it is worth mentioning that during 2022 training of all LPAs in the Republic of Moldova was ensured.

Also, during the same period, in order to disseminate the field of personal data protection, the NCPDP organized a Workshop for pupils of the 5th-6th grades of IPLT “Gheorghe Asachi” mun. Chișinău. The workshop aimed to inform and raise awareness of pupils with the field of personal data protection and children’s safety in the online environment by promoting empowerment of best practices for intervention and support.

2. Control Activity

In the period October – December 2022, the NCPDP initiated compliance checks on the processing of personal data in 53 cases. In the reference period, 57 decisions were issued of which 17 cases were found to be in breach of the law, being concluded 31 minutes of infringement proceedings, which were subsequently submitted to the court for resolution.

3. Findings of the National Centre for Personal Data Protection

I. The NCPDP has examined the complaint of a personal data subject concerning the alleged non-compliant processing of personal data stored in the Real Estate Register and carried out by a natural person.

During the investigation, it was found that the operations to access the real estate, which belongs to the data subject by right of ownership, was carried out with the purpose of purchasing a real estate located in the same area, but no evidence confirming the allegations was presented by the controller.

Furthermore, the NCPDP found that in the mentioned case, the personal data controller did not provide statements that would justify, in particular, the necessity of the access carried out in relation to the personal data of the data subject and the demonstration of the causal link between the personal data of the owner of the property and the purpose of the access.

In this context, by decision it was found that the operation of accessing personal data relating to the data subject’s real estate was carried out in breach of Article 4 para. (1) letters a), b) and art. 5 of Law no. 133 of 08.07.2011 on personal data protection, by a natural person, without a determined, explicit and legitimate purpose.

II. The NCPDP received a complaint from a personal data subject, who requested verification of the lawfulness of personal data processing operations concerning him, carried out by 8 (eight) entities (hereafter – data controllers), manifested by accessing personal data stored in several automated record systems (RSP, RST, RBI, etc.), being more than 400 accesses, as well as the failure to exercise the right of access to personal data concerning the complainant.

In these circumstances, the NCPDP ordered the examination of the lawfulness of the processing operations of the data subject’s personal data carried out by each controller.

Thus, as a result of the investigations, with regard to three data controllers, the NCPDP found that the data controllers processed the personal data of the data subject in compliance with the requirements of Law No. 133 /2011, while in the case of five data controllers, the NCPDP found a violation of the provisions of the aforementioned Law, as the data controllers could not justify the purpose and legal basis of the processing operations of the data subject’s personal data, or could not identify the data of the users who carried out certain consultation/viewing operations of the data subject’s personal data and, respectively, it was not possible to identify the purpose of the processing.

Furthermore, with regard to a data controller-legal entity, the NCPDP established that, although the complainant exercised his right of access to his personal data processed by the entity, by sending a request pursuant to Article 13 of Law 13/2011 to the controller, the latter did not provide him with a response to what he had requested, contrary to the aforementioned legal provisions.

III. The NCPDP has examined the complaint received from the Effective Inspection Department of the General Inspectorate of Police complaining about alleged unlawful acts admitted in the processing of personal data of a data subject by police employees of a territorial Police Inspectorate.

In the context, the NCPDP determined that the characterization and criminal record on behalf of the data subject, documents reflecting personal data – year of birth, state identification number (IDNP), data from the registration certificate, family status, home/residence address, behavior (characterizes the person), personal data relating to the imposed traffic offences were issued and released by the person in charge within the public authority, without a legal basis and the consent of the data subject, without an address/request from the data subject, the lawyer in his/her interests, including without a request by the court to release these documents, actions which are contrary to the legal conditions provided for in Art. 4 para. (1) (a), art. 5, art. 8 and art. 9 of Law no. 133 of 8 July 2011 on personal data protection.

4. Supervisory activity

In accordance with the provisions of Art. 25 para. (6) of the Law no. 133/2011 on personal data protection, the controller or processor is obliged to publish the contact details of the data protection officer and communicate them to the NCPDP. Thus, during the reference period, the NCPDP received 11 letters, through which it was informed about the fact of the designation of the data protection officer from the respective entities, mainly from private entities.

In order to provide methodological and advisory support to personal data controllers and/or processors, more than 204 telephone consultations and 21 responses via e-mail were provided and recommendations were proposed to resolve discrepancies identified by the data controller.

5. International and European news

On 10 October, the 70th Plenary Session of the European Data Protection Board (EDPB) took place in Brussels, Belgium.

