I.  Information and training activities carried out by NCPDP

In the second quarter of 2024 (April – June), the National Center for Personal Data Protection (NCPDP), continued to make progress in the part related to activities of informing and awareness-raising  of general public with regard to the field of personal data protection.

During the reporting period, the organization of training courses for the subdivisions of the General Police Inspectorate (GPI) continued, according to the training plan approved and signed by the heads of the NCPDP and GPI on 26 January 2024. Their aim was to increase the awareness of the employees of the subdivisions of the GPI on the principles of personal data protection, as well as on ensuring the correct application of the relevant legal provisions in the work they perform. The events addressed important topics such as: Definition of general notions related to the field of personal data protection; the legal manner of personal data processing  in the activity carried out by the employees of the GPI subdivisions; the requirements for the protection of personal data in the performance of their duties; the obligations of the police body as a data controller in relation to the data subject; the correct procedure for accessing personal data through the state information systems, as well as keeping correct audit records of such accesses; ensuring the security and confidentiality of the processed personal data, etc.

Thus, training courses were organized for the following subdivisions:

– May 21 – Chisinau Municipality Police Department;

– June 28 – “South” Patrol Directorate of the National Public Security Inspectorate.

In this context, about 155 representatives of the GPI subdivisions were trained.

At the same time, during the reporting period the information and awareness-raising campaign for school communities was continued under the title: “Personal data protection and child safety in the online environment“. The aim of the campaign was to provide the school community with high visibility on personal data protection and child safety online at local and national level by promoting empowerment and best practices for intervention and support. The topics covered in the trainings were: general notions on personal data; the correct use of photos/video online; risks and threats online; communication on social networks, etc.

Thus, several training courses were organized, such as:

– April 19 – Public Institution Theoretical High School “Liviu Rebreanu”;

– April 23 – Public Institution “Iulia Hașdeu” Theoretical High School.

The events took place in the framework of the Personal Development class, the target audience being the students of classes IV “A”, IV “B” and IV “C”.

About 200 students were trained in this context.

On February 21, 2024, the heads of the NCPDP and the General Inspectorate of the Border Police (GIBP)  approved and signed the Training Plan in the field of personal data protection for Border Police staff, thus organizing several training courses. The aim was to raise the awareness of the employees of the GIBP’s subdivisions of the principles of personal data protection and to ensure the correct application of the relevant legal provisions in their work. Thus, training courses were organized for the following subdivisions:

– April 03 – Border Police Sector “Chisinau International Airport” of GIBP;

– April 10 – General Inspectorate of Border Police.

In this context, about 120 representatives of the GIBP subdivisions have been trained.

During the reporting period, the NCPDP manifested openness and cooperation, organizing multiple training courses for representatives of public institutions, at their request. The training courses were aimed at familiarizing public officials with the aspects related to the field of personal data protection in the public service, the regulation of processing procedures, as well as with the confidentiality and security regime of personal data in accordance with the legislation in force.

During the events important topics were discussed, such as: definition of general concepts related to the field of personal data protection; principles and legal grounds for personal data processing; rights of personal data subjects; processing of special categories of personal data; requirements for the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of personal data processed; issues related to the appointment of the Data Protection Officer (DPO), as well as his/her duties and tasks; issues related to the Data Protection Impact Assessment (DPIA), as well as the steps of conducting a DPIA, etc. Thus, training courses were organized for the following institutions:

– April 04 – State Chancellery, territorial offices; 

– April 16 – Single National Service for Emergency Calls 112;

– April 18 – State Pedagogical University “Ion Creangă”;

– 16 May – Standardization Institute of Moldova;

– May 30 – Electronic Governance Agency;

– June 05 – Chisinau City Hall;

– June 07 – Ministry of Foreign Affairs and European Integration;

– June 21 – State Tax Service;

– June 25 – Unified Center for the Provision of Public Services;

– June 26 – State Tax Service, territorial tax officials;

– June 27 – Land registration and evaluation project.

