On October 17, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for representatives of the National Center for Sustainable Energy (NCSE), at their request.

       The training session aimed to familiarize NCSE officials with aspects related to the field of personal data protection in the public service, the regulation of processing procedures, the confidentiality and security regime of personal data in accordance with the legislation in force.

       During the event, important topics were discussed, such as: the definitions of the general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; the examination of requests for disclosure of personal data; the access to information of public interest from the perspective of personal data protection legislation, etc.

       In the current context of digitalization and the expansion of the use of information technologies in the energy field, public institutions are increasingly faced with challenges related to the management and security of personal data. The session offered participants the opportunity to gain a deeper understanding of the fundamental principles of data protection, the rights of data subjects and the obligations of data controllers.

       During the training, NCSE representatives had the opportunity to acquire practical knowledge regarding: correctly identifying the categories of personal data collected and processed in the institution’s activity; assessing the risks associated with data processing and applying appropriate protection measures; how to ensure transparency and correct information of data subjects and applying the principles of confidentiality, integrity and responsibility in the institution’s activities.

       By participating in the training session, NCSE representatives understood the need to implement clear internal policies on data protection, the role of continuous training in preventing security incidents and violations of the law, as well as the benefits of transparent and ethical communication with the public and institutional partners.

       Overall, the training activity contributed to strengthening interinstitutional cooperation and promoting a proactive approach to personal data protection – an essential aspect for good governance and public trust in state institutions.

       During the event, moderated by experts in the field of personal data protection from the NCPDP, 43 representatives of the NCSE were trained.

       On October 15, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for representatives of the Border Police sector “Chisinau International Airport” of the General Inspectorate of Border Police (GIBP), according to the training plan within the GIBP subdivisions for 2025, approved and signed by the heads of NCPDP and GIBP on January 28 of this year.

       The purpose of the training session was to enhance the awareness of the employees of the Border Police Sector “Chisinau International Airport” of the GIBP on the principles of personal data protection, as well as to ensure the correct application of the legal provisions in the field, in the activity they carry out.

       Important topics were discussed during the event, such as: defining general notions related to the field of personal data protection; principles and legal grounds for the processing of personal data; rights of personal data subjects; processing of special categories of personal data; requirements regarding the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of processed personal data, etc.

       The training session contributed significantly to strengthening the theoretical and practical knowledge of the participants regarding the correct application of national and european data protection legislation, especially in situations specific to the field of activity – state border control, document verification, inter-institutional cooperation and the use of information systems.

       Through the training, participants had the opportunity to clarify their responsibilities according to their competencies, as well as to more deeply understand the principles of legality, confidentiality, accuracy and proportionality in the process of processing personal data. At the same time, the training contributed to increasing the level of awareness regarding the risks associated with data processing in the context of the use of modern surveillance and control technologies, strengthening the institutional capacity to prevent data security incidents.

       Through this activity, NCPDP reaffirmed its role as a strategic partner of law enforcement institutions in promoting an organizational culture based on respecting the fundamental right to the protection of personal data, and for the representatives of the Border Police Sector “Chisinau International Airport” – the training represented an important step towards continuous alignment with european standards and good practices in the field.

       During the event, 50 representatives of the Border Police sector “Chisinau International Airport” of the GIBP were trained.

       The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the fines imposed by the Italian Supervisory Authority (SA) in the amount of 3 million euros for the company Acea Energia spa and 850 00 euros to the agencies involved for violating art. 5 paragraph. (1), art. 6, art. 7, art. 13, art. 24, art. 25, art. 28, art. 29, art. 32 of the GDPR and art. 130 of the National Personal Data Protection Code.

       The Italian SA conducted investigations, together with the Guardia di Finanza, following a complaint regarding the illegal activity of unauthorized call centers. They were contacting people for offers regarding energy or telephony suppliers, using databases obtained without consent and without being registered in the Register of Communications Operators (ROC).

        Investigations revealed that the personal data of customers who had recently changed their energy supplier was being used to persuade them, through deceptive methods, to sign new contracts. The data came from the network of partner companies, without the information of the individuals concerned.

       Although representatives of the energy company were in contact with the telemarketing agencies, the company revoked the collaboration and applied corrective measures once it learned of the irregularities.

       In this context, the Italian SA imposed fines of 3 million euros on the Acea Energia company spa and 850 000 euros on the agencies involved. The company must notify affected individuals and verify the legality of sub-processors, and agencies can no longer use legally unjustified contact lists.

       NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

       The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the administrative fine in the amount of 4,375,273 euros imposed by the Polish Data Protection Authority (SA) on the company ING Bank Śląski S.A. for violating Article 5 (Principles related to the processing of personal data) and Article 6 (Lawfulness of processing) of the GDPR.

      Between April 1, 2019 and September 23, 2020, the bank systematically collected copies of ID cards, without verifying whether this practice was justified by Act on Counteracting Money Laundering and Financing of Terrorism (AML Law). In many cases, the provision of banking services was conditional on scanning the identity document, even in situations that did not require financial security measures (for example, in processing a complaint at an ATM).