During the Plenary, the EDPB adopted several documents, including:

· One of the main topics concerned the adoption by the EDPB of a list of aspects in national procedural law that it wishes to see harmonised at EU level to facilitate GDPR enforcement. This “wish list” is one of the key actions set out in the EDPB’s Vienna statement on enforcement cooperation.

· An Opinion on the approval by the Board of the Europrivacy certification criteria submitted by the Luxembourg data protection authority. This Opinion marks the approval of the very first European Data Protection Seal by the EDPB pursuant to Art. 42 (5) GDPR. The Europrivacy certification mechanism is a general scheme that targets a large range of different processing operations performed by both controllers and processors from various sectors. The scheme includes specific criteria that make it scalable and applicable to specific processing operations or sectors of activity.

· A statement on the digital euro. In its statement, the EDPB reiterates the importance of ensuring privacy and data protection by design and by default in this project, recommending that the digital euro is made available both online and offline, along a threshold below which no tracing is possible, to allow full anonymity of daily transactions.

On 19-20 October, the meeting of the Moldova-EU Subcommittee on Freedom, Security and Justice (LSJ Subcommittee) took place in Brussels, Belgium.

During the meeting, topics discussed included developments in the field of personal data protection, justice sector reform, preventing and combating organised crime, corruption and other illegal activities, money laundering and terrorist financing.

The meeting also presented the progress made in the above-mentioned areas since the last meeting held on 12-13 October 2021, online. The meeting included representatives of several authorities of the Republic of Moldova, such as: the National Anti-Corruption Centre; the General Prosecutor’s Office; the National Integrity Authority; the Ministry of Internal Affairs; the National Institute of Justice; the Office for Prevention and Combating of Money Laundering.

On 9 – 11 November, the OSCE Mission to Moldova, in cooperation with the OSCE Mission for Conflict Prevention in Vienna, continued the project entitled “Joint Expert Working Group” started last year. The event took place in Vienna, Austria and aimed at capacity building for female leaders. The objective of the project was to enable women co-chairs and women in key positions to participate more effectively in the work of the Joint Expert Working Group in the Transnistrian settlement process by improving technical skills and strengthening personal relationships between the representatives of the parties. The event addressed a number of topics, including: gender dynamics; gender analysis of conflicts; negotiation behaviour; enlarging the space for maneuver in negotiation processes; etc.

On 14 November, the 71st Plenary Session of the European Data Protection Board took place online. During the plenary session, the EDPB adopted the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C). BCR-Cs are a transfer tool that can be used by a group of undertakings or enterprises, engaged in a joint economic activity, to transfer personal data outside the European Economic Area to controllers or processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the GDPR. The aim of these recommendations is to:

· provide an updated standard application form for the approval of BCR-Cs;

· clarify the necessary content of BCR-Cs and provide further explanation;

· make a distinction between what must be included in a BCR-C and what must be presented to the BCR lead data protection authority in the BCR application;

A second set of recommendations for BCR-processors is currently being developed.

The 43rd Plenary Meeting of the Consultative Committee of Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data took place on 16-18 November, in Strasbourg, France. The event, held in person after three years of online/hybrid meetings, brought together around 80 participants from all regions of the world for three days to work and exchange views on various topical issues in the field of personal data protection and to contribute to the development of common policies.

Among the topics discussed during this session were:

· Digital identity;

· Model contractual clause for the transfer of personal data;

· Cooperation with other Council of Europe bodies and entities;

· The Committee organised elections and elected the new Bureau;

· Observers – The Committee examined and approved two requests to attend the Committee’s meetings respectively introduced by the Organisation of American States and the Burkina Faso Data Protection Authority;

· Upcoming 2022 and 2023 meetings – the Committee reported on the dates of the next plenary meetings, to be held on 14-16 June 2023 and 15-17 November 2023, as well as the next Bureau meetings on 15-16 December 2022, 22-24 March 2023, 27-29 September 2023 and 12-14 December 2023;

· Stefano Rodotà Award – The two winners of the 2022 Rodotà Award presented their work to the Committee and received their awards.

On 18-19 November 2022, the representatives of the NCPDP participated in the European Case Handling Workshop 2022, held in Tbilisi, Georgia.

The event focused on actual issues in the field of personal data protection and privacy, in particular such as:

· The steps taken by employees of the authorities in investigations;

· Social data protection, guidelines and exceptions in national legislation;

· International transfers of personal data;

· Personal data and artificial intelligence;

· Main challenges faced by data supervisory authorities, etc.