About 710 representatives of public institutions were trained in this context.

II. Control activity

In the period April – June 2024, the NCPDP launched compliance checks of personal data processing operations in 75 cases. During the reporting period, 83 decisions were issued, of which 34 cases were found to be in violation of the legal provisions, and 25 infringement reports were concluded, which were subsequently submitted to the court for decision.

III. Findings of the National Center for Personal Data Protection

I. The NCPDP examined the complaint of a data subject regarding the alleged fact of improper processing of personal data concerning him by the employees of a state institution, manifested by accessing/consulting personal information stored in state information resources – the State Register of Population and the State Register of Drivers. During the investigation it was determined that the petitioner, while driving the car he owned and traveling on a public road, was involved in a conflict with the driver and passenger of another car, contrary to the Road Traffic Regulation. At the same time, an employee of the Patrol Service accessed personal data concerning the data subject through the E-Data Module, claiming that it was an wrong access, since being after working hours, he would have been requested to identify the owner of a car that would have been parked irregularly.

According to item 2 and item 1 sub-item 1 of the Regulation on the functioning of the data module of the automated information system “Records of traffic offenses, persons who have committed traffic offenses and penalty points applied”, the user of the module is obliged to access the information in strict accordance with the provisions of the Regulation, only from mobile and fixed equipment in the departmental possession and only during the performance of their duties.

Thus, in the light of the abovementioned rules, the NCPDP found that the employee of the Patrol Service acted independently, carrying out operations of personal data processing of the data subject, manifested by consulting, viewing personal information, such as: name, surname, surname, раtrоnimic, IDNP, number of vehicle registration, driving license data (license no. and category, penality points), information on whether the person is deprived or not of а special right to drive, etc., in the absence of a legal basis and without the соnsent of the data subject, ignoring the provisions of Art. 4 para. (1) lit. a), b), c) and Art. 5 para. (1) and Art. 9 of the Law on Personal Data Protection.

However, in this case, the justification of the employee of the patrol service, that he wrongly accessed, through the E-Data module, the data of the vehicle involved in the traffic conflict, whose number would be similar to the one parked irregularly, an obligation that comes in accordance with his duties, cannot be considered truthful, since the information in question was accessed out of the working hours.

II.   Following a complaint filed by a data subject, the NCPDP has initiated by itself the alleged unlawful processing by a citizen of personal data of persons from different localities of the Republic of Moldova, manifested by the publication on social networks “Facebook” and “YouTube” of video footage, made via a mobile phone that causes the offering of food packages to elderly people, including bedridden, recording their image and voice, as well as data relating to their age and residence.

During the investigation, the Supervisory Authority found that, while performing charitable acts, he made numerous video recordings on the premises of data subjects’ real estate in different localities, without consent, deliberately disclosing/disclosing through social media posts the personal data of the data subjects concerned.

Respectively, using the user profile in the social network Facebook, as well as the YouTube channel that it manages, the controller has processed by disclosure to unrestricted public access, personal data concerning data subjects from different localities of the Republic of Moldova, such as: name, surname, age, domicile, as well as the image of persons, in the absence of a purpose and legal basis justifying the interference with the inviolability of the data subject’s privacy, in which case the personal data subjects did not express their consent for further processing of personal data.

The NCPDP therefore reiterates that any processing of personal data must be necessary for the intended purpose. This condition requires a link between the processing and the interests pursued. The requirement of necessity applies to ensure that the processing of personal data will not lead to an unduly broad interpretation of the need to process data. This means that consideration should be given to whether other less privacy-invasive means are available to serve the intended purpose.

The NCPDP does not deny the beneficial nature of charitable actions carried out, on a case-by-case basis, by the controller, but the publication on social networks/internet of personal data of data subjects, without their consent, for unrestricted public access, violates the principles of personal data protection, all more since  in multiple cases, it is found that information on the health of data subjects is disclosed, which constitutes a special category of personal data, requiring a high level of protection.

