On October 21, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for employees of the Florești Police Inspectorate, according to the training plan within the General Police Inspectorate (GPI) subdivisions for 2025, approved and signed by the heads of the NCPDP and GPI on January 28 of this year.

       The purpose of the training session was to increase the level of perception of the employees of the Florești Police Inspectorate on the principles of personal data protection, as well as on ensuring the correct application of the legal provisions in the field, in the activity they carry out.

       Important topics were discussed during the event, such as: the definitions of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; the legal way of processing personal data in the activity carried out by police bodies; requirements regarding the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of processed personal data, etc.

       The training session stood out for its relevance and usefulness for the Florești Police Inspectorate, providing important support in developing the professional skills of employees and improving institutional mechanisms and procedures. Participants deepened their knowledge of the principles of legality, transparency and responsibility in the processing of personal data, discovered good practices applicable in institutional activity and better understood the obligations they have in their daily work.

       Following the training course, participants became aware of the importance of a proactive approach to personal data protection, recognizing the crucial role of compliance in maintaining a safe and fair environment. They learned how to identify risk situations, apply appropriate security measures, and manage data protection incidents in a responsible and transparent manner. At the same time, the training contributed to the development of an institutional culture based on respecting confidentiality and professional ethics, essential aspects for the proper functioning of public order institutions.

       By organizing these activities, NCPDP reconfirms its firm commitment to supporting the continuous professional development of staff within law enforcement institutions, providing them with the necessary tools for a better understanding and application of personal data protection legislation. At the same time, NCPDP aims to promote a unitary and responsible approach to the data processing process, thus contributing to the consolidation of an institutional culture based on respect for the fundamental rights of citizens and transparency in public activity.

       During the event, 69 representatives of the Florești Police Inspectorate were trained.

       On October 22, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for representatives of the “Alexandru cel Bun” Military Academy of the Armed Forces (MAAF), at their request.

       The purpose of the training session was to strengthen the capacities of employees, pupils and students within the institution on the principles of personal data protection, as well as on the correct application of legal provisions in the field.

       Important topics were discussed during the event, such as:

• The definitions of general notions related to the field of personal data protection;
• The rights of personal data subjects;
• The principles and legal grounds for the processing of personal data;
• Ensuring the security and confidentiality of processed personal data, etc.

       The training session brought significant benefits to MAAF representatives, contributing to the consolidation of the necessary knowledge and skills in the field of personal data protection. Participants understood the importance of respecting the principles of confidentiality and responsibility in the process of processing personal data. At the same time, the training provided the opportunity to analyze practical examples, to identify risks related to improper management of personal data and to learn effective ways to prevent them.

       Following the event, the participants understood that the protection of personal data is a shared responsibility, which strengthens trust in the institution and they became aware of the need for continuous training to adapt to digital challenges and maintain a high standard of privacy protection.

       Through this training session, NCPDP contributes to the formation of an institutional culture based on responsibility, confidentiality and respect for the fundamental rights of the individual, while also providing support to teachers, pupils and students in correctly understanding how to protect their own and others’ personal data.

       Such training activities strengthen the partnership between NCPDP and institutions in the defense and education sectors, reflecting the shared commitment to promoting a secure, ethical and responsible environment in the use of information containing personal data.

       During the event, about 250 MAAF representatives were trained.

       On October 17, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for representatives of the National Center for Sustainable Energy (NCSE), at their request.

       The training session aimed to familiarize NCSE officials with aspects related to the field of personal data protection in the public service, the regulation of processing procedures, the confidentiality and security regime of personal data in accordance with the legislation in force.

       During the event, important topics were discussed, such as: the definitions of the general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; the examination of requests for disclosure of personal data; the access to information of public interest from the perspective of personal data protection legislation, etc.

       In the current context of digitalization and the expansion of the use of information technologies in the energy field, public institutions are increasingly faced with challenges related to the management and security of personal data. The session offered participants the opportunity to gain a deeper understanding of the fundamental principles of data protection, the rights of data subjects and the obligations of data controllers.

       During the training, NCSE representatives had the opportunity to acquire practical knowledge regarding: correctly identifying the categories of personal data collected and processed in the institution’s activity; assessing the risks associated with data processing and applying appropriate protection measures; how to ensure transparency and correct information of data subjects and applying the principles of confidentiality, integrity and responsibility in the institution’s activities.

       By participating in the training session, NCSE representatives understood the need to implement clear internal policies on data protection, the role of continuous training in preventing security incidents and violations of the law, as well as the benefits of transparent and ethical communication with the public and institutional partners.