Attending the event, the representatives of the NCPDP addressed the topic – “The experience of the Republic of Moldova and the methodology of examining the complaints having children as data subjects”. The invitation to participate in the Workshop came from the Personal Data Protection Service of Georgia, which has been carrying out the control of the lawfulness of personal data processing since 2013. The event brought together around 50 participants from 26 European countries.

On 12-14 December, the Cyber East project meeting took place: Action on Cybercrime for Resilience in the Eastern Partnership Region and included two major events, namely, the 6th EU-CoE CyberEast Project Steering Committee Meeting and the Regional Cyber Reporting and Data Sharing Session which aims to support Eastern Partnership countries in building and maintaining partnerships with private sector entities, mainly Internet Service Providers (ISP), to strengthen cooperation and trust mechanisms between the private sector, citizens and criminal justice authorities, in Tbilisi, Georgia. The meeting addressed several topics, including:

· Cybercrime/Cybersecurity Reporting. Reporting challenges;

· Classification of cyber incidents/cybercrimes. Use of taxonomies and their necessity;

· Examples of reporting systems: ideas for improvement for national systems;

· National SOPs and segregation of duties;

· Public-private cooperation in Ukraine: focus on new procedural legislation and use of procedures/models;

· Which types of data and how they can be shared by CSIRTs.

The 73rd Plenary Session of the European Data Protection Board took place on 13-14 December, in Brussels, Belgium. During the meeting, the EDPB adopted a statement on the recent judgment C-817/19 of the Court of Justice of the European Union (CJEU) on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, under the PNR Directive 2016/681. In its statement, the EDPB calls on EU Member States to take all necessary steps at legislative and/or administrative level to ensure that their respective national transposition and implementation of the PNR Directive are in line with the Charter as interpreted by the CJEU. In this regard, the EDPB notes that Data Protection Authorities are fully competent to investigate compliance with EU data protection requirements at national level.

The 57th Meeting of the Bureau of the Consultative Committee of Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, took place on 15-16 December. Several topics were discussed during the meeting, including:

· Convention 108+, state of play;

· Digital identity;

· Data protection for the processing of personal data for Anti-Money Laundering /

Countering Financing of Terrorism purposes;

· Model contractual clauses for the transfer of personal data;

· Interpretation of Article 11 of the modernised Convention 108;

· Major developments and activities in the field of data protection;

· Cooperation with other Council of Europe bodies and entities.

6. Other data protection authorities

On 19 October, the French Data Protection Authority (CNIL) issued an administrative fine in the amount of 20 million euros to Clearview AI for the infringement of Articles 6, 12, 15, 17 and 31 of GDPR.

The CNIL has received numerous complaints from individuals about Clearview AI facial recognition software and has launched an investigation.

As a result of the investigation, the CNIL found several violations, such as:

· Unlawful processing of personal data (breach of article 6 of the GDPR)

· Individuals’ rights not respected (articles 12, 15 and 17 of the GDPR)

· Lack of cooperation with the CNIL (Article 31 of the RGPD)

On the basis of the information brought to its attention, CNIL decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR.

Regarding the very serious risks to the fundamental rights of the data subjects resulting from the processing carried out by the company, CNIL decided to order Clearview AI to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months, adding to this injunction a penalty of 100,000 euros per day of delay beyond these two months.

On 24 November, the French Data Protection Authority (CNIL) issued an administrative fine in the amount of 600,000 euros to Electricité de France (EDF) for r the infringement of articles 7, 13, 14, 32 of GDPR and of the Postal and Electronic Communications Code.

The CNIL, has received many complaints regarding difficulties encountered by individuals in having their rights considered by the company EDF, which is the first electric utility in France.

Following the investigations, CNIL found several violations, such as:

· Failure to collect consent of individuals to receive commercial prospecting by e-mail (Articles L. 34-5 of the French Postal and Electronic Communications Code and 7 of the GDPR)

· Failures to inform (Articles 13 and 14 of the GDPR) and to respect the exercise of rights (Articles 13 and 14 of the GDPR)

· Failure to ensure security of personal data (Article 32 of the GDPR).

The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches.

On 2 November, the Portuguese Data Protection Authority (CNPD) issued a fine in the amount of 4.3 million euros to Portuguese National Statistics Institute (INI) for the infringement of article 9(1); article 12; article 13; article 28(1), (6) and (7); article 35(1), (2) and (3)(b); article 44; article 46; article 83 of GDPR.

The CNPD received several complaints about the national census survey that was still undergoing at that moment. For the performance of the census, INE used the CDN (a content delivery network) services of a US company, Cloudflare, Inc., with over 200 data centres spread over 100 countries. In light of the complaints received, the CNPD opened an inquiry. At that point, circa 2.5 million forms, containing the personal data of over six million citizens residing in Portugal, had already been submitted to the INE.