Accordingly, the Supervisory Authority found that the processing of personal data of persons reflected in the video footage published by the controller is contrary to the principles of personal data protection, and such actions contravene the provisions of Art. 4 para.  (1) and Article 29 para. (1) of Law No 133/2011 on personal data  protection.

III. The NCPDP examined the complaint received from a state authority regarding the complaint of a personal data subject, who requested the verification of the lawfulness of the personal data processing operations concerning him, carried out by means of several automated record systems, by 13 data controllers, including a central specialized body of the local public administration (hereinafter – data controller), in accordance with the provisions of Law no. 133/2011 on the protection of personal data.

In these circumstances,  NCPDP has initiated the verification of compliance with the provisions of Art. 4 letter. a) and b), Art. 5 and Art. 30 of Law no. 133/2011, when processing personal data of the data subject.

During the examination of the gathered material, it was found that the data controller did not take appropriate actions regarding the necessary organizational and technical measures for the protection of personal data, designed to ensure an adequate level of integrity, confidentiality and security in terms of processing risks and the nature/nature of the data processed in the Central Data Bank of the cadastre of immovable property, or, on termination of the employment relationship with the employee of the local public administration to whom a user account had been assigned at Central Data Bank of the cadastre of immovable property, for the performance of duties within that entity, his right of access to the said information resource was not withdrawn.

Thus, the given user, who currently holds a position of public dignity, carried out the personal data processing operations of the personal data subject for another purpose, using the account provided by the local public administration.

IV.  The NCPDP examined the data subjects’ complaint regarding the alleged fact of improper processing of personal data, materialized by the publication of personal data by the mayor of the locality, in a group on the social network “Facebook”, of the pay list of employees of an institution subordinated to the Local Public Administration, which contained: name, surname, patronymic and salary amount per person.

In the course of the investigation, the NCPDP found that the personal data concerning 54 subjects had been published by the mayor on the social network in order to combat misinformation and falsehoods spread by the employees of the institution, such as that the mayor would restrict the right to receive the salary.

Thus, it was determined that the mayor was convinced that the data used, such as: name, surname and amount/value of salary are public data, being centered on the provisions of Law no. 148/2023. However, it was found that, the persons concerned in the published list are not civil servants and are not subject to the regulations stipulated by Law 148/2023, except for the director who is appointed on the basis of a competitive examination by the City Council and contractually employed by the Mayor. Moreover, Law 148/2023 entered into force on 08.01.2024.

As a result of the resolution of the complaint, the NCPDP found by decision the violation of art. 4 para. (1) letter (1) and Art. (1) of Law no. 133/2011 on the protection of personal data by the mayor of the municipality when processing the personal data of the data subjects concerned in the November 2023 Payment List.

At the same time, the NCPDP ordered the deletion by the mayor of the commune from the social network group “Facebook” of the image containing information on  personal data of the data subjects referred to in the November 2023 Payment List.

IV. Surveillance activity

For the purpose of providing methodological and advisory support to personal data controllers and/or processors, more than 50 telephone consultations and 6 replies by e-mail were provided and recommendations were proposed to remove discrepancies identified by personal data controllers.

5. International and European news

• On April 16-17,  the representatives of the NCPDP attended the 92^nd plenary meeting of the European Data Protection Board (EDPB). During the meeting several topics were discussed and several key documents were adopted:

1. An opinion following a referral under Article 64(2) of the GDPR on consent to data processing in behavioral advertising: authorities from the Netherlands, Norway and Hamburg requested an EDPB opinion on the “consent or pay” models used by large online platforms. The opinion concludes that these models usually do not provide valid consent, as users are forced to choose between consent to data processing or payment of a fee. The EDPB recommends that platforms offer users real alternatives, including free options without behavioral advertising.

2.  EDPB strategy for the period 2024-2027, which defines four main pillars:

   – Enhancing harmonization and promoting compliance.

   – Strengthening a common enforcement culture and effective cooperation.

   – Safeguarding data protection in the context of the developing digital landscape and cross regulation.

   – Contributing to the global data protection dialog.

