On December 10, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for representatives of the State Social Inspectorate, at their request.

       The goal of the training session was to provide participants with an in-depth understanding of the legal framework regarding the protection of personal data, as well as how it applies to activities specific to the social field. The training covered both theoretical aspects  processing principles, data subjects’ rights, responsibilities of controllers and processors  and practical components, oriented towards solving real situations encountered in professional activity.

       The importance of this training session derives from the growing need to ensure responsible management of personal data, especially in a sector where varied and sensitive categories of information are processed. In the context where the digitalization of public services is continuously expanding, and data security risks are becoming more complex, the training offered by NCPDP represents an essential tool for preventing incidents, protecting vulnerable people, and strengthening trust in state institutions.

       During the session, participants benefited from practical examples, personalized recommendations for their field of activity, as well as clarifications on the management of high-risk situations. Topics addressed included: assessing the compliance of processing processes; correct application of technical and organizational security measures; institutional responsibilities regarding the transparency and legality of processing; preventing breaches and managing security incidents, etc.

       Following the training session, representatives of the State Social Inspectorate obtained significant benefits, such as:

• improving the ability to correctly identify and manage personal data in operational processes;
• strengthening the skills of risk assessment and application of security measures;
• increasing the degree of accountability regarding compliance with the national and european legal framework;
• forming a unified perspective on how data protection contributes to the efficiency of institutional activity.

       NCPDP reaffirms its commitment to support public institutions in the process of correct implementation of data protection rules and to promote an institutional climate based on respect for the fundamental right to privacy.

       The event took place online, with 18 representatives of the State Social Inspectorate being trained.

       On December 3, the National Center for Personal Data Protection (NCPDP) held a training session for employees of the Ocnița Police Inspectorate (PI), thus marking the completion of the training program planned for 2025 within the subdivisions of the General Inspectorate of Police (GPI). The annual program was approved and signed by the heads of the NCPDP and the GPI on January 28, 2025.

       The main objective of the training session was to strengthen the capacities of PI Ocnița employees to correctly and responsibly apply the rules on personal data protection in operational and managerial activity. The NCPDP aimed to ensure a uniform understanding of the legislation, promote an organizational culture oriented towards respecting the rights of the data subjects and preventing security incidents.

       Participants were trained on: the fundamental principles of personal data processing and the obligations of law enforcement institutions; correct practices for collecting, storing and transmitting data in specific police activities; identification of high-risk situations and the necessary measures to reduce them; the importance of transparency, legality and data minimization in all operations carried out; reporting and response procedures in case of data security incidents.

       The training discussed real case studies and operational scenarios, which allowed participants to understand the impact of non-compliance with data protection rules and identify practical solutions applicable in everyday work.

       Completing this annual training program brings an important set of benefits to GPI subdivisions, such as:

•  Increasing the level of compliance with national and european data protection legislation;
• Reducing operational risks associated with the processing of sensitive data in law enforcement and investigative activities;
• Improving the quality of services provided to citizens by adopting responsible and transparent practices;
• Strengthening the organizational culture towards data protection and the protection of fundamental rights;
• Streamlining internal collaboration by clarifying roles, obligations and procedures in the field of data protection.

       The successful completion of all training sessions planned for 2025 confirms the joint commitment of the NCPDP and the GPI to promote a safe, professional and human rights-oriented environment in all personal data processing processes.

       During the event, 50 representatives of the Ocnița Police Inspectorate were trained.

       On November 25, 2025, the National Center for Personal Data Protection organized a training session entitled “Protection of personal data within data recording information systems” for deputies of the 12th legislature, staff from the offices of persons with public dignitaries, including civil servants from the Secretariat, at their request.

       The purpose of the training was to consolidate knowledge regarding legal requirements and good practices in the field of data protection, especially in the context of the use and administration of information systems that manage large volumes of personal data. Participants were familiarized with the institutional and individual obligations arising from national and european legislation, as well as with the essential principles of data processing – from legality and transparency, to security and accountability.