As a result of the subsequent investigation, the CNPD identified five infringements of the GDPR in the context of the Census 2021 data processing, regarding the following issues:

· Lack of lawfulness for the processing of special categories of personal data (article 9(1) GDPR).

· Lack of compliance with transparency obligations (articles 12 and 13 GDPR), in particular regarding the provision of any information concerning the processing operations, e.g. through the display of a privacy notice on the INE institutional website.

· Lack of a Data Protection Impact Assessment (article 35(1),(2) and (3)(b) GDPR).

· Lack of due diligence concerning the choice of the processor (article 28(1),(6) and (7)), namely by accepting a standard contract, that was not assessed in substance in what regards the requirements of article 28(3) GDPR.

· Lack of compliance with the legal requirements for international data transfers (articles 44 and 46(2)), as interpreted by the CJEU in the Schrems II judgement.

In this context, as a result of the facts and the legal reasoning, the CNPD determined that the controller infringed different GDPR provisions in the context of the 2021 Census data processing and therefore decided, pursuant to article 58(2)(i) and article 83 GDPR and some national provisions, to apply one single fine of 4.3 million euros to the controller. This decision is final, but can be challenged in the national courts.

Newsletter No. 12

708 Views

Information and training activities carried out by the NCPDP

On 10 July 2022, the National Centre for Personal Data Protection (NCPDP) celebrated 14 years of activity. On this occasion, the NCPDP organized several activities related to data protection field. Amongst the activities was the street information activity organised on 11 July under the title: “14 years since the founding of the NCPDP”. The aim of the action was to disseminate useful information on the field of personal data protection to passers-by, to inform and encourage Moldovan citizens to pay more attention to this field.

At the same time, during the reporting period, the NCPDP continued the training process for the representatives of local public authorities (LPAs) and central public authorities (CPAs) in the field of personal data protection. The aim of the training courses was to familiarise, raise awareness and inform the representatives of the authorities with the latest data protection issues. The main topics covered referred to: general notions of personal data, legal grounds for personal data processing, processing of special categories of personal data, filming and online transmission of local council meetings, depersonalisation of data in the State Register of Local Acts, designation of the personal data officer, specifics of the function and tasks of the data protection officer. Thus, training courses were organised for the following authorities:

–         On 15 July – Nisporeni District Council;

–         On 20 July – Directorate-General for Education, Youth and Sport (DGEYS)

–         On 4 August – Strășeni District Council;

–         On 19 August – Hîncești District Council;

–         On 2 September – Anenii Noi District Council;

–         On 22 September – Leova District Council.

In this regard, in the third quarter of this year, the trainers of the NCPDP trained about 197 representatives from the above-mentioned LPAs and 64 representatives from DGEYS.

Also, during the same period, the NCPDP has developed a list of Recommendations for video surveillance installation service providers to provide advice to end-users when installing video surveillance systems. The recommendations are available on the official website of the institution and can be consulted at the Data Controller section, sub-component CNPDCP Recommendations.
Control activity
In the period July-September of this year, the NCPDP initiated compliance checks on the processing of personal data in 53 cases and 54 decisions were issued, of which 33 cases were found to be in breach of the law. At the same time, during the same period, the NCPDP concluded 30 minutes of infringement proceedings, which were subsequently submitted to the court for resolution.
Findings of the National Centre for Personal Data Protection

I. The NCPDP examined the complaint of a personal data subject who alleged that personal data stored in the Real Estate Register were processed in a non-compliant manner by a local public administration.

   As a result of the complaint’s resolution, the NCPDP found that the local public administration did not take appropriate action regarding the organisational and technical measures necessary for the protection of personal data, contrary to the provisions of Article 4 para. (1) letter a), Art. 29 para. (1), Art. 30 para. (1) of Law no. 133/2011, not ensuring the confidentiality and security of personal data in relation to the risks presented by the processing and the nature/nature of the data processed within the Database of the of the real estate register, without monitoring and implementing compliance with the provisions of the agreement for the provision of information access services.

