Every year, on January 28, the European community celebrates “European Data Protection Day”, a landmark event, supported by the European Commission, which promotes the right to privacy and the protection of personal data. This day represents a moment of reflection on the importance of protecting information containing personal data in the digital age and provides an opportunity to strengthen awareness at the societal level regarding the fundamental rights of citizens.

       European Data Protection Day is important not only for the member states of the Council of Europe, but also for the entire global community involved in the field of data protection. In a time when personal information is processed and stored on a large scale, compliance with the principles of confidentiality and security becomes essential for protecting privacy and preventing data misuse.

       On this occasion, the National Center for Personal Data Protection (NCPDP) annually organizes a series of activities aimed at raising citizens’ awareness, promoting good practices in data protection and providing practical guidance to prevent situations of non-compliant processing of personal data.

       These activities also include street actions, through which NCPDP brings information directly to the community and interacts with the general public.

       In this context, on January 26, NCPDP employees carried out a street action in front of the Arc de Triomphe in Chisinau, distributing information materials to passersby and explaining the importance of personal data protection. Citizens were informed about the notion of personal data, the rights of data subjects, the security and confidentiality measures that must be respected, as well as the fundamental principles of data protection. In addition, citizens received practical recommendations on actions to be taken in the event of non-compliant processing of their personal data

       Such initiatives play a key role in educating the public, motivating citizens to be more attentive to how their data is collected and used. NCPDP aims to continue organizing information and awareness-raising actions this year, contributing to building a solid culture of personal data protection in the Republic of Moldova and creating a safe and informed environment, in which data protection is a priority for the entire community.

       Annually, on January 28, the european community celebrates European Data Protection Day, an important milestone for promoting the fundamental right to privacy and the protection of personal data. The year 2026 marks the 20th edition of this day and 45 years since the adoption of Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed in Strasbourg on January 28, 1981.

       The purpose of Convention No. 108 is to guarantee, in the territory of each State Party, to every natural person, regardless of nationality or residence, respect for fundamental rights and freedoms, in particular the right to privacy with regard to the processing of personal data.Through its modernization, Convention 108+ remains an essential legal instrument, adapted to the challenges generated by technological developments and digital transformation.

       European Data Protection Day is a very special day not only for the member states of the Council of Europe, but also for the entire global data protection community and, above all, for every individual whose rights are protected by this fundamental regulatory framework.

       In this context, the member states of the Council of Europe, as well as other partner states and institutions, annually organize public activities and events dedicated to raising society’s awareness of the importance of the field of personal data protection. The National Center for Personal Data Protection (NCPDP) marks this day alongside european institutions by promoting accountability and best practices in prevention, intervention and support.

       In recent years, the Republic of Moldova has made significant progress towards achieving the national objective of ensuring an adequate level of data protection, in accordance with European Union and Council of Europe standards. These efforts directly aim to guarantee the fundamental rights and freedoms of individuals, in particular the right to privacy in the context of the processing of personal data.

       A key moment in this journey is the publication, on August 23, 2024, in the Official Gazette of the Republic of Moldova, of Law No. 195/2024 on the protection of personal data, a normative act that transposes the provisions of Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). Law No. 195/2024 is set to enter into force in August 2026, marking the transition to a modern, coherent and harmonized legal framework with european requirements.

       In the context of celebrating European Data Protection Day, NCPDP reaffirms its commitment to supporting both the public and private sectors in the preparation process for the application of the new legal provisions. Information, training and institutional dialogue activities remain priorities to ensure efficient and responsible implementation of the new regulatory framework.

       At the same time, strengthening inter-institutional collaboration at the national level constitutes a strategic direction of action, in order to amplify efforts to raise awareness among society regarding the importance of personal data protection and the correct and uniform application of legislation in the field by all actors involved in data processing.

       The role of the NCPDP, as a national supervisory authority, is becoming increasingly important in the context of accelerated digital transformation. The annual marking of European Data Protection Day represents a relevant opportunity to bring to the public’s attention the importance of respecting data protection principles, the right to privacy and the right to the protection of personal data, as fundamental elements of a democratic and resilient society.

       The National Center for Personal Data Protection (NCPDP) continues to promote and strengthen inter-institutional collaboration in order to ensure a high level of protection of the rights of individuals with regard to the processing of personal data. Recognizing the importance of correct information and rigorous application of the legislation in the field, NCPDP, represented by Director Victoria MUNTEAN, signed, on January 28, 2026, two training Plans in the field of personal data protection: with the General Inspectorate of Police (GIP), represented by Chief Viorel CERNĂUȚEANU, and with the General Inspectorate of Border Police (GIBP), represented by Chief Ruslan GALUȘCA.