       The event addressed a series of essential topics for strengthening good practice in the field of personal data protection, such as: clarifying general concepts specific to this field, exercising the rights of data subjects, the principles and legal bases governing data processing, and the responsibilities related to the designation and role of the Data Protection Officer. Particular emphasis was placed on access to information of public interest, analyzed from the perspective of data protection legislation. The discussions focused on how a balance can be ensured between the public’s right to information and the need to protect personal data, in particular by applying the principle of proportionality  when deciding to disclose information. At the same time, the rules regarding the correct limitation of access were examined, as well as the obligations related to the retention, storage and use of data after the completion of processing operations, so that their disclosure or archiving fully complies with legal requirements.

       Participants benefited from an interactive session, which resulted in several conclusions and strengthened skills, including: in-depth understanding of institutional and individual responsibilities regarding the protection of personal data; identification of typical risks associated with the use of information systems of record and ways to mitigate them; the need to implement appropriate technical and organizational measures, including access control, clear internal policies and periodic audit programs; the importance of respecting the principles of data minimization, accuracy and limited time retention and improving internal communication and cooperation with the Data Protection Officer for the correct management of processing situations.

       Through this initiative, NCPDP reaffirms its commitment to supporting public institutions in developing the necessary skills for secure, transparent and responsible management of personal data, thus contributing to protecting the fundamental rights of citizens.

       The event was attended by 90 representatives from the Secretariat of the Parliament, including staff from the offices of persons with public dignitaries and deputies from the 12th legislature.

       On December 3, the National Center for Personal Data Protection (NCPDP) continued the national campaign to inform and raise awareness among students regarding the protection of privacy in the digital environment. In this context, the institution organized the training course “Protection of personal data and children’s safety in the online environment”, intended for students of the Art School in Ialoveni.

       The main objective of the activity was to familiarize children with the notion of personal data, as well as to understand how this information should be managed in everyday life. NCPDP trainers focused on:

• explaining the difference between simple personal data, sensitive data and public information;
• identifying situations in which children’s data may be collected or used abusively;
• understanding the rights that minors have in relation to data protection and digital safety.

       The crucial goal of the session was to develop self-protection skills in the online environment, so that students would be aware of the importance of prudent and responsible behavior when interacting on the internet.

       In an ever-changing digital context, children are among the most exposed to various online risks – from excessive data collection to cyberbullying, phishing, or contact with unknown people. Through this course, students:

•  understood why data such as full name, address, phone number, photos, location or passwords must be carefully protected;
• found out how their information can be used by malicious individuals, including for manipulation or fraud purposes;
• discovered the role of privacy settings, strong passwords and checking sources before accessing a link or sharing content.

       The emphasis was on the idea that digital safety is a personal responsibility, and knowing how the online environment works helps them navigate with more confidence and protection.

       The course included interactive discussions, practical examples, and real-life situations that children may face in the digital environment. Among the most important concepts learned are: recognizing personal data and understanding its value; identifying the risks associated with the uncontrolled distribution of online information; critically evaluating digital content, unknown messages and suspicious requests; protective measures: correct use of passwords, activating two-step authentication, reporting abusive behavior; the role of trusted adults – the importance of asking for help when encountering uncomfortable or potentially dangerous situations. Students actively participated in the discussions, asked questions and provided examples from their own experiences, demonstrating interest and openness to the topics addressed.

       Through such activities, NCPDP reaffirms its mission to contribute to creating a culture of data protection among children and young people, promoting a safe, responsible and friendly digital environment. The institution will continue to conduct training in schools across the country, providing accessible information adapted to the age level of the students.

       The event was organized at the initiative of the National Council for the Protection of Children and Youth, training 55 students. At the same time, the information materials, as well as the gifts offered to the students, were developed with the support of the United Nations Children’s Fund (UNICEF).

       On November 21, 2025, the National Center for Personal Data Protection organized a training session in the field of personal data protection for employees of the General Inspectorate for Migration (GIM), Center Regional Directorate, according to the training plan within the GIM for 2025, approved and signed by the heads of the NCPDP and GIM on January 27 of this year.