       Overall, the training activity contributed to strengthening interinstitutional cooperation and promoting a proactive approach to personal data protection – an essential aspect for good governance and public trust in state institutions.

       During the event, moderated by experts in the field of personal data protection from the NCPDP, 43 representatives of the NCSE were trained.

       On October 15, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for representatives of the Border Police sector “Chisinau International Airport” of the General Inspectorate of Border Police (GIBP), according to the training plan within the GIBP subdivisions for 2025, approved and signed by the heads of NCPDP and GIBP on January 28 of this year.

       The purpose of the training session was to enhance the awareness of the employees of the Border Police Sector “Chisinau International Airport” of the GIBP on the principles of personal data protection, as well as to ensure the correct application of the legal provisions in the field, in the activity they carry out.

       Important topics were discussed during the event, such as: defining general notions related to the field of personal data protection; principles and legal grounds for the processing of personal data; rights of personal data subjects; processing of special categories of personal data; requirements regarding the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of processed personal data, etc.

       The training session contributed significantly to strengthening the theoretical and practical knowledge of the participants regarding the correct application of national and european data protection legislation, especially in situations specific to the field of activity – state border control, document verification, inter-institutional cooperation and the use of information systems.

       Through the training, participants had the opportunity to clarify their responsibilities according to their competencies, as well as to more deeply understand the principles of legality, confidentiality, accuracy and proportionality in the process of processing personal data. At the same time, the training contributed to increasing the level of awareness regarding the risks associated with data processing in the context of the use of modern surveillance and control technologies, strengthening the institutional capacity to prevent data security incidents.

       Through this activity, NCPDP reaffirmed its role as a strategic partner of law enforcement institutions in promoting an organizational culture based on respecting the fundamental right to the protection of personal data, and for the representatives of the Border Police Sector “Chisinau International Airport” – the training represented an important step towards continuous alignment with european standards and good practices in the field.

       During the event, 50 representatives of the Border Police sector “Chisinau International Airport” of the GIBP were trained.

       The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the fines imposed by the Italian Supervisory Authority (SA) in the amount of 3 million euros for the company Acea Energia spa and 850 00 euros to the agencies involved for violating art. 5 paragraph. (1), art. 6, art. 7, art. 13, art. 24, art. 25, art. 28, art. 29, art. 32 of the GDPR and art. 130 of the National Personal Data Protection Code.

       The Italian SA conducted investigations, together with the Guardia di Finanza, following a complaint regarding the illegal activity of unauthorized call centers. They were contacting people for offers regarding energy or telephony suppliers, using databases obtained without consent and without being registered in the Register of Communications Operators (ROC).

        Investigations revealed that the personal data of customers who had recently changed their energy supplier was being used to persuade them, through deceptive methods, to sign new contracts. The data came from the network of partner companies, without the information of the individuals concerned.

       Although representatives of the energy company were in contact with the telemarketing agencies, the company revoked the collaboration and applied corrective measures once it learned of the irregularities.

       In this context, the Italian SA imposed fines of 3 million euros on the Acea Energia company spa and 850 000 euros on the agencies involved. The company must notify affected individuals and verify the legality of sub-processors, and agencies can no longer use legally unjustified contact lists.

       NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

       The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the administrative fine in the amount of 4,375,273 euros imposed by the Polish Data Protection Authority (SA) on the company ING Bank Śląski S.A. for violating Article 5 (Principles related to the processing of personal data) and Article 6 (Lawfulness of processing) of the GDPR.

      Between April 1, 2019 and September 23, 2020, the bank systematically collected copies of ID cards, without verifying whether this practice was justified by Act on Counteracting Money Laundering and Financing of Terrorism (AML Law). In many cases, the provision of banking services was conditional on scanning the identity document, even in situations that did not require financial security measures (for example, in processing a complaint at an ATM).

       Following the investigation, it was found that the bank did not conduct an individual AML/CFT risk assessment, did not justify the need to scan documents in all cases, and processed personal data without an appropriate legal basis.

       In this context, the Polish SA imposed an administrative fine of EUR 4 375 273 on ING Bank Śląski for violating Article 5 (1) a), b), c) – the principles of lawfulness, purpose limitation and data minimization and Article 6 (1) – the lawfulness of processing of the GDPR.

       NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

       The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the administrative fine of 4 022 773 euros for McDonald’s Polska Limited Liability Company (LLC) and 43,680 euros for 24/7 Communication LLC applied by the Polish Data Protection Authority (SA) for violating Article 5 (Principles related to the processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 32 (Security of processing), Article 34 (Communication of a personal data breach to the data subject) and Article 38 (Position of the data protection officer) of the GDPR.