       The training plans are intended for the staff of the structural subdivisions of the GIP and GIBP and aim to develop an in-depth understanding of the fundamental principles of personal data protection. The main objective of this initiative is to increase employees’ awareness of their legal responsibilities and to ensure the correct and uniform application of legal provisions in daily activity.

       The planned training will be conducted offline, directly within the targeted subdivisions, thus facilitating an interactive learning process adapted to the specifics of each institution. The plans were developed and approved by mutual agreement, reflecting the parties’ commitment to professionalism, responsibility and compliance with the principles of personal data protection.

       Strengthening inter-institutional cooperation remains a strategic priority of the NCPDP for 2026. This aims both to intensify information and awareness-raising actions in society regarding the importance of the field of personal data protection, and to ensure a high level of interpretation and correct application of the legislation by all institutions involved in data processing. Through these actions, NCPDP aims to create a solid and coherent data protection framework, which supports both authorities and citizens in the responsible management of information containing personal data.

       The signed training plans are part of the activities planned in the context of the 20th edition of the European Data Protection Day, thus marking the continued commitment of the institutions involved to promoting the values ​​of transparency, accountability and personal data protection at the national level.

       On January 28, 2026, the National Center for Personal Data Protection (NCPDP) organized the National Conference “Implementation of the legal framework on data protection: challenges, benefits, resilience”, a landmark event dedicated to strengthening the personal data protection framework in the Republic of Moldova, in the context of its european integration path.

       The conference is organized also in the context of the Republic of Moldova’s exercise of the Presidency of the Committee of Ministers of the Council of Europe, marking the state’s responsibility and commitment to actively contribute to the consolidation of the European legal space based on respect for human rights, the rule of law and high standards of protection of privacy and personal data.

       The event took place at a crucial moment for the Republic of Moldova, as a candidate state for integration into the European Union, marked by the adoption of Law No. 195/2024 on the protection of personal data, which will enter into force on August 23, 2026 and which transposes the General Data Protection Regulation (GDPR). The new law establishes a modern data protection regime, applicable to both the public and private sectors, contributing to strengthening the fundamental rights of individuals and increasing trust in digital processes.

       At the opening of the conference, the Director of the NCPDP, Victoria MUNTEAN, emphasized that „the protection of personal data is not only a legal obligation, but a key element of the protection of human rights, digital resilience, cybersecurity and citizens’ trust in state institutions. In a context marked by accelerated digitalization and increasing cyber risks, the correct and coherent application of data protection rules becomes an essential condition for the sustainable and secure development of society.”

       The conference brought together representatives of public authorities, the business environment, national and international experts in the field of data protection and cybersecurity, as well as european partners, reflecting the interdisciplinary nature of the topic addressed.

       The event had as its main purpose to support public authorities and the private sector in the preparation process for the implementation of Law No. 195/2024, through:

• strengthening compliance with new legal obligations;
• clarifying the roles and responsibilities of data controllers, processors and data protection officers;
• promoting european best practices in supervision, control and sanctioning;
• highlighting the link between data protection, cybersecurity and risk management.

       The conference agenda included plenary sessions and four thematic panels, focused on:

• operationalization of compliance and record-keeping of processing activities;
• application of the principles of „Privacy by Design” and „Security by Design”;
• exercise of data subjects’ rights, risk prevention and data protection impact assessment;
• control procedures, liability mechanisms and sanctions in EU candidate countries.

       The debates benefited from the contributions of experts from European Union member states, including Estonia, Latvia, Lithuania and Romania, as well as interventions from representatives of the private sector and the IT sector, providing participants with practical perspectives and applicable solutions in the process of implementing the new legislation.

       An interactive online tool allowed for the active involvement of participants, facilitating the asking of questions and the exchange of opinions in real time, thus contributing to an open and constructive dialogue.

       The conference highlighted that the effective implementation of the legal framework on data protection is an essential condition for strengthening cross-border cooperation, for the secure exchange of data with european entities and for the integration of the Republic of Moldova into the EU’s digital single market.

       NCPDP reaffirms its commitment to continue the dialogue with public authorities, the private sector and international partners, in order to ensure a coherent, proportionate and efficient application of the new legislation in the field of data protection.

       The event was organized by the National Center for Personal Data Protection, with the support of the project „Improving cyber resilience in Eastern Partnership countries”, implemented by the e-Governance Academy (eGA) and funded by the European Union, as well as with the support of the European Union Partnership Mission to the Republic of Moldova (EUPM Moldova).

       NCPDP thanks all partners and participants for their valuable contribution to the success of the conference and for the common commitment to building a modern, secure and european framework for the protection of personal data in the Republic of Moldova.