       The training aimed to familiarize participants with the fundamental principles of data protection, strengthening knowledge regarding institutional and individual obligations in the process of processing personal data, identify risks and apply appropriate security measures, as well as increase the level of responsibility in relation to the management of data of citizens and foreigners undergoing migration procedures.

       For GIM representatives, training is a fundamental element in guaranteeing:

• Operational compliance with data protection legislation, given the essential role of the GIM in managing migration flows, documentation and record-keeping processes, as well as specific databases.
•  Increasing the level of institutional security, by reducing the risk of security incidents and by strengthening an internal culture of accountability and transparency.
• Continuous capacity-building for employees, which contributes to a more efficient execution of job duties and to the improvement of services provided to citizens, asylum seekers and migrants.
• Adapting to new regulatory and technological developments, in a context in which the digitalization of processes and the inter-institutional exchange of information are becoming increasingly complex.

       Participants benefited from an interactive session, which resulted in several conclusions and strengthened skills, including: in-depth understanding of data processing principles and their application in daily work, including in documenting migrants, managing files and using internal information systems; awareness of the importance of data minimization, limited access only to authorized persons and the need to justify each processing operation; acquisition of practical knowledge on preventing incidents, such as unauthorized disclosures or illegal access to systems; understanding of the institution’s obligations regarding the communication of security incidents, including the procedures for notifying the NCPDP and informing data subjects when necessary; strengthening the skills to respect the rights of data subjects, especially in complex situations specific to the field of migration, where transparency and fairness of data processing are essential for protecting vulnerable persons.

       During the event, 16 representatives from GIM, Center Regional Directorate, were trained.

       Through such training, NCPDP reaffirms its commitment to constantly support GIM employees in the correct application of data protection rules, to provide them with professional support and practical tools for secure information management, and to contribute to the development of a responsible institutional culture in the field of personal data protection.

       On November 18, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for the employees of the Nisporeni Police Inspectorate, according to the training plan within the IGP subdivisions for 2025, approved and signed by the leaders of the NCPDP and IGP on January 28 of this year.

       The purpose of the training session was to strengthen the professional capacities of the employees of the Nisporeni Police Inspectorate in the field of personal data protection, by deepening the applicable regulatory framework, as well as by familiarizing them with European standards and good practices in the field.

       The training session aimed to ensure a uniform and correct application of data protection legislation in specific police activities, in the context in which IGP representatives manage sensitive information on a daily basis, in exercising their duties of preventing, detecting and investigating crimes. Therefore, the session focused on developing a consolidated institutional culture in the field of data protection, aimed at supporting both employee professionalism and respect for the fundamental rights of data subjects.

       During the session, NCPDP trainers addressed an extensive set of topics relevant to police activity, such as: the application of the principles of legality, fairness, proportionality and data minimization in current operations; the particularities of processing sensitive data and information regarding persons at risk; the obligation to rigorously document processing activities and the importance of internal registers; the responsibilities of employees in daily activity, as well as the role of the Data Protection Officer; prevention and reporting of security incidents, with an emphasis on prompt response and institutional cooperation.

       The importance of training for employees of the Nisporeni Police Inspectorate derives from the need for responsible, legal and proportionate management of citizens’ personal data, in a complex operational context, characterized by accelerated digitalization, inter-institutional information exchanges and exposure to risks associated with data security. The training contributes to strengthening the capacity of the Nisporeni Police Inspectorate to prevent security incidents, ensure the transparency of internal processes, and maintain a high level of public trust in police activity.

       Among the lessons learned from the training are: strengthening the understanding of the need to strictly comply with data protection legislation in all operational activities; awareness of the risks associated with data processing without legal basis or outside the established limits; recognition of the essential role of transparency and accountability in internal processes; appreciation of the importance of effective communication with the NCPDP and continuous training as a fundamental element in ensuring compliance.

       The NCPDP reaffirms its commitment to support, through systematic training and specialized expertise, all IGP subdivisions in the joint effort to promote compliance, professionalism and the protection of the fundamental rights of the citizens of the Republic of Moldova.

       During the event, 57 representatives of the Nisporeni Police Inspectorate were trained.