Consequently, it should be revealed that the local public authority mentioned above was ordered by Decision:

·      – Review the access rights of the users to the Real Estate Cadastre Database, after the change of status of the user/s (resignation, dismissal, detachment, etc.) by updating the list of users with access rights to the information, according to the agreement for providing information access services;

·      – Informing the P.I. “Public Services Agency” about the change of users, in order to revoke the identification/authentication codes of the authorized user within the public authority, as well as to block access to the information in the Real Estate Cadastre Database;

·      Establishment of a mechanism for authorised users to keep manual and/or electronic records of access/consultation of personal data through the Real Estate Cadastre Database, by recording the exact date and time of processing of personal data, justification of the purpose, basis and necessity of the operation performed, specification of the record system from which they were processed, categories of data processed;

·      – Informing/instructing the staff of the subordinate subdivision that unauthorised access/use of information from the Real Estate Cadastre Database and other information systems is not allowed.

II. The NCPDP has examined the complaint of two personal data subjects concerning the alleged non-compliant processing of personal data by a local public administration stored in the Real Estate Register.

During the investigation it was found that the operations of accessing the real estate, which belonged by right of ownership to the data subjects, was carried out from the user account created in the name of a former employee of the local public administration, who had not worked in the entity for 3 years, and the account was used by an undetermined number of employees of the local public administration concerned.

          In this context, the decision of the NCPDP found that the operation of accessing the personal data of the data subjects was carried out in violation of Article 4 para. (1) (a), (b) and Art. 5, Art. 29 para. (1), Art. 30 para. (1) of Law 133/2011 on the protection of personal data, by the local public administration, in the absence of a determined, explicit and legitimate purpose, exclusively in the conditions that the access took place on a day officially declared not working.

III. The other case, following the checks carried out, the NCPDP found a violation of a data subject’s right of access to personal data by a public authority.

In fact, the circumstances that served as a reason for initiating the verification of the conformity of personal data processing operations was the complaint filed by a data subject who expressed his disagreement with the response provided by a subdivision of the Ministry of Internal Affairs (MAI), by not providing comprehensive information on the personal data concerning him, processed within the Automated Information System “Register of Forensic and Criminological Information”, an action that the complainant considered to be contrary to the provisions of Article 13 para. (1) of Law 133/2011 on the protection of personal data.

   As a result of the examination of the complaint, the NCPDP found a violation of Article 13 para. (1) of Law 133/2011 on the protection of personal data, ordering, by decision, that the Ministry of Internal Affairs shall take the actions required to ensure the realization of the right of access to personal data for data subjects, including the data processed in the Automated Information System “Register of forensic and criminological information”, without admitting confusion regarding the free nature in the realization of the right of access of any data subject, recognized and guaranteed by Art. 13 para. (1) of Law No 133/2011 on the protection of personal data.
Supervisory activity

In accordance with the provisions of Law No. 175/2021 on the amendment of certain normative acts, which entered into force on 10 January 2022, the obligation to designate the personal data officer has been established. Thus, during the reference period, the NCPDP received 49 letters, through which it is informed about the designation of the personal data officer from the entities concerned, mainly from private entities.

In order to provide methodological and advisory support to personal data controllers and/or processors, more than 195 telephone consultations and 26 responses via e-mail were provided and recommendations were proposed to address discrepancies identified by the data controller.
International and European news

–      During the reporting period, a Cooperation Agreement in the field of personal data protection was signed between the National Centre for Personal Data Protection (NCPDP) and the Data Protection Office of the Republic of Poland.

–      On 12 July, the 67th plenary meeting of the European Data Protection Board (EDPB) took place online.

• During the plenary session, EDPB and the European Data Protection Supervisor (EDPS) have adopted their Joint Opinion on the European Commission’s Proposal for the European Health Data Space (EHDS). The Proposal aims to facilitate the creation of a European Health Union and to enable the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data. The EDPB and EDPS acknowledge that the infrastructure for the exchange of electronic health data foreseen in this EHDS Proposal aims at facilitating the exchange of health data. However, due to the large quantity of electronic health data that would be processed, their highly sensitive nature, the risk of unlawful access and the necessity to fully ensure effective supervision by independent data protection authorities, the EDPB and the EDPS call on the European Parliament and, on the Council, to add to the Proposal a requirement to store the electronic health data in the EEA, without prejudice to further transfers in compliance with Chapter V of the GDPR.

–      On 28 July, the 68th plenary meeting of the European Data Protection Board took place online. During the meeting a number of documents were discussed and adopted, which will be a recommendation for data protection authorities, namely:

• EDPB and EDPS adopted a Joint Opinion on the Proposal for a Regulation to prevent and combat child sexual abuse. The Proposal aims to impose obligations related to detecting, reporting, removing and blocking known and new online child sexual abuse material, as well as the solicitation of children, on providers of hosting services, interpersonal communication services, software application stores, internet access services and other relevant services. The EDPB and EDPS consider child sexual abuse as a particularly serious and heinous crime. Limitations to the rights to private life and data protection must, however, respect the essence of these fundamental rights and remain limited to what is strictly necessary and proportionate

• Two letters in response to Access Now and BEUC concerning TikTok. In these letters, the EDPB highlights the swift action taken by the Irish, Italian and Spanish Supervisory Authorities (SAs) following TikTok’s announcement that it would no longer seek users’ consent to send personalised advertisements, but that the legal basis for this would be the legitimate interest of TikTok and its partners.