       Between January 19 and 21, representatives of the National Center for Personal Data Protection (NCPDP) conducted a study visit entitled “Mechanisms for exercising control and establishing pecuniary sanctions”, held in the Republic of Estonia.

       The purpose of the event was to adopt european best practices regarding control mechanisms, the application of corrective measures and the establishment of pecuniary sanctions in the field of personal data protection, as well as to strengthen the professional capacities of NCPDP employees in the context of the development of european digital law and digital transformation.

       The visit agenda included working sessions and meetings with relevant institutions in Estonia, opening with a presentation by the e-Governance Academy (eGA), focused on the impact of e-governance projects at the international level, the activities carried out in the Republic of Moldova and the objectives of the study visit program.

       At the same time, the NCPDP delegation had a meeting with representatives of the State Information Systems Authority (RIA), the institution responsible for managing critical IT services at the national level.

       The discussions focused on the management of cyber incidents involving personal data, as well as inter-institutional cooperation in the field of cybersecurity and personal data protection.

       An important point of the visit was the meeting with representatives of the Estonian Data Protection Inspectorate, during which aspects related to institutional control mechanisms and supervisory procedures were analyzed, including planning and prioritizing inspections based on risk criteria, types of controls performed (on-site inspections, documentary checks, thematic investigations), initiating investigations based on complaints, self-referrals, as well as internal cooperation between investigative, legal and IT structures.

       At the same time, the discussions focused on the procedures for finding violations and applying pecuniary sanctions, including the stages of the sanctioning process, the criteria for assessing the seriousness of the facts, the application of the principle of proportionality, the mechanisms for calculating fines, the means of appeal, the collection and enforcement of sanctions, inter-institutional and cross-border cooperation, the use of digital tools in supervision, preventive and educational measures, as well as good practices and lessons learned from relevant cases handled by the Estonian authority.

       The agenda also included a meeting with representatives of the Chancellor of Justice Office of Estonia, addressing topics related to the role and powers of this institution, its involvement in procedures aimed at the protection of personal data and the use of digital technologies in the exercise of the institutional mandate.

       The study visit provided a valuable framework for the exchange of experience, the analysis of advanced practices and the consolidation of institutional cooperation, contributing to strengthening the capacities of the NCPDP for the effective enforcement of personal data protection legislation.

       The study visit was organized with the support of the EU’s Cybersecurity Rapid Assistance 2.0 project, implemented by the Estonian E-Government Academy.

       The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine of 1.8 million euros imposed by the Finnish Data Protection Authority (SA) on the company S-Bank for violating Article 5 (Principles related to the processing of personal data), Article 25 (Data protection by design and by default) and Article 32 (Security of processing) of the GDPR.

       Following the notification sent by S-Bank in August 2022, the Finnish SA initiated an investigation into a security breach that affected a significant number of the bank’s customers. The vulnerability appeared in April 2022, with the launch of a new authentication mechanism. Due to a software error in the authentication service, logging into online banking and accessing digital services using strong authentication was possible using the login details of other customers. This technical failure remained exploitable for more than three months, and some customers were directly affected.

       Following the investigation, it was found that the bank lacked adequate security measures and appropriate technical and organizational controls. Deficiencies include: insufficient testing of new functionalities before implementation; failure to identify vulnerabilities during development and testing, and inadequate response to customer reports of authentication anomalies.

       In this context, the Finnish SA imposed an administrative fine of EUR 1.8 million on the controller for violating the provisions of Articles 5(1)(f), 25(1), 32(1) and 32(2) of the GDPR and issued a reprimand for non-compliance with data protection legislation.

       When determining the amount of the fine, the Finnish SA took into account the need to protect the rights of the individuals concerned, the overall seriousness of the incident, as well as the fact that the bank had previously been warned about its obligations. The fine was also adjusted in the context of a separate sanction issued in May 2025 by the Finnish Financial Supervisory Authority, which imposed a fine of 7,670,000 euros on S-Bank for deficiencies in operational risk management in relation to the same set of events.

       NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

       The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine of 865,000 euros imposed by the Finnish Data Protection Authority (SA) on Aktia Bank for violating Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default) and Article 32 (Security of processing) of the GDPR.

       Aktia Bank’s strong electronic authentication service suffered an outage due to a technical change in January 2023. During the short-term outage, some people who logged into various services using Aktia Bank’s online banking credentials had access to the personal data of other customers because the service confused the identities of the people. The security breach affected various public services, unemployment funds, insurance companies, and healthcare providers. Many of these services contain highly confidential information, such as health and financial data, thus affecting approximately 350 people. To date, no misuse of this data has been reported.