       On November 14, the National Center for Personal Data Protection (NCPDP) continued its information and awareness campaign for the school community, organizing the training session “Personal data protection and children’s safety in the online environment” for the Public Institution “Ștefan cel Mare”, Theoretical High School in Chișinău. The event took place during the Personal Development class, the target audience being students of the “A” 3rd grade.

       The aim of the training session was to familiarize children with the notion of personal data and develop a clear understanding of why this information needs to be protected. Given that students increasingly use the internet for educational, recreational or communication activities, developing a cautious and responsible attitude becomes essential. The session aimed to help children become aware of the risks of the online environment and adopt good digital security practices from an early age.

       During the training, NCPDP specialists used real-life examples, educational games, and interactive activities to facilitate understanding of concepts in an accessible and attractive way for the young audience. Students were encouraged to ask questions, share their own experiences using the internet, and reflect on situations where risks may arise.

       As a result of the activity, students learned and understood:

• What is personal data and how it can be identified in everyday life – name, surname, phone number, home address, photos, passwords, or other information that can identify them.
• Why is it important to protect this data, especially in the online environment, where information can be easily accessed, copied or used for improper purposes?
• How to avoid potential dangers, such as conversations with unknown people, accessing suspicious links or files, or sharing information containing personal data on social networks.
• Essential rules for online safety, including using strong passwords, keeping those passwords confidential, limiting the information shared on social media, checking privacy settings, and seeking help from a trusted adult when encountering unclear or worrying situations.
• The importance of responsible and respectful behavior in the digital environment, understanding that personal safety and that of colleagues depends, in large part, on how they communicate and interact online.

       Through this activity, NCPDP emphasized the importance of early digital education, emphasizing that risk prevention is much more effective when children are informed correctly and on time. In the context of the constant increase in the use of technology by children, training dedicated to them is becoming a necessity for developing a culture of data protection and safety in the online environment.

       NCPDP reaffirms its commitment to continue educational initiatives aimed at students, contributing to the formation of a generation capable of navigating safely and responsibly in the digital space.

       The event was organized at the initiative of the National Council for the Protection of Children and Youth, training 37 students. At the same time, the information materials, as well as the gifts offered to the students, were developed with the support of the United Nations Children’s Fund (UNICEF).

       It should be noted that the information and awareness campaign for the school community was launched on April 15, 2022, and the NCPDP aims to continue this training format both in school institutions in Chișinău and in those in the districts of the Republic of Moldova.

       Between November 3-5, representatives of the National Center for Personal Data Protection (NCPDP) participated in the 49th plenary meeting of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), which took place in Strasbourg, France.

       Important topics were discussed during the Meeting, including:

• Convention 108+, current ratifications and accessions;
• Transborder data flows of personal data;
• Data protection in the context of large language models (LLMs);
• Cooperation with other Council of Europe bodies and entities;
• Major developments and activities in the field of data protection, etc.

       At the same time, after a detailed analysis, the Committee adopted the Work Programme for the period 2026-2029, which will be implemented starting in January 2026. The document outlines strategic directions regarding: strengthening the legal framework of Convention 108+; addressing emerging risks in the field of AI and neurodigital technologies; developing international cooperation tools and technical assistance for member states and partners. The state of development of the Guidelines on data protection in the context of neuroscience research was also presented, with Member States invited to submit comments by November 21, 2025, and the document will be analyzed in detail at the next plenary session.

       The plenary meeting demonstrated the dynamic and evolving nature of the European data protection regulatory framework. The Consultative Committee of Convention 108 continues to play a key role in guiding public policies, defining ethical principles of digitalisation and promoting responsible data governance globally. Participation in this session was a valuable opportunity to exchange expertise and strengthen international cooperation, reaffirming our state’s commitment to protecting fundamental rights in the digital age.

       The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the importance of the participation of the Republic of Moldova in the plenary meetings of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as the weight of the documents adopted within them.

