I. Information and training activities carried out by NCPDP
In the second quarter of 2024 (April – June), the National Center for Personal Data Protection (NCPDP) continued its work of informing and raising the awareness of the general public about personal data protection.
During the reporting period, the organization of training courses for the subdivisions of the General Police Inspectorate (GPI) continued, according to the training plan approved and signed by the heads of the NCPDP and GPI on 26 January 2024. Their aim was to increase the awareness of the employees of the GPI subdivisions of the principles of personal data protection and to ensure the correct application of the relevant legal provisions in the work they perform. The events addressed important topics such as: definition of general notions related to the field of personal data protection; the lawful manner of personal data processing in the activity carried out by the employees of the GPI subdivisions; the requirements for the protection of personal data in the performance of their duties; the obligations of the police body as a data controller in relation to the data subject; the correct procedure for accessing personal data through the state information systems, as well as keeping correct audit records of such accesses; ensuring the security and confidentiality of the processed personal data, etc.
Thus, training courses were organized for the following subdivisions:
– May 21 – Chisinau Municipality Police Department;
– June 28 – “South” Patrol Directorate of the National Public Security Inspectorate.
In this context, about 155 representatives of the GPI subdivisions were trained.
At the same time, during the reporting period the information and awareness-raising campaign for school communities was continued under the title “Personal data protection and child safety in the online environment”. The aim of the campaign was to give the school community high visibility of personal data protection and child safety online at local and national level by promoting empowerment and best practices for intervention and support. The topics covered in the trainings were: general notions on personal data; the correct use of photos/videos online; risks and threats online; communication on social networks, etc.
Thus, several training courses were organized, such as:
– April 19 – Public Institution Theoretical High School “Liviu Rebreanu”;
– April 23 – Public Institution “Iulia Hașdeu” Theoretical High School.
The events took place in the framework of the Personal Development class, the target audience being the students of classes IV “A”, IV “B” and IV “C”.
About 200 students were trained in this context.
On February 21, 2024, the heads of the NCPDP and the General Inspectorate of the Border Police (GIBP) approved and signed the Training Plan in the field of personal data protection for Border Police staff, thus organizing several training courses. The aim was to raise the awareness of the employees of the GIBP’s subdivisions of the principles of personal data protection and to ensure the correct application of the relevant legal provisions in their work. Thus, training courses were organized for the following subdivisions:
– April 03 – Border Police Sector “Chisinau International Airport” of GIBP;
– April 10 – General Inspectorate of Border Police.
In this context, about 120 representatives of the GIBP subdivisions have been trained.
During the reporting period, the NCPDP manifested openness and cooperation, organizing multiple training courses for representatives of public institutions, at their request. The training courses were aimed at familiarizing public officials with the aspects related to the field of personal data protection in the public service, the regulation of processing procedures, as well as with the confidentiality and security regime of personal data in accordance with the legislation in force.
During the events important topics were discussed, such as: definition of general concepts related to the field of personal data protection; principles and legal grounds for personal data processing; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO), as well as his/her duties and tasks; issues related to the Data Protection Impact Assessment (DPIA), as well as the steps of conducting a DPIA, etc. Thus, training courses were organized for the following institutions:
– April 04 – State Chancellery, territorial offices;
– April 16 – Single National Service for Emergency Calls 112;
– April 18 – State Pedagogical University “Ion Creangă”;
– May 16 – Standardization Institute of Moldova;
– May 30 – Electronic Governance Agency;
– June 05 – Chisinau City Hall;
– June 07 – Ministry of Foreign Affairs and European Integration;
– June 21 – State Tax Service;
– June 25 – Unified Center for the Provision of Public Services;
– June 26 – State Tax Service, territorial tax officials;
– June 27 – Land registration and evaluation project.
About 710 representatives of public institutions were trained in this context.
II. Control activity
In the period April – June 2024, the NCPDP launched compliance checks of personal data processing operations in 75 cases. During the reporting period, 83 decisions were issued, of which 34 cases were found to be in violation of the legal provisions, and 25 infringement reports were concluded, which were subsequently submitted to the court for decision.
III. Findings of the National Center for Personal Data Protection
I. The NCPDP examined the complaint of a data subject regarding the alleged improper processing of his personal data by the employees of a state institution, consisting in the accessing/consulting of personal information stored in state information resources, namely the State Register of Population and the State Register of Drivers. During the investigation it was determined that the petitioner, while driving the car he owned on a public road, had been involved in a conflict with the driver and passenger of another car, contrary to the Road Traffic Regulation. At the same time, an employee of the Patrol Service accessed personal data concerning the data subject through the E-Data Module, claiming that this had been an erroneous access: although it was after working hours, he had allegedly been asked to identify the owner of a car that was parked irregularly.
According to item 2 and item 1 sub-item 1 of the Regulation on the functioning of the data module of the automated information system “Records of traffic offenses, persons who have committed traffic offenses and penalty points applied”, the user of the module is obliged to access the information in strict accordance with the provisions of the Regulation, only from mobile and fixed equipment in the departmental possession and only during the performance of their duties.
Thus, in the light of the above-mentioned rules, the NCPDP found that the employee of the Patrol Service acted independently, carrying out processing operations on the data subject’s personal data, namely consulting and viewing personal information such as: name, surname, patronymic, IDNP, vehicle registration number, driving licence data (licence number and category, penalty points), information on whether or not the person is deprived of the special right to drive, etc., in the absence of a legal basis and without the consent of the data subject, ignoring the provisions of Art. 4 para. (1) lit. a), b), c), Art. 5 para. (1) and Art. 9 of the Law on Personal Data Protection.
However, the justification given by the employee of the Patrol Service, that he had wrongly accessed through the E-Data Module the data of the vehicle involved in the traffic conflict because its number was similar to that of the irregularly parked vehicle, an obligation arising from his duties, cannot be considered truthful, since the information in question was accessed outside working hours.
II. Following a complaint filed by a data subject, the NCPDP initiated on its own motion an investigation into the alleged unlawful processing by a citizen of personal data of persons from different localities of the Republic of Moldova, consisting in the publication on the social networks “Facebook” and “YouTube” of video footage, recorded with a mobile phone, showing the offering of food packages to elderly people, including bedridden ones, and capturing their image and voice as well as data relating to their age and residence.
During the investigation, the Supervisory Authority found that, while performing charitable acts, he made numerous video recordings on the data subjects’ property in different localities, without their consent, deliberately disclosing the personal data of the data subjects concerned through social media posts.
Accordingly, using his user profile on the social network Facebook and the YouTube channel he manages, the controller processed, by disclosure for unrestricted public access, personal data concerning data subjects from different localities of the Republic of Moldova, such as: name, surname, age, domicile, as well as the image of the persons, in the absence of a purpose and legal basis justifying the interference with the data subjects’ privacy, the data subjects not having given their consent to any further processing of their personal data.
The NCPDP therefore reiterates that any processing of personal data must be necessary for the intended purpose. This condition requires a link between the processing and the interests pursued. The requirement of necessity applies to ensure that the processing of personal data will not lead to an unduly broad interpretation of the need to process data. This means that consideration should be given to whether other less privacy-invasive means are available to serve the intended purpose.
The NCPDP does not deny the beneficial nature of the charitable actions carried out, on a case-by-case basis, by the controller, but the publication on social networks/the internet of data subjects’ personal data, without their consent, for unrestricted public access, violates the principles of personal data protection, all the more since in several cases information on the health of data subjects was found to be disclosed, which constitutes a special category of personal data requiring a high level of protection.
Accordingly, the Supervisory Authority found that the processing of personal data of persons reflected in the video footage published by the controller is contrary to the principles of personal data protection, and such actions contravene the provisions of Art. 4 para. (1) and Article 29 para. (1) of Law No 133/2011 on personal data protection.
III. The NCPDP examined the complaint received from a state authority regarding the complaint of a personal data subject, who requested the verification of the lawfulness of the personal data processing operations concerning him, carried out by means of several automated record systems, by 13 data controllers, including a central specialized body of the local public administration (hereinafter – data controller), in accordance with the provisions of Law no. 133/2011 on the protection of personal data.
In these circumstances, NCPDP has initiated the verification of compliance with the provisions of Art. 4 letter. a) and b), Art. 5 and Art. 30 of Law no. 133/2011, when processing personal data of the data subject.
During the examination of the gathered material, it was found that the data controller had not taken appropriate action regarding the organizational and technical measures necessary for the protection of personal data, designed to ensure an adequate level of integrity, confidentiality and security in terms of the processing risks and the nature of the data processed in the Central Data Bank of the cadastre of immovable property: on termination of the employment relationship with the employee of the local public administration to whom a user account in the Central Data Bank of the cadastre of immovable property had been assigned for the performance of duties within that entity, his right of access to that information resource was not withdrawn.
Thus, that user, who currently holds a position of public dignity, carried out processing operations on the data subject’s personal data for another purpose, using the account provided by the local public administration.
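Findings I and III both turn on controls a registry operator can check mechanically: whether a lookup happened outside the account holder’s working hours or from non-departmental equipment, and whether an account was still usable after its holder left. The following review script is an added example written for this page, not NCPDP code; the audit-log format, HR roster, IAM export and shift policy are assumptions, and every record in it is constructed.

```python
# Audit-record review for lookups in a personal-data registry (added example,
# not NCPDP code). Log format, roster, IAM export and shift policy are assumed;
# every record below is constructed.
from dataclasses import dataclass
from datetime import date, datetime, time

# Constructed audit records: timestamp, account, registry, action,
# device class, and the record looked up (shown here as an opaque ID).
AUDIT_LOG = """\
2024-04-02T10:15:00 user17 SRP lookup departmental 00000001
2024-04-02T22:40:00 user17 SRD lookup departmental 00000002
2024-04-03T11:05:00 user42 CADASTRE lookup departmental 00000003
2024-04-03T11:20:00 user09 SRP lookup personal 00000004
"""

# Constructed HR roster: account -> (shift start, shift end, date the holder left or None).
ROSTER = {
    "user17": (time(8, 0), time(17, 0), None),
    "user42": (time(8, 0), time(17, 0), date(2023, 12, 31)),  # employment ended
    "user09": (time(8, 0), time(17, 0), None),
}
# Constructed export of accounts still enabled in the registry, and the review date.
ACTIVE_ACCOUNTS = {"user17", "user42", "user09"}
REVIEW_DATE = date(2024, 4, 1)


@dataclass
class AuditRecord:
    when: datetime
    user: str
    registry: str
    action: str
    device: str
    record_id: str


def parse_record(line: str) -> AuditRecord:
    when, user, registry, action, device, record_id = line.split()
    return AuditRecord(datetime.fromisoformat(when), user, registry, action, device, record_id)


def check_record(rec: AuditRecord, roster: dict) -> list[str]:
    """Return the rules an audit record breaks (empty list means compliant)."""
    if rec.user not in roster:
        return ["unknown account"]
    start, end, left_on = roster[rec.user]
    findings = []
    if left_on is not None and rec.when.date() > left_on:
        findings.append("account used after termination")  # access right never withdrawn
    if not (start <= rec.when.time() < end):
        findings.append("access outside working hours")
    if rec.device != "departmental":
        findings.append("access from non-departmental equipment")
    return findings


def review(log_text: str, roster: dict) -> list[tuple[str, str, list[str]]]:
    """Return (account, record_id, findings) for every record that breaks a rule."""
    flagged = []
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        findings = check_record(rec, roster)
        if findings:
            flagged.append((rec.user, rec.record_id, findings))
    return flagged


def accounts_to_revoke(roster: dict, active: set, as_of: date) -> list[str]:
    """Accounts still enabled although their holder left before the review date."""
    return sorted(u for u in active if u in roster and roster[u][2] is not None and roster[u][2] < as_of)
```

On the constructed data, review(AUDIT_LOG, ROSTER) flags the after-hours lookup, the lookup by the departed user42, and the lookup from a personal device, while accounts_to_revoke(ROSTER, ACTIVE_ACCOUNTS, REVIEW_DATE) returns ['user42'].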
IV. The NCPDP examined the data subjects’ complaint regarding the alleged fact of improper processing of personal data, materialized by the publication of personal data by the mayor of the locality, in a group on the social network “Facebook”, of the pay list of employees of an institution subordinated to the Local Public Administration, which contained: name, surname, patronymic and salary amount per person.
In the course of the investigation, the NCPDP found that the personal data concerning 54 subjects had been published by the mayor on the social network in order to combat misinformation and falsehoods spread by the employees of the institution, such as the claim that the mayor was restricting their right to receive their salary.
Thus, it was determined that the mayor was convinced that the data used, such as name, surname and salary amount, were public data, relying on the provisions of Law no. 148/2023. However, it was found that the persons concerned in the published list are not civil servants and are not subject to the regulations stipulated by Law 148/2023, except for the director, who is appointed on the basis of a competitive examination by the City Council and contractually employed by the Mayor. Moreover, Law 148/2023 entered into force on 08.01.2024.
As a result of the resolution of the complaint, the NCPDP found by decision the violation of art. 4 para. (1) letter (1) and Art. (1) of Law no. 133/2011 on the protection of personal data by the mayor of the municipality when processing the personal data of the data subjects concerned in the November 2023 Payment List.
At the same time, the NCPDP ordered the deletion by the mayor of the commune from the social network group “Facebook” of the image containing information on personal data of the data subjects referred to in the November 2023 Payment List.
IV. Surveillance activity
For the purpose of providing methodological and advisory support to personal data controllers and/or processors, more than 50 telephone consultations and 6 replies by e-mail were provided and recommendations were proposed to remove discrepancies identified by personal data controllers.
V. International and European news
– An opinion following a referral under Article 64(2) of the GDPR on consent to data processing in behavioral advertising: authorities from the Netherlands, Norway and Hamburg requested an EDPB opinion on the “consent or pay” models used by large online platforms. The opinion concludes that these models usually do not provide valid consent, as users are forced to choose between consent to data processing or payment of a fee. The EDPB recommends that platforms offer users real alternatives, including free options without behavioral advertising.
– EDPB strategy for the period 2024-2027, which defines four main pillars:
– Enhancing harmonization and promoting compliance.
– Strengthening a common enforcement culture and effective cooperation.
– Safeguarding data protection in the context of the developing digital landscape and cross regulation.
– Contributing to the global data protection dialog.
– The EDPB adopted Rules of Procedure, a public notice and model complaint forms to facilitate the implementation of the redress mechanisms in the EU-US Data Privacy Framework. These mechanisms deal with complaints related to national security and commercial purposes for data transmitted after July 10, 2023.
During the working sessions, current topics were presented, such as:
– The role of Data Protection Authorities in the era of evolving digital regulation;
– Managing data protection and privacy in the era of emerging technologies and innovations;
– Health data protection in the age of digitization;
– Shaping data protection through the cooperative experience of Data Protection Authorities;
– Managing Anti-Money Laundering (AML) and General Data Protection Regulation (GDPR) regulations: challenges, cooperation and compliance;
– Enhancing AML and GDPR compliance through collaborative strategies.
For the second time during a Spring Conference of the European Data Protection Authorities, an open day was organized. This provided the opportunity for several institutions, NGOs or other organizations that expressed an interest in the topics addressed during the event to participate, including in online format.
The event was attended by 145 representatives from 43 countries such as: Austria, Belgium, Bulgaria, Croatia, Denmark, France, Georgia, Germany, Greece, Hungary, Italy, Malta, Moldova, Portugal, Romania, Spain, Switzerland, Ukraine, etc. Representatives of four organizations were also present: FRA, EDPS, EDPB and the European Commission.
– From June 3 to June 6, in Brussels, Belgium, representatives of the NCPDP participated in the event “Council for Progress on Governance in the Eastern Partnership Countries”, implemented by GIZ and co-financed jointly by the European Union and the German Federal Ministry for Economic Cooperation and Development.
The scope of the event was to facilitate a practical, expert-level dialog between selected institutions from the EaP countries on good governance. This includes the use of the benchmarks of the revised Principles of Public Administration in areas that align with aspects of good governance. These include government effectiveness, regulatory quality, rule of law, voice and accountability, political stability and anti-corruption measures. The event aimed to deepen the practice of applying the revised principles to good governance issues, emphasizing the importance of a citizen-centred approach, accountability, transparency and efficiency as key pillars of good governance.
During the event, participants were divided into 5 working groups, including:
– Group 1. Effective parliamentary oversight as a way to increase trust in government;
– Group 2: Increasing government effectiveness by improving policy and decision-making processes;
– Group 3: Building a professional public service;
– Group 4: Transformation through inclusive digitization;
– Group 5: Rule of Law.
– In the period 4-6 June the 46th plenary meeting of the Consultative Committee of Convention 108 took place in Strasbourg, France.
The last meeting of the Committee discussed the work program for the years 2022-2025 and the state of play regarding the signature and ratification of the Protocol amending Convention 108+, necessary for the protection of personal data. Of the 46 signatory states, 31 have ratified the Protocol, with 38 ratifications needed for entry into force. The delegation of the Republic of Moldova presented the progress in the ratification of the Protocol and the approval of a new data protection law, transposing the GDPR, by the Parliament. The Ministry of Justice mentioned that the ratification of the Protocol will be achieved after the adoption of the new law.
The Committee took note of Costa Rica’s commitment for accession and discussed the model contractual clauses for transborder data flows and adopted the final document. The revised draft interpretation of Article 11 of the modernized Convention 108 was also presented. Professor Colin J. Bennett presented a paper on data processing in the electoral process, subsequently adopted by the Committee.
Cooperation with other Council of Europe bodies was discussed, welcoming the adoption of the new Framework Convention on AI. The Bureau took note of the expert report and urged the development of guidelines on neuroscience and data protection. The delegation of the Republic of Moldova reported on the national conference “Raising awareness on Convention 108+”, organized in collaboration with TAIEX experts.
The plenary meeting was attended by representatives from 54 countries. The next meeting is scheduled for November 4-6, 2024, and the next Bureau meeting for September 11-13, 2024.
– In the period 18-19 June 2024, the 94th Plenary Session of the European Data Protection Board took place in Brussels, Belgium, where the Republic of Moldova participated as observer. During the meeting, Zdravko Vukić, Director of the Croatian Data Protection Agency, was elected as EDPB’s Vice-Chair, succeeding Aleid Wolfsen. Vukić, together with Irene Loizidou Nikolaidou and Anu Talus, will ensure consistent application of EU data protection rules and promote cooperation between data protection authorities in the European Economic Area.
The meeting adopted Guidelines 01/2023 on Article 37 of the Law Enforcement Directive (LED). These guidelines provide guidance on the appropriate safeguards to be applied by competent authorities under Article 37 LED and the expectations of the EDPB in negotiations between Member States and third countries or international organizations.
It also discussed best practices for the organization of EDPB plenary meetings, emphasizing the importance of transparency, efficiency of procedures, consensus in decisions and follow-up of their implementation. Recommendations included respect for the principle of transparency, effective use of digital tools, promotion of constructive dialog and regular evaluation of the effectiveness of meetings. These practices are essential to ensure effective governance and adequate protection of personal data in the European Union.
VI. Other data protection authorities
– On May 8, the decision of the Finnish Data Protection Authority (FI SA) to impose an administrative fine of 856 000 euro on Verkkokauppa.com was announced, for breach of Art. 5 (principles relating to the processing of personal data) and Art. 25 (data protection by design and by default) of the GDPR.
FI SA investigated the activities of online retailer Verkkokauppa.com following a complaint from a customer. The controller had asked the customer to register as a customer before shopping online. Shopping in the online shop was not possible without creating a customer account.
The investigation found that the controller did not specify the storage period of the data collected for the customer accounts in its online shop and that the data was stored indefinitely. Furthermore, the controller’s practice of requiring the creation of a customer account in order to make online purchases violated data protection legislation. The creation of a customer account or the storage of personal data resulting from such creation may not be a mandatory requirement to make individual purchases online.
In this context, the FI SA imposed an administrative fine of € 856 000 on the controller for not defining the storage period for personal data on customer accounts. The controller was required to specify an appropriate storage period for customer account data and to rectify its mandatory registration practice. Verkkokauppa.com was also reprimanded for practices in breach of data protection legislation.
– On May 2, the decision of the Czech Data Protection Authority (Czech SA) of April 10, 2024 to impose an administrative fine of €13.9 million on a company registered in the Czech Republic was announced, for violation of Art. 6 (lawfulness of processing) and Art. 13 (information to be provided where personal data are collected from the data subject) of the GDPR.
The case concerns the controller’s transfer of personal data, collected by the controller from users of its antivirus software, to an affiliated company. The proceedings were initiated on the basis of media reports and an anonymous filing.
Following the investigation, the Czech SA found that the controller transferred personal data of users of anti-virus software and browser extensions to the affiliated company without having a legal basis for such processing. The transferred data related to approximately 100 million users and included in particular the pseudonymized web browsing history of the users linked to a unique identifier. In addition, the Czech SA found that the controller misinformed its users (data subjects) about these data transfers, as it claimed that the transferred data were anonymized and used exclusively for statistical sales analysis. At the same time, the Czech Data Protection Authority concluded that Internet browsing history, even if not complete, may constitute personal data, as re-identification of at least some of the data subjects could occur. The controller’s breach is all the more serious as it is one of the leading experts in the field of cybersecurity, providing the public with data protection and privacy tools.
An administrative fine of €13.9 million (CZK 351 million) was imposed on the data controller. The decision is final and enforceable.