• A dispute resolution decision on the basis of Art. 65 GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA as lead supervisory authority regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and the subsequent objections expressed by some of the concerned supervisory authorities.

– On 12-13 September, the 69th Plenary Session of the European Data Protection Board took place in Brussels, Belgium. During the Plenary, the EDPS adopted several documents, including:

• A Statement on the European Commission’s proposal for an EU Police Cooperation Code. This proposal aims to enhance law enforcement cooperation across Member States, in particular the information exchange between the competent authorities. The code is comprised of three main measures: proposal for a Prüm II Regulation, proposal for a Police Information Exchange Directive and the proposal for a Council Recommendation on operational police cooperation.

• EDPB decided upon the topic for its second coordinated enforcement action, which will concern the designation and position of the data protection officer. In a coordinated action, the EDPB prioritises a certain topic for data protection authorities to work on at the national level. The results of these national actions are then bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both the national and the EU level.
Other data protection authorities

–   On 7 July, the French Data Protection Authority (DPA) issued a fine of 175 000 euros to UBEEQO International for illegally processing of personal data. This case is part of the priority control theme in 2020 relating to the new uses of geolocation data in the context of mobility. In this context, the French DPA controlled the company UBEEQO International, whose activity is the rental of vehicles for a short period. The investigations focused in particular on the data collected, the defined retention periods, the information provided to individuals and the security measures implemented. Following the investigations, French DPA found several violations, such as:

· Failure to comply with the obligation to ensure data minimisation (Article 5.1.c of the GDPR).

· Failure to define and respect a proportionate data retention period (Article 5.1.e of the GDPR).

· Failure to inform individuals (Article 12 of the GDPR).

–   On 19 July, the Hellenic Data Protection Authority (DPA) issued a fine of 20 000 euros to the Debt Management Company for unlawful processing of personal data and failure to consider the rights of objection and erasure. Following the investigation, the Hellenic DPA found that in this particular case, the respondent company unjustifiably prevented the exercise of the complainant’s rights in violation of the provisions stipulated in Article 12(2) of the GDPR and that the processing in question took place without a lawful basis, given that there was already a judicial relief from the complainant’s debts in violation of the provisions of Articles 5(1)(a), 5(2) and (6) of GDPR.

–   On 8 September, the French Data Protection Authority (CNIL) issued a fine of 250 000 euros to INFOGREFFE for the infringement of Article 5.1.e and Article 32 of the GDPR. Following a complaint, CNIL, carried out an online investigation of the infogreffe.fr website, which allows users to consult legal information on companies and order documents certified by the commercial court registries. The investigations focused in particular on the data retention periods defined and the security measures implemented by the economic interest group INFOGREFFE, which provides the legal information publishing service on companies via the website. Following the investigation was found:

· Failure to comply with the obligation to keep data for a period of time proportionate to the purpose of the processing (Article 5.1.e of the GDPR);

· Failure to comply with the obligation to ensure the security of personal data (Article 32 of the GDPR).

Newsletter No. 11

726 Views

1. Information and training activities carried out by the NCPDP

During the second quarter of 2022, the National Center for Personal Data Protection (NCPDP), has made progress in the part related to training activities for representatives of local public authorities (LPAs) and central public authorities (CPAs). Thus, the training courses aimed at strengthening the capacities of representatives by familiarizing, raising awareness and informing them with the field of personal data protection. The most important topics covered were, as appropriate: general notions of personal data; processing of categories of personal data; legal grounds for personal data processing; filming and online transmission of local council meetings; depersonalisation of data in the State Register of Local Acts; the personal data protection officer; data protection impact assessment and prior consultation; designation of the function and tasks of the data protection officer. Training courses were conducted for the following institutions/authorities:

– 8 April – Balti Municipal Council;

– 19 April – Rezina District Council;

– 06 May – Floresti District Council;

– 20 May – Sîngerei District Council;

– June 3 – Ungheni District Council;

– 17 June – Calarasi District Council.

In this regard, the NCPDP has trained about 215 LPA representatives from the above-mentioned regions.