3. The EDPB adopted a Rules of Procedure, a public notice and model complaint forms to facilitate the implementation of the redress mechanisms in the EU-US Data Privacy Framework. These mechanisms deal with complaints related to national security and commercial purposes for data transmitted after July 10, 2023.

• In the period  14-16 May 2024, representatives of the NCPDP participated in the 32^nd Spring Conference of European Data Protection Authorities.

During the working sessions, topical topics were presented, such as:

– The role of Data Protection Authorities in the era of evolving digital regulation;

– Managing data protection and privacy in the era of emerging technologies and innovations;

– Health data protection in the age of digitization;

– Shaping data protection through the cooperative experience of Data Protection Authorities;

– Managing Anti-Money Laundering (AML) and General Data Protection Regulation (GDPR) regulations: challenges, cooperation and compliance;

– Enhancing AML and GDPR compliance through collaborative strategies.

For the second time during a Spring Conference of the European Data Protection Authorities, an open day was organized. This provided the opportunity for several institutions, NGOs or other organizations that expressed an interest in the topics addressed during the event to participate, including in online format.

The event was attended by 145 representatives from 43 countries such as: Austria, Belgium, Belgium, Bulgaria, Croatia, Denmark, France, Georgia, Germany, Greece, Hungary, Italy, Malta, Moldova, Portugal, Romania, Spain, Switzerland, Ukraine, etc. Representatives of four organizations were also present: FRA, EDPS, EDPB and the European Commission.

• From June 3 to June 6, in Brussels, Belgium, representatives of the NCPDP participated in the event “Council for Progress on Governance in the Eastern Partnership Countries“, implemented by GIZ and co-financed jointly by the European Union and the German Federal Ministry for Economic Cooperation and Development.

  The scope of the event was to facilitate a practical, expert-level dialog between selected institutions from the EaP countries on good governance. This includes the use of the benchmarks of the revised Principles of Public Administration in areas that align with aspects of good governance. These include government effectiveness, regulatory quality, rule of law, voice and accountability, political stability and anti-corruption measures. The event aimed to deepen the practice of applying the revised principles to good governance issues, emphasizing the importance of a citizen-centred approach, accountability, transparency and efficiency as key pillars of good governance.

  During the event, participants were divided into 5 working groups, including: 

  – Group 1. Effective parliamentary oversight as a way to increase trust in government;

  – Group 2: Increasing government effectiveness by improving policy and decision-making processes;

  – Group 3: Building a professional public service;

  – Group 4: Transformation through inclusive digitization;

  – Group 5: Rule of Law.

• In the period 4-6 June the 46th plenary meeting of the Consultative Committee of Convention 108 took place  in Strasbourg, France.

  The last meeting of the Committee discussed the work program for the years 2022-2025 and the state of play regarding the signature and ratification of the Protocol amending Convention 108+, necessary for the protection of personal data. Of the 46 signatory states, 31 have ratified the Protocol, with 38 ratifications needed for entry into force. The delegation of the Republic of Moldova presented the progress in the ratification of the Protocol and the approval of a new data protection law, transposing the GDPR, by the Parliament. The Ministry of Justice mentioned that the ratification of the Protocol will be achieved after the adoption of the new law.

  The Committee took note of Costa Rica’s commitment for accession and discussed the model contractual clauses for transborder data flows and adopted the final document. The revised draft interpretation of Article 11 of the modernized Convention 108 was also presented. Professor Colin J. Bennett presented a paper on data processing in the electoral process, subsequently adopted by the Committee.

  Cooperation with other Council of Europe bodies was discussed, welcoming the adoption of the new Framework Convention on AI. The Bureau took note of the expert report and urged the development of guidelines on neuroscience and data protection. The delegation of the Republic of Moldova reported on the national conference “Raising awareness on Convention 108+”, organized in collaboration with TAIEX experts.

  The plenary meeting was attended by representatives from 54 countries, the next meeting is scheduled for November 4-6, 2024, and the next Bureau meeting for September 11-13, 2024.