I.                  Information and training activities carried out by the NCPDP

       During the third quarter of 2025 (July – September), the National Center for Personal Data Protection (NCPDP) continued to make significant progress in achieving its objectives, focusing particularly on the development and implementation of activities aimed at informing and raising awareness of the general public regarding the importance of the field of personal data protection. In this context, a series of educational initiatives and awareness campaigns were carried out aimed, on the one hand, at explaining citizens’ rights regarding the management of their personal data, and on the other hand, at promoting responsible behavior regarding their protection.

       Through these actions, NCPDP aimed not only to increase the degree of understanding of the legal regulations in the field, but also to cultivate an organizational and social culture in which respecting confidentiality and data security becomes an integrated practice in the daily life of every citizen. This approach aims to ensure not only compliance with national and European legislation, but also to strengthen the general public’s trust in the personal data protection process.

       During the reference period, the organization of training sessions for the subdivisions of the General Inspectorate of Police (GIP) continued, according to the training plan approved and signed by the heads of the NCPDP and GIP, on January 28, 2025.

       Thus, training sesssions were organized for the following subdivisions:

• July 15 – Căușeni Police Inspectorate;
• August 5 – Criuleni Police Inspectorate;
• September 23 – Dubăsari Police Inspectorate.

       In this context, 225 representatives from the GIP subdivisions were trained.

       Likewise, the organization of training sessions for employees within the structural, specialized and territorial subdivisions of the General Inspectorate for Migration (GIM) continued, according to the training plan approved and signed by the heads of the NCPDP and GIM, on January 27, 2025.

       Thus, training sessions were organized for the following subdivisions:

• September 17 – Structural and Specialized Subdivisions of the GIM;
• September 19 – Southern Regional Directorate of the GIM.

       In this context, 31 representatives from GIM subdivisions were trained.

       During the reference period, NCPDP demonstrated openness and a spirit of collaboration, organizing multiple training sessions for representatives of public/private institutions, at their request.

       Thus, training sessions were organized for the following entities:

• July 1 –  Moldtelecom;
• July 02 – The National Energy Regulatory Agency (NERA);
• July 03 – Moldovan Banks Association;
• July 12 – School of Building Administrators;
• July 19 – School of Building Administrators;
• September 02 – National Office of Social Insurance;
• September 08 – Customs Service;
• September 11 – Post of Moldova.

       In this context, 325 representatives of the above-mentioned entities were trained.

       The training sessions aimed to familiarize with aspects related to the field of personal data protection, the regulation of processing procedures, as well as the confidentiality and security regime of personal data in accordance with the legislation in force. Important topics were discussed during the events, such as: defining general notions related to the field of personal data protection; principles and legal grounds for the processing of personal data; rights of personal data subjects; processing of special categories of personal data; requirements regarding the personal data protection in the exercise of job duties; ensuring the security and confidentiality of processed personal data; aspects related to the appointment of the Data Protection Officer (DPO), as well as his obligations and tasks; aspects related to the Data Protection Impact Assessment (DPIA), as well as the stages of conducting a DPIA, etc.

       At the same time, the information and awareness campaign for the school community was continued with the theme: “Personal data protection and children’s safety in the online environment”. The goal of the campaign was to raise awareness and educate children regarding: the importance of protecting personal data; identifying risks in the online environment; adopting responsible, safe and informed behavior in the digital space to support children to browse the internet in a safe, ethical and informed manner, reducing their vulnerability to online threats. The topics addressed during the trainings focused on: what personal data is; how to protect your personal data online; risks and threats in the online environment; safety on communication platforms and online games, etc. The training session was organized on July 7, 2025 for the Class of the Future, with 38 students being trained.

II.               Control activity

       Between July and September 2025, NCPDP initiated verification of the compliance of personal data processing operations in 116 cases. During the reference period, 97 decisions were issued, of which 44 cases found a violation of legal provisions, with 36 reports being issued regarding the contravention, which were subsequently submitted to the court for resolution.

III.           Findings of the National Center for Personal Data Protection

1.        The NCPDP examined the complaints of several petitioners from the Gagauzia Autonomous Region, in which they reported receiving several messages mentioning the allocation of financial sources in their names from banks in the Russian Federation.