Regarding training for representatives of LPAs, the NCPDP organised trainings for about 1310 representatives of: Customs Service; State Tax Service; National Agency for Food Safety and Secretariat of the Parliament of the Republic of Moldova.

On 15 April this year, the NCPDP launched an information and awareness campaign for school communities entitled: “Personal data protection and children’s safety online”. The first training course was organized at Lyceum “Onisifor Ghibu” in Chisinau, the target audience being 4th grade pupils. The aim of the campaign is to provide the school community with high visibility on personal data protection and child safety online at local and national level by promoting empowerment and best practices for intervention and support. Subsequently, two more training sessions were held within the school community on 6 May.

The topics covered in the trainings were: general notions on personal data; correct use of photos/videos online; risks and threats online; communication on social networks.

Also, during the same period, the NCPDP signed two Collaboration Agreements with the “Academy of Public Administration” and the “National Association of ICT Companies”.

2. Control activity

In the period April-June 2022, the NCPDP stared the verification of compliance of personal data processing operations on 76 cases and 50 decisions were issued, of which 32 cases were found to be in breach of legal provisions. At the same time, 34 infringement reports were concluded and subsequently submitted to the court for resolution. Similarly, during the same period, 37 contraventions were found.

3. Findings of the National Centre for Personal Data Protection

I. Processing of personal data without legal basis, manifested by accessing data through the Real Estate Register and violation of the personal data subject’s right of access to personal data.

The NCPDP, in the context of the examination of a petition filed by a data subject, issued a decision finding a violation of Article 4 para. (1) (a) and (b), Art. 5 para. (1) and Art. 13 para. (1) of the Law no. 133/2011 on personal data protection by a real estate company, in the processing of personal data of the petitioner, manifested both by accessing the personal data of the data subject, stored in the Teal Estate Register, and ignoring the request of the data subject, whereby the latter requested information on the reasons, the purpose for processing personal data concerning him, realizing his right of access to personal data.

Thus, following the examination of the case, it was determined that the personal data controller processed the personal data of the data subject, stored in the Real Estate Register, without a legal basis and without the consent of the personal data subject, and it was found that the real estate company violated the provisions of Article 4 para. (1) (a) and (b) and Art. 5 para. (1) of Law no. 133 of 08.07.2011 on the protection of personal data.

Moreover, the real estate company ignored the data subject’s request, failing to grant him the right of access to personal data concerning the data subject provided for by Article 13 para. (1) of the personal data protection Law.

II. Breach of the rules on processing and storage of personal data.

The NCPDP was notified by a personal data subject that a data controller, without the consent of the data subject, makes payments on behalf of the data subject to the bank account of the legal entity, thus processing personal data – name, surname, state identification number.

Throughout the investigation it was found that an employee of a bank, during the year 2021, used a template of a cash collection order in favor of a legal entity, but with a member of the cooperative as the payer. In the mentioned orders the employee only changed the amount and the corresponding date, but omitted to change the data/information of the payer, although at the conclusion of the transaction the latter verified the identity of the administrator of the cooperative without him providing a copy of the identity card of the data subject.

We note that, according to Art. 4 para. (1) of Law no. 133 of 08.07.2011 on the personal data protection, personal data subject to processing must be: a) processed fairly and lawfully; b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. […]. According to Art. 5 of the same normative act, the processing of personal data is carried out with the consent of the subject of the personal data, except in the cases exhaustively stated in para. (5) of the same article. According to Article 9 of the aforementioned normative act, the processing of the State identification number (IDNP) of the natural person, […] or other personal data having an identification function of general applicability may be carried out under the following conditions: a) the subject of the personal data has given his consent; b) the processing is expressly provided for by law.

In this context, the decision found that the bank employee, during 2021, violated the provisions of Art. (1) (a) and (b), Art. 5 para. (1) and art. 9 of Law no. 133 of 08.07.2011 on the personal data protection.

Moreover, the NCPDP has ordered by the decision of the banking institution to initiate training of employees/staff involved in the processing of personal data, in order to train them to perform their functional duties in accordance with the legislation in the field of personal data protection, as well as internal documents/regulations approved in this regard.

4. Supervisory activity

In accordance with the provisions of Law No. 175/2021 on the amendment of certain normative acts, which entered into force on 10 January 2022, the obligation to designate the personal data officer has been established. Thus, during the reference period, the NCPDP received 24 letters, through which it is informed about the designation of the personal data officer from the entities concerned, mainly from private entities.