• In the period 18-19 June 2024, the 94^th Plenary Session of the European Data Protection Board took place in Brussels, Belgium, where the Republic of Moldova participated as observer. During the meeting, Zdravko Vukić, Director of the Croatian Data Protection Agency, was elected as EDPB’s Vice-Chair, succeeding Aleid Wolfsen. Vukić, together with Irene Loizidou Nikolaidou and Anu Talus, will ensure consistent application of EU data protection rules and promote cooperation between data protection authorities in the European Economic Area.

  The meeting adopted Guidelines 01/2023 on Article 37 of the Enforcement Directive. These guidelines provide guidance on the appropriate safeguards to be applied by competent authorities under Article 37 LED and the expectations of the EDPB in negotiations between Member States and third parties or international organizations.

  It also discussed best practices for the organization of EDPB plenary meetings, emphasizing the importance of transparency, efficiency of procedures, consensus in decisions and follow-up of their implementation. Recommendations included respect for the principle of transparency, effective use of digital tools, promotion of constructive dialog and regular evaluation of the effectiveness of meetings. These practices are essential to ensure effective governance and adequate protection of personal data in the European Union.

  6. Other data protection authorities

• On May 08, it was announced about the decision of the Finnish Data Protection Authority (FI SA) to impose an administrative fine of 856 000 euro on Verkkokauppa.com for breach of Art. 5 Principles relating to the processing of personal data and Art. 25 Ensuring data protection by design and by default of the GDPR.

FI SA investigated the activities of online retailer Verkkokauppa.com following a complaint from a customer. The controller had asked the customer to register as a customer before shopping online. Shopping in the online shop was not possible without creating a customer account. 

The investigation found that the controller did not specify the storage period of the data collected for the customer accounts in its online shop and that the data was stored indefinitely. Furthermore, the controller’s practice of requiring the creation of a customer account in order to make online purchases violated data protection legislation. The creation of a customer account or the storage of personal data resulting from such creation may not be a mandatory requirement to make individual purchases online.

In this context, the FI SA imposed an administrative fine of € 856 000 on the controller for not defining the storage period for personal data on customer accounts. The controller was required to specify an appropriate storage period for customer account data and to rectify its mandatory registration practice. Verkkokauppa.com was also reprimanded for practices in breach of data protection legislation.

• On May 02, it was announced about the decision of the Czech Data Protection Authority (SA) of April 10, 2024 to impose an administrative fine of €13.9 million to a company registered in the Czech Republic for violation of Art. 6 Lawfulness of processing and Art. 13 Information to be provided where personal data is collected from the data subject of the GDPR.

  The case concerns the controller’s transfer of personal data collected by the controller from users of its antivirus software to an affiliated company. The proceedings were initiated on the basis of media reports and an anonymous file.

  Following the investigation, the Czech SA found that the controller transferred  personal data of users of anti-virus software and browser extensions to the affiliated company without having a legal basis for such processing. The transferred data related to approximately 100 million users and included in particular the pseudonymized web browsing history of the users linked to a unique identifier. In addition, the Czech SA found that the controller misinformed its users (data subjects) about these data transfers, as it claimed that the transferred data were anonymized and used exclusively for statistical sales analysis. At the same time, the Czech Data Protection Authority concluded that Internet browsing history, even if not complete, may constitute personal data, as re-identification of at least some of the data subjects could occur. The controller’s breach is all the more serious as it is one of the leading experts in the field of cybersecurity, providing the public with data protection and privacy tools.

  An administrative fine of €13.9 million (CZK 351 million) was imposed on the data controller. The decision is final and enforceable.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the issuance of a decision regarding the establishment of the non-compliant processing of personal data by the mayor of a locality.

The non-compliant processing of personal data of the data subject who notified the National Authority for personal data protection, was materialized by multiple accesses by the mayor of the locality, the data contained in the Real Estate Register, without having a purpose and legal basis, as well as in the absence of the data subject’s consent.