       During the investigation, all the petitioners claimed that they did not participate in meetings organized by political parties in 2023–2024 and did not transmit their personal data to anyone, and that the social assistance received from the state was provided through the Post Office or through another secure method. Thus, the petitioners assume that members of a political party group would have made registrations on platforms used by banking entities in the Russian Federation, using information obtained from the Directorate of Health and Social Assistance of the Gagauzia Autonomous Region.

       During the inspection, it was determined that, in the context of the operations complained about by the petitioners, the applications/platforms “Centrify”, “Qsms” and “Authentify” are products of companies not headquartered in the Republic of Moldova. At the same time, from the information presented in the public space, including by the competent law enforcement agencies, it was noted that personal data were collected and transferred cross-border to entities in the Russian Federation, namely, entities in this country could make transfers in Russian rubles.

       Based on the circumstances described, from the materials accumulated in the given case, it was not possible to specifically determine the person(s)/entities who transmitted the personal data cross-border in the situations complained of by the petitioners.

       However, it is certain that there has been processing of personal data manifested by their cross-border transmission to a state that does not ensure an adequate level of protection, for purposes that may prejudice the fundamental rights and freedoms of the individual with regard to the personal data protection.

       Thus, in rem, the NCPDP found a violation of the provisions of art. 32 paragraph (5) of Law no. 133/2011 on the personal data protection, in the processing through cross-border transmission of the personal data of the petitioners.

2.         The NCPDP received a complaint from a personal data subject, who requested verification of the legality of the personal data processing operations concerning him, carried out by a company (hereinafter – data controller), through the Real Estate Registry, in accordance with the provisions of Law No. 133/2011 on the personal data protection.

       In these circumstances, the NCPDP initiated the verification of compliance with the provisions of art. 4 para. (1) p. a) and b) and art. 13 of the Law in question, when processing the personal data of the data subject.

       During the examination of the accumulated material, it was found that the data controller consulted the information referring to 3 real estate properties containing data about the owner of the real estate properties; the basis for registration – the name and dates of the act by which the ownership right was acquired.

       Therefore, data processing was to be subject to the consent of the personal data subject and, respectively, to his/her right to decide freely and unequivocally whether or when personal data concerning him/her may be processed by the data controller in compliance with the provisions of Law No. 133/2011 on the personal data protection.

       Moreover, the NCPDP did not consider as well-founded the argument invoked by the data controller that it had consulted the public part of the Real Estate Register, but the public part of the Register does not provide information about the ownership of the real estate and the method of acquiring it.

       Thus, during the investigations, the NCPDP found that the data controller processed the personal data of the data subject without complying with the requirements set out in art. 4 para. (1) p. a) and b) of Law no. 133/2011.

       Subsequently, the data controller did not resolve the data subject’s request regarding the exercise of the right of access, not providing a substantiated/pointed response justifying the personal data processing operations carried out by the latter, including the violation of Article 13 of Law 133/2011. In the case, the NCPDP initiated the contravention procedure.

3.        The NCPDP, initiated proceedings following the receipt of a request from a district councilor, thus examining the case in light of legal powers, namely, investigating an alleged illegal processing of the special category of personal data of data subjects, caused by the inappropriate actions/inactions of the District President.

       Following the accumulation of evidence, it was established that the President of the district issued and signed a response addressed to the district councilors regarding the behavior of medical personnel from some medical facilities in the district.

        To justify the response, the District President attached extracts from the medical records of some patients, containing: name and surname, date of birth, IDNP, home address and information on health status.

       As part of the control initiated by the Control Authority, the District President submitted two declarations of consent signed by some patients, considering that he had a legal basis for data processing.

       However, the NCPDP analysis revealed that consents were obtained from only two data subjects, while the attached documents contained the data of several people. At the same time, the wording in the consents was general and unclear, not meeting the conditions of a valid consent (free, specific, informed, unambiguous).

       Furthermore, the NCPDP revealed that the transmission of medical records to counselors was not necessary and proportionate to the intended purpose, as the verification and subsequent justification of the work schedule of medical personnel in the response to counselors could have been achieved through non-intrusive administrative means.