       McDonald’s Polska LLC notified a data security breach, as a controller, finding that the following data of its employees and franchisees were included in the shared file in the public catalogue: names, personal identification numbers (PESEL numbers), passport numbers (if the PESEL number is not available), McDonald’s restaurant number, date and time of starting work, date and time of ending work, number of hours worked, holidays, type of work, etc.

       The investigation found that neither the controller (McDonald’s Polska) nor the processor (24/7 Communication) had conducted a risk analysis and had not implemented sufficient technical and organizational measures to protect personal data. Furthermore, the data protection officer was not properly involved, and the audit and monitoring obligations of the partners were not respected.

       The Polish SA emphasized that the responsibility for data protection lies with both companies that collect and manage personal data and their contractual partners. Security measures must be constantly checked and updated, not just at the beginning of data processing.

       In this context, the Polish SA imposed an administrative fine of 4 022 773 euros on McDonald’s Polska LLC and 43 680 euros on 24/7 Communication LLC.

       NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

       On October 13, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for debutants customs officials, at the request of the Customs Service (CS).

       The purpose of the training session was to increase the level of perception of debutants customs officials on the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime of personal data in accordance with the provisions of the legislation in force.  

       Important topics were discussed during the event, such as: defining general notions related to the field of personal data protection; principles and legal grounds for the processing of personal data; rights of personal data subjects; processing of special categories of personal data; requirements regarding the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of processed personal data; aspects related to the Data Protection Impact Assessment (DPIA), etc.

       The training provided participants with a clear perspective on how the principles of legality, transparency and security of personal data must be respected in daily activity.  Through practical examples and interactive discussions, debutants customs officials learned how to recognize the risks of unauthorized data processing and how to apply effective protection measures. The training also represented an important step in strengthening the relationship of trust between customs officials and citizens. By correctly understanding data protection principles and applying them in their daily work, they become promoters of an organizational culture based on integrity, responsibility and respect for the confidentiality of the information managed.

       25 debutants customs officials were trained during the event.    

     On September 25, 2025, the National Center for Personal Data Protection (NCPDP), organized a training session in the field of personal data protection for representatives of the Investment Agency, at their request.

       The purpose of the training course was to increase the level of perception of the Investment Agency employees on the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime of personal data in accordance with the provisions of the legislation in force.

       Important topics were addressed during the event, such as: the definition of general concepts related to the field of personal data protection; the rights of data subjects; the processing of special categories of personal data; the principles and legal grounds for the processing of personal data; the aspects related to the appointment of the Data Protection Officer (DPO); ensuring the security and confidentiality of personal data by employees of the Investment Agency; examining requests for disclosure of personal data and access to information of public interest from the perspective of the legislation on the protection of personal data, etc.

       The training provided by NCPDP was particularly useful for the representatives of the Investment Agency as they gained a better understanding of the requirements provided by national and European data protection legislation, thus allowing the institution to prevent potential legal risks and sanctions. At the same time, the knowledge acquired will contribute to improving internal processes, such as integrating data protection principles into information collection, storage and processing activities, while optimizing internal work procedures, and the correct application of data protection standards will contribute to strengthening the image of the Investment Agency as a modern, transparent and responsible institution, an essential aspect in the relationship with investors, partners and the general public.

       During the event, 20 representatives of the Investment Agency were trained.

       On September 19, 2025, the National Center for Personal Data Protection organized a training session in the field of personal data protection for representatives of the General Inspectorate for Migration (GIM), South Regional Directorate, in accordance to the training plan within the GIM for 2025, approved and signed by the heads of the NCPDP and the GIM on January 27th.

       The purpose of the training course was to increase the level of perception of GIM employees, South Regional Directorate, on the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime of personal data in accordance with the provisions of the legislation in force.

       Important topics were discussed during the event, such as:

• The definition of general concepts related to personal data protection;
• The rights of personal data subjects;
• The processing of special categories of personal data;
• The principles and legal grounds for data processing;
• Requirements regarding the personal data protection in the exercise of official duties;
• Aspects related to the appointment of the Data Protection Officer (DPO);
• Obligations and tasks of a DPO;
• Ensuring the security and confidentiality of processed personal data, etc.

       The training course proved to be interactive, with participants asking multiple questions to which they received thorough answers/explanations related to the field of personal data protection from the trainers.

       The event took place online, being trained 17 representatives from GIM, South Regional Directorate.