At the same time, during the examination of the audit of personal data accesses by the mayor, NCPDP found that the mayor made 134 personal data accesses, from 10 different IP addresses, of which multiple accesses were made outside the work schedule and on weekends.

Thus, following the control of those notified, was found the violation of art. 4, art. 5 and art. 29 of the Law 133/2011 on personal data protection.

Therefore, from the content of the related circumstances, it results the fact of the existence in the actions / inactions of the mayor of the contravention provided by art. 741 para. (2) Contravention Code.

In the light of the above, the NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

At the same time, the NCPDP established prescriptions for the mayor concerned, to remove the non-conformities found in the decision, and to inform the NCPDP about the actions performed, within the established terms.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of EUR 40 000 applied by Norwegian Data Protection Authority to Coop Finnmark SA, for unlawful distribution of a camera recording from a shop.

After examining the case, the Norwegian Data Protection Authority found that the Coop Finnmark had no legal basis for the distribution of those video sequences. Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority, mentioned: “The requirement for a legal basis is a basic principle of the General Data Protection Regulation, and any violation of this principle is considered serious”.

The Norwegian Data Protection Authority finds that this case is so severe that a fine is the appropriate corrective measure. The Authority has given weight to the fact that the camera footage showed children, and that the distribution potentially entailed a major risk to their privacy. The fine amount was calculated on the basis of an overall assessment of the severity of the violation and the financial situation of the organization.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of EUR 250 000 applied by Swedish Authority for Privacy Protection to Police Authority, for unlawfully use of application Clearview AI for facial recognition in order to identify people.

The investigation carried out by Swedish Authority for Privacy Protection concluded that Clearview AI has been used by a few employees without any prior authorisation. The Police Authority has failed to implement sufficient organisational measures to ensure and be able to demonstrate that the processing of personal data in this case has been carried out in compliance with the Criminal Data Act, unlawfully processing biometric data for facial recognition as well as having failed to conduct a data protection impact assessment which this case of processing would require. There are clearly defined rules and regulations on how the Police Authority may process personal data and it is the responsibility of the Police  Authority to ensure that employees are aware of those rules.

Furthermore, to the fine mentioned above, Police Authority will conduct further training and education of its employees in order to avoid any future unlawfully processing of personal data. In addition, will inform the data subjects, whose data has been disclosed to Clearview AI, when confidentiality rules so allows. Finally, the Police Authority will  ensure, to the extent possible, that any personal data transferred to Clearview AI is erased.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The year 2021 marks 40 years since the adoption, in 1981, in Strasbourg, of Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data represents an international instrument that engages responsibility and protects individuals from abuses that may occur during data collection and processing, and raises the task of regulating the cross-border data flows.

The Republic of Moldova signed this Convention 108 on May 4, 1998 and ratified it by the Parliament Decision No. 483-XIV of July 2, 1999, and it is in force in our country since June 1, 2008. The Republic of Moldova has designated the National Center for Data Protection with Personal Character as a competent authority for the implementation of the provisions of the Convention and for maintaining relations of mutual assistance with other Parties.

In this context, the National Center for Personal Data Protection (Center) informs that the objective of the authority remains the same – informing data subjects about their rights and holding personal data controllers responsible for complying with the relevant legislation.

The retrospective of the year 2020 indicates the following basic aspects in the activity of the Personal Data Protection Authority:

The Center examined 833 complaints submitted by individuals – subjects of personal data, i.e. 12% more compared to the previous year. Most complaints concerned the following topics:

– realization of the rights of personal data subjects (access, information, intervention, opposition),

– processing of personal data through video / audio surveillance systems,

– processing of personal data stored in various state information resources, etc.

During 2020, the Center examined 1472 notifications submitted for registration in the Register of evidence of personal data controllers, both personal data controllers and filing systems stored in automated and / or manual form in which personal data are processed.

Regarding the control of compliance of personal data processing with the requirements of the Law on personal data protection, in 2020, more than 300 control materials were initiated and examined, both based on complaints of personal data subjects, notifications / self-notifications , as well as on the basis of requests for authorization of the cross-border transmission of personal data.