       As a result of the findings, the NCPDP invoked the following relevant provisions of Law no. 133/2011 on the personal data protection: art. 4 para. (1) p. a), c), e) – processing must be correct, pertinent, not excessive and limited to the purpose; art. 6 para. (1) – prohibits the processing of special categories of data, including those regarding health, with the exceptions expressly provided for by law; art. 29 para. (1) – imposes the obligation to ensure the confidentiality of data and to prevent unauthorized disclosure.

       Therefore, concluding the above, the NCPDP found that the President of the district did not respect the principles of legality, proportionality and confidentiality in the process of processing patient data.

       By transmitting medical records containing sensitive data to counselors, without the consent of the data subjects and without a valid legal basis, an unauthorized disclosure of personal data occurred, which constitutes a violation of the principles of personal data protection. In the case, the NCPDP initiated the contravention procedure.

4.        The NCPDP examined the complaint of a personal data subject, through which he complained about the processing of personal data belonging to him by a company.

       Thus, during the investigation, it was found that the data subject, over a period of time, had concluded a contract with the company in question, however, the personal data processing operations carried out by the controller (legal entity) were carried out automatically, in the absence of the data subject’s consent after the expiry of the contract concluded between them.

       Based on the materials presented by the controller, it was found that the data subject did not give his/her consent to the processing of his/her personal data by the company in question, following the conclusion/closure of the contract, and another legal basis for the processing of personal data, if applicable, was not identified.

       Therefore, through the actions described, the data controller violated the provisions of art. 4 para. (1) p. a), e) and art. 5 para. (1) of Law no. 133/2011. In the case, the NCPDP initiated the contravention procedure.

IV.            Prevention activity

       During the reference period, in order to carry out the advisory tasks, in addition to the multiple answers provided, for advisory purposes, 70 consultations were provided by telephone, via e-mail or at the authority’s headquarters.

V.               International and European news

• Between July 2-3, 2025, representatives of the National Center for Personal Data Protection (NCPDP) participated in the 75th meeting of the International Working Group on Data Protection in Technology (known as the “Berlin Group”), which took place in the city of Tbilisi, Georgia.

       The aim of the event was to bring together international experts in the field of data protection to discuss and analyze the impact of new technologies on privacy and personal data security. During the meeting, participants exchanged good practices, presented national innovations, and addressed emerging challenges such as neurodata, 6G technology, and digital identity, with a view to developing common recommendations to support the improvement of data protection standards at the international level.

       During the two working days, important topics were addressed, such as:

• Neurodata and the implications for privacy;
• The evolution of 6G technology and the related challenges in the field of data protection;
• Digital identity;
• Government digital services and data protection within them (e.g. MY.GOV.GE – the unified portal of electronic services in Georgia);
• National presentations on innovations and good practices in the field of data protection.

       The event represented a valuable framework for the international exchange of experience, strengthening cooperation between supervisory authorities and identifying common directions of action facing new technological challenges, bringing together representatives from 14 countries, as well as delegates from the European Data Protection Supervisor and the Electronic Privacy Information Center.

• On September 11, representatives of the NCPDP participated in the plenary meeting of the European Data Protection Board (EDPB) that took place online. During the plenary meeting, the EDPB adopted the guidance on the interaction between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR).

       This guide is the first of its kind and aims to ensure consistent application of both regulations, given that some provisions of the DSA involve the processing of personal data. Essentially, the DSA complements the GDPR, guaranteeing the protection of users’ fundamental rights in the digital environment and regulating online services such as search engines and digital platforms.

       The guide details how the GDPR should be applied within the framework of DSA obligations, in areas such as reporting illegal content, automated content recommendations, protection of minors and advertising transparency. They also support cooperation between regulators to provide legal certainty to online service providers and protect users’ rights. The guide will be subject to a public consultation, giving stakeholders the opportunity to provide feedback.