       The investigation highlighted deficiencies in: the design and implementation of the technical change, insufficient testing of the new system, and the lack of adequate change management. More extensive testing and the use of standard methods could have prevented the incident.

       In this context, the Finnish SA imposed an administrative fine of EUR 865,000 on the controller for failure to comply with the requirements of data protection legislation regarding the safe processing of personal data and data protection from the moment of design and by default. A reprimand was also issued.

       NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

       The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine of 100,000 euros applied by the Italian Data Protection Authority (SA) to the company Banco Bilbao Vizcaya Argentaria SA for violating Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject) and Article 15 (Right of access by the data subject) of the GDPR.

       A bank customer, a victim of fraud, requested access to the records of calls made to the customer service, which were essential for contesting a transfer of approximately 10,000 euros and for clarifying the circumstances of the incident. As the bank did not provide a satisfactory response within the legal deadline, the customer filed a complaint with the Italian SA. The records were only transmitted after the Authority initiated an investigation, thus exceeding the 30-day deadline provided for by the GDPR.

       During the investigation, the Italian SA emphasized that, in accordance with the Guideline 01/2022 of the European Data Protection Board on the right of access, including telephone calls between customers and banks constitute personal data. Therefore, they must be made available to the data subject upon request, while respecting the rights of any third parties involved.

       In this context, the Italian SA imposed an administrative fine of 100,000 euros on the company Banco Bilbao Vizcaya Argentaria SA. When setting the amount of the fine, the Authority took into account the bank’s turnover, its cooperation during the investigation and the absence of previous infringements.

       NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

       On December 11, 2025, the National Center for Personal Data Protection (NCPDP) held a training session in the field of personal data protection for representatives of the Ministry of Infrastructure and Regional Development (MIRD), organized at the request of the institution.

       The event aimed to strengthen the capacities of MIRD staff in terms of the correct and responsible implementation of legal requirements in the field of data protection, thus ensuring a high level of compliance and a unified approach in internal processes for processing information containing personal data.

       During the training session, the most relevant aspects of the national and european regulatory framework were analyzed and explained, including: the fundamental principles of personal data processing; the legal grounds that allow data processing in the activity of public authorities; the responsibilities of the controller and the authorized persons; risk assessment and application of appropriate technical and organizational measures; transparency and information of data subjects; management of security incidents and their notification.

       The training contributed to harmonizing MIRD’s internal practices with the regulations in force, facilitating an institutional culture based on personal data protection and accountability. The event provided participants with clarity on how they can prevent processing errors, but also on their obligations in their daily activities.

       Participants highlighted the following key benefits of the training:

• the need to review and update internal procedures;
• the importance of properly documenting processing processes;
• the critical role of cross-departmental cooperation in ensuring compliance;
• the relevance of applying a proactive approach in preventing security incidents and protecting the rights of data subjects.

       NCPDP reaffirms its commitment to supporting public authorities in the correct implementation of data protection standards and remains open to future collaborations dedicated to strengthening the culture of personal data protection in the Republic of Moldova.

       The event was attended by 38 representatives from the Ministry of Infrastructure and Regional Development.

       On December 12, 2025, the National Center for Personal Data Protection (NCPDP) held a training session in the field of personal data protection for representatives of the Ministry of Culture (MC), organized at the request of the institution.

       The purpose of the training session was to strengthen the level of knowledge and application of legal norms regarding data protection in the current activities of the MC, especially in the context of managing information regarding employees, beneficiaries, artists, participants in cultural projects and other categories of data subjects.

       During the session, NCPDP experts presented essential topics such as: the fundamental principles of personal data processing; the legal bases applicable to activities specific to the cultural sector; the technical and organizational measures necessary to ensure data protection; good practices in data management within cultural events and projects; institutional obligations regarding transparency, data security and notification of security incidents.

       The training was of significant importance for MC, given the multitude of situations in which personal data is processed in the cultural and administrative activities of the institution. Compliance with legal requirements contributes to: protecting the rights of data subjects; secure management of sensitive information; increasing public trust in public institutions; alignment with national and european standards in the field of data protection.

       The lessons learned from the training course highlighted the need to:

• strengthening an organizational culture oriented towards data protection;
• updating internal procedures regarding the collection, storage and use of personal data;
• increasing attention to the risks associated with non-compliant processing;
• ensuring transparent communication with data subjects;
• continuously developing staff skills to meet the challenges of the cultural sector.

       NCPDP reaffirms its commitment to supporting public institutions through training and specialized assistance, contributing to the development of an efficient data protection system at the national level.

       During the event, 32 representatives from the Ministry of Culture were trained.