Even though 2020 was a year of challenges, emerging from the global pandemic situation, the Center sought to focus on strengthening bilateral and multilateral relations with external partners, both within international organizations and individually. To achieve this, the Centre’s staff participated in the working meetings of the European Data Protection Board and the plenary meetings of the Council of Europe. At the same time, during 2020, the Center applied and obtained the support from the TAIEX Project – on the organization of the workshop: “Processing and protection of personal data in the field of public health, in the context of possible global challenges! (COVID-19 pandemic) ”. This event is currently taking place in online format (January 26-28).

In terms of training, the Center held multiple working meetings with representatives of public and private institutions on issues related to: assistance in developing codes of conduct in various areas of activity, examination of sectoral laws, guidance and consulting, etc. At the same time, the representatives of the Center organized trainings attended by about 500 people both from Chisinau and from the districts of the Republic of Moldova.

The storage period as well as the disclosure of health data in the context of the COVID-19 pandemic – among the topics of interest discussed during the workshop “Processing and protection of personal data in the field of public health in the context of possible global challenges! (COVID – 19 pandemic)”, conducted online over three days (January 26,27,28).

Denis Coțofan, Deputy Head of the Legal Department, NCPDP spoke during the event about the requirements of personal data protection legislation in the health sector at national level, the processing of special categories of personal data, as well as the legal grounds of the processing of health data. In this context, Mr. Coțofan answered the questions of the participants regarding the video surveillance in hospitals, the storage period of the information obtained after the video surveillance containing personal data, but also regarding the processing of health data in the context of the pandemic COVID-19. Furthermore, recommendations were presented for employees in the health sector in order to apply security measures related to the personal data protection.

Jelena Siminiati, Assistant Director of Legal Affairs Clinical Hospital Center Rijeka, Croatia mentioned during the workshop about the EU experience on the legality of personal data processing  by the competent public authorities in the context of the pandemic COVID – 19, patients’ rights, obligation of confidentiality, as well as the balance between public health and security and the right to the personal data protection.

An important aspect in combating the pandemic COVID – 19, according to Mr. David Balla, Director of Reimbursement system, DRG Team, Ministry of Health, Slovakia, would be use of location data and contact tracing tools. Furthermore, Mr. Balla exposed himself on topics such as disclosure of personal data, data minimisation and storage limitation.

The workshop was moderated by personal data protection experts from Croatia, Slovakia and representatives of the NCPDP and was organized for three regions of the country: central, northern and southern. The event was attended by about 200 persons.

The workshop was organized and funded by the Technical Assistance and Information Exchange instrument of the European Commission (TAIEX).

Personal data are processed at any time worldwide – at work, by public authorities and private entities, in the field of health, when trading goods or services, while traveling outside the country or when data subjects surf the Internet.

Data Protection Day is celebrated every year, on January 28. On this occasion, the national authorities responsible for ensuring the protection of personal data organize specific activities to draw attention to the rights and responsibilities regarding the personal data protection. These activities include campaigns aimed at the general public.

Thus, in the context of Data Protection Day, a few employees of the National Center for Personal Data Protection (NCPDP) distributed to passers-by, near the Cathedral Square, information materials on the importance of personal data protection. During the action, citizens were informed about personal data, the rights of personal data subjects, security and confidentiality measures when processing data. At the same time, people have been made aware of possible abuses and consequences of situations in which personal data may be taken by violating the provisions of national law in the field by personal data controllers.

This year, NCPDP aims at organizing several activities to inform the public about the protection of personal data, but also to ensure the development of a constructive and permanent dialogue with all stakeholders in order to identify optimal solutions for the correct application of legal rules in the field of data protection.