VI.            Other data protection authorities

• On June 23, 2025, The Polish Data Protection Authority issued a final decision imposing administrative fines of EUR 4,022,773 on McDonald’s Polska and EUR 43,680 on 24/7 Communication for violating Article 5 (Principles related to the processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 32 (Security of processing), Article 34 (Communication of a personal data breach to the data subject) and Article 38 (Position of the data protection officer) of the GDPR.

        McDonald’s Polska LLC notified a data security breach, as a controller, finding that the following data of its employees and franchisees were included in the shared file in the public catalogue: names, personal identification numbers (PESEL numbers), passport numbers (if the PESEL number is not available), McDonald’s restaurant number, date and time of starting work, date and time of ending work, number of hours worked, holidays, type of work, etc.

       The investigation found that neither the controller (McDonald’s Polska) nor the processor (24/7 Communication) had conducted a risk analysis and had not implemented sufficient technical and organizational measures to protect personal data. Furthermore, the data protection officer was not properly involved, and the audit and monitoring obligations of the partners were not respected.

       The Polish SA emphasized that the responsibility for data protection lies with both companies that collect and manage personal data and their contractual partners. Security measures must be constantly checked and updated, not just at the beginning of data processing.

        In this context, the Polish SA imposed an administrative fine of 4 022 773 euros on McDonald’s Polska LLC and 43 680 euros on 24/7 Communication LLC.

• The Italian parliament has adopted a new law on artificial intelligence (AI), becoming the first country in the European Union to have comprehensive AI regulations aligned with EU law. The law aims to promote “human-centric, transparent and safe use of AI”, with a focus on “innovation, cybersecurity and privacy protection”.

       The new legislation provides:

• Prison sentences (1–5 years) for the illegal dissemination of AI-generated content (such as deepfakes) when it causes harm; harsher penalties if the technology is used for fraud or identity theft.
• Protection of minors: children under 14 will only be able to use AI applications with parental consent.
• Strict transparency and human oversight rules for the use of AI that will regulate how the technology is used in the workplace and in sectors such as health, education, justice and sports.
• Copyright: works created with the help of AI are protected only if there is a real intellectual contribution; automatic analysis of texts and data will only be allowed for free content or for scientific research carried out by authorized institutions.
• Financial support: The government is allocating up to €1 billion (£870 million) from a state-backed fund for equity investments in small and medium-sized enterprises, as well as large companies active in the fields of artificial intelligence, cybersecurity, quantum technologies and telecommunications.

       The government designated the Agency for Digital Italy and the National Cybersecurity Agency to enforce the legislation, which received final approval in parliament after a year of debate.

       On November 12-13, 2025, representatives of the National Center for Personal Data Protection (NCPDP) participated in the Moldova Cyber ​​Summit 2025: Stronger Together, an event dedicated to strengthening digital resilience and international cooperation in the field of cybersecurity.

       The summit explored the strategic, technical and human dimensions of cybersecurity, transforming local and international lessons into concrete actions and highlighting Moldova’s growing role as a regional leader in cyber resilience and European integration.

       Victoria Muntean, Director of NCPDP, delivered a welcoming message at the opening of the summit, noting that, “cyber threats know no borders, and data protection and digital resilience can only be achieved through joint efforts of all — data controllers from the public and private sectors, civil society and international partners. The Republic of Moldova is strengthening, with responsibility and determination, its status as a credible regional partner in the field of cybersecurity and personal data protection, constantly advancing on the path of harmonizing these priority areas with European standards. In this context, today’s event is a significant stage in the process of digital modernization based on trust, transparency and responsibility.”

Several topics were addressed during the summit, such as:

• Strengthening Moldova’s national cybersecurity governance and institutional capacity;
• Supporting legislative and operational alignment with European standards;
• Sharing regional and international experiences in safeguarding critical systems, individuals and democratic processes;
• Promoting public trust and fostering partnerships among government, the private sector and international allies.

       The event brought together over 150 leaders and experts from government institutions, critical infrastructure sectors, the European Union, NATO and the cybersecurity community, and was organized by the E-Governance Academy (eGA), in partnership with the Ministry of Economic Development and Digitalization of the Republic of Moldova, and funded by the European Union through the Moldova Cybersecurity Rapid Assistance project.