At the same time, the following recommendations/opinions have been developed and posted on the official website of the NCPDP: Considerations in relation to the increasing use of video surveillance systems with audio recording functions; Practical and legal aspects in relation to the installation and management of video surveillance means.

In order to provide methodological and advisory support to personal data controllers and/or processors, more than 315 telephone consultations and 20 responses via e-mail were provided and recommendations were proposed to address discrepancies identified by the data controller.

At the same time, the NCPDP has informed 34 public authorities and institutions about the need to designate the personal data officer.

5. International and European news

– The 63rd plenary meeting of the European Data Protection Board (EDPB) was held online on 6 April. During the session, several topics were discussed, including a Statement on the announcement of a new Trans-Atlantic Data Privacy Framework. The EDPB welcomes the commitments made by the U.S. to take ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area when their data are transferred to the U.S.

– The 64th plenary meeting of the European Data Protection Board was held online on 4 May, at which was discussed the adoption of the EDPB-EDPS Joint Opinion 2/2022 on the Proposal of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act).

– The 65th plenary meeting of the European Data Protection Board took place online on 12 May. The plenary session focused on two topics, namely:

· They were adopted new Guidelines on the calculation of administrative fines, harmonising the methodology data protection authorities (DPAs) use. The guidelines also include harmonised ‘starting points’ for the calculation of a fine. Hereby, three elements are considered: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of a business.

· The EDPB also adopted Guidelines on the use of facial recognition technology in the area of law enforcement. The guidelines provide guidance to EU and national law makers, as well as to law enforcement authorities, on implementing and using facial recognition technology systems.

– On May 18-20, the 30th edition of the Spring Conference of European Data Protection Supervisors took place in Cavtat, Croatia. The event was hosted by the Croatian Agency for the Protection of Personal Data, thus encouraging the participation of about 40 countries. The agenda of the event included topical issues in the field of personal data protection, such as Convention 108+, mutual assistance and global convergence, data protection in ECHR case law: latest developments. Member authorities adopted a Resolution on the need for a prompt ratification of the “Convention 108+”, the modernised version of Convention 108. The Resolution calls upon the governments of the member states of the Council of Europe, the governments of third countries to the Council of Europe, the European Union and International Organisations to speed up the signature and ratification of Convention 108+.

– The 66th plenary meeting of the European Data Protection Board took place on 14-15 June in Brussels, Belgium. During the Plenary, the EDPB adopted several documents, among which: Guidelines on certification as a tool for transfers. The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool and will be subject to public consultation until the end of September.

6. Other data protection authorities

· On 4 April, the Danish Supervisory Authority has reported Danske Bank to the Danish police and proposed a fine of 1.3 million EUR for the infringement of Article 5 (2) of the GDPR. During the Danish SA’s investigation, it has become clear that the bank in more than 400 systems has not been able to document whether rules have been laid down for deletion and storage of personal data, or whether manual deletion of personal data has been carried out. These systems process personal data of millions of people.

· On April 15, the administrative fine in the amount of 1,5 million euros applied by the French Lead Supervisory Authority (CNIL) to Dedalus Biologie for the infringement of articles 28, 29 and 32 of GDPR. Based on the elements collected during the investigations, CNIL identified three breaches. First, in the context of the migration of a software package to another tool, requested by two laboratories using the services of Dedalus Biologie, the latter extracted a larger volume of data than required. The company therefore processed data beyond the instructions given by the data controller and had failed to comply with Article 29 GDPR. Second, the company had not ensured security of personal data within the meaning of Article 32 GDPR. Furthermore, were also established that the general conditions of sale proposed by the company Dedalus Biologie and the contracts of maintenance transmitted to the CNIL did not contain the mentions provided for in Article 28 (3) GDPR.

· On 3 May, the Icelandic Supervisory Authority imposed a fine of € 35,000 on the municipality of Reykjavík for using the Seesaw education system, which is an American cloud-based service. Following the investigation, it was found that: the processing agreement between Reykjavík and Seesaw was insufficient, that the municipality could not demonstrate a specified, explicit and legitimate purpose for the processing in question, which was therefore considered unlawful, that the processing was neither fair nor transparent, that the principles of data minimisation and storage limitations were not implemented nor data protection by design and by default, taking into consideration the amount of data collected, the extent of their processing, the period of their storage and their accessibility, that the data protection impact assessment did not meet the minimum requirements, that the municipality did not demonstrate that it had ensured appropriate security of the personal data in question and that the data was being transferred to the United States without appropriate safeguards. The Icelandic SA furthermore concluded that all processing in the Seesaw educational system should be seized and students’ data deleted.