Dear citizens,

January 28 is a special day for the personal data protection. On 28 January 1981, in Strasbourg, was adopted the Convention no. 108 for the protection of individuals with regard to the automatic processing of personal data. Subsequently, on 26 April 2006, the Committee of Ministers of the Council of Europe decided to launch a Data Protection Day, which would be celebrated every year on 28 January. Thus, January 28 was declared – Data Protection Day. Every year, the member states of the Council of Europe organize various public activities and events to celebrate this day.

Respectively, the Republic of Moldova celebrates this event together with all European states. Although the field of personal data protection is a relatively new one for the society of the Republic of Moldova, however, in the last decade we have managed to make great steps in ensuring respect for the right to privacy, in terms of personal data processing, as well as regarding our efforts to comply with European standards in the field of personal data protection.

This year, NCPDP will continue to inform data subjects and to hold controllers accountable for complying with the provisions of the relevant legislation. Although the year 2020 was marked by the COVID-19 pandemic, NCPDP representatives continued to conduct online training, both in Chisinau and in the country. Over 500 people from various fields were trained within these activities. The trainings were focused most on the following fields: central and local public administration, health, police, social sphere and labor law.

For 2021, the objectives of the NCPDP are: continuation of information campaigns in the country, training and education of personal data protection officials in the public and private sector. We will ally with parents to raise awareness of personal data protection, we will continue to monitor how data protection rights are respected, we will continue to promote the new draft law on personal data protection for voting in final reading by the Parliament of the Republic of Moldova.
Dear citizens, for me it is important to involve everyone! I urge you to pay special attention to the protection of personal data and the rights of personal data subjects, and if you have noticed situations of improper processing of data concerning you, contact the National Center for Personal Data Protection.

Take care of your data!

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine, equivalent to 460 thousand euros applied by the Poland Personal Data Protection Office (UODO) to the Polish mobile phone company, Virgin Mobile Polska for the lack of adequate technical and organizational measures implemented to ensure the security of the processed data.

UODO stated that the company infringed the principles of data confidentiality and accountability. Virgin Mobile did not carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were only undertaken when there were suspicions of vulnerability or in connection with organisational changes. Moreover, no tests were carried out to verify safeguards related to the transfer of data between applications related to the servicing of buyers of prepaid services. In addition, the vulnerability associated with data exchange in these systems was used by an unauthorised person to obtain data from some of the company’s clients.

In connection with a data breach, as a result of which an unauthorised person obtained customers data from one of the databases, the Supervisory Authority carried out the inspection at the company. As a result of the irregularities found, the authority instituted administrative proceedings finalised with the imposition of a fine.

The Supervisory Authority considered that the implementation of a data processing system for use without proper validation of assumed parameters was a flagrant breach by the controller.

However, given the scale and gravity of the breaches, the UODO considered that it would be disproportionate to apply remedies other than an administrative fine.

The NCPDP, as the national authority for the supervision of personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

Today, the National Center for Personal Data Protection (NCPDP) in collaboration with TAIEX project experts organizes the online workshop – “Processing and protection of personal data in the field of public health in the context of possible global challenges” (pandemic COVID – 19). The event will last three days (January 26,27,28).

The aim is to strengthen and enhance the skills of public health representatives on possible challenges that may arise globally (in the context of the pandemic COVID – 19), while respecting the fundamental rights and freedoms of individuals on personal data protection. This includes: when the processing is necessary for reasons of public interest in the area of public health, in adopting good practices based on relevant case law; setting a balance between the processing, storage, and disclosure of health data and the right to privacy; promoting clarity and specialized analysis, oriented towards the provisions of the law on personal data protection in the specific field of application. Concerning health, aim is familiarization of medical representatives with the new challenges related to the processing of personal data.

The workshop will be conducted by personal data protection experts from Croatia, Slovakia and representatives of the NCPDP and will be organized for three regions of the country: central, northern and southern. Amongst the topics addressed by the experts are: the definition of personal health data, the processing of special categories of personal data and the legal basis for the processing of personal health data.

About 300 people from the three regions of the country are expected to participate in the event.

The workshop is organized and funded by the Technical Assistance and Information Exchange Instrument of the European Commission (TAIEX).