       Following the investigation, it was found that the bank did not conduct an individual AML/CFT risk assessment, did not justify the need to scan documents in all cases, and processed personal data without an appropriate legal basis.

       In this context, the Polish SA imposed an administrative fine of EUR 4 375 273 on ING Bank Śląski for violating Article 5 (1) a), b), c) – the principles of lawfulness, purpose limitation and data minimization and Article 6 (1) – the lawfulness of processing of the GDPR.

       NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

       The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the administrative fine of 4 022 773 euros for McDonald’s Polska Limited Liability Company (LLC) and 43,680 euros for 24/7 Communication LLC applied by the Polish Data Protection Authority (SA) for violating Article 5 (Principles related to the processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 32 (Security of processing), Article 34 (Communication of a personal data breach to the data subject) and Article 38 (Position of the data protection officer) of the GDPR.

       McDonald’s Polska LLC notified a data security breach, as a controller, finding that the following data of its employees and franchisees were included in the shared file in the public catalogue: names, personal identification numbers (PESEL numbers), passport numbers (if the PESEL number is not available), McDonald’s restaurant number, date and time of starting work, date and time of ending work, number of hours worked, holidays, type of work, etc.

       The investigation found that neither the controller (McDonald’s Polska) nor the processor (24/7 Communication) had conducted a risk analysis and had not implemented sufficient technical and organizational measures to protect personal data. Furthermore, the data protection officer was not properly involved, and the audit and monitoring obligations of the partners were not respected.

       The Polish SA emphasized that the responsibility for data protection lies with both companies that collect and manage personal data and their contractual partners. Security measures must be constantly checked and updated, not just at the beginning of data processing.

       In this context, the Polish SA imposed an administrative fine of 4 022 773 euros on McDonald’s Polska LLC and 43 680 euros on 24/7 Communication LLC.

       NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.

       On October 13, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for debutants customs officials, at the request of the Customs Service (CS).

       The purpose of the training session was to increase the level of perception of debutants customs officials on the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime of personal data in accordance with the provisions of the legislation in force.  

       Important topics were discussed during the event, such as: defining general notions related to the field of personal data protection; principles and legal grounds for the processing of personal data; rights of personal data subjects; processing of special categories of personal data; requirements regarding the protection of personal data in the exercise of official duties; ensuring the security and confidentiality of processed personal data; aspects related to the Data Protection Impact Assessment (DPIA), etc.

       The training provided participants with a clear perspective on how the principles of legality, transparency and security of personal data must be respected in daily activity.  Through practical examples and interactive discussions, debutants customs officials learned how to recognize the risks of unauthorized data processing and how to apply effective protection measures. The training also represented an important step in strengthening the relationship of trust between customs officials and citizens. By correctly understanding data protection principles and applying them in their daily work, they become promoters of an organizational culture based on integrity, responsibility and respect for the confidentiality of the information managed.

       25 debutants customs officials were trained during the event.    

     On September 25, 2025, the National Center for Personal Data Protection (NCPDP), organized a training session in the field of personal data protection for representatives of the Investment Agency, at their request.

       The purpose of the training course was to increase the level of perception of the Investment Agency employees on the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime of personal data in accordance with the provisions of the legislation in force.

       Important topics were addressed during the event, such as: the definition of general concepts related to the field of personal data protection; the rights of data subjects; the processing of special categories of personal data; the principles and legal grounds for the processing of personal data; the aspects related to the appointment of the Data Protection Officer (DPO); ensuring the security and confidentiality of personal data by employees of the Investment Agency; examining requests for disclosure of personal data and access to information of public interest from the perspective of the legislation on the protection of personal data, etc.

       The training provided by NCPDP was particularly useful for the representatives of the Investment Agency as they gained a better understanding of the requirements provided by national and European data protection legislation, thus allowing the institution to prevent potential legal risks and sanctions. At the same time, the knowledge acquired will contribute to improving internal processes, such as integrating data protection principles into information collection, storage and processing activities, while optimizing internal work procedures, and the correct application of data protection standards will contribute to strengthening the image of the Investment Agency as a modern, transparent and responsible institution, an essential aspect in the relationship with investors, partners and the general public.

       During the event, 20 representatives of the Investment Agency were trained.

       On September 19, 2025, the National Center for Personal Data Protection organized a training session in the field of personal data protection for representatives of the General Inspectorate for Migration (GIM), South Regional Directorate, in accordance to the training plan within the GIM for 2025, approved and signed by the heads of the NCPDP and the GIM on January 27th.

       The purpose of the training course was to increase the level of perception of GIM employees, South Regional Directorate, on the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime of personal data in accordance with the provisions of the legislation in force.

       Important topics were discussed during the event, such as:

• The definition of general concepts related to personal data protection;
• The rights of personal data subjects;
• The processing of special categories of personal data;
• The principles and legal grounds for data processing;
• Requirements regarding the personal data protection in the exercise of official duties;
• Aspects related to the appointment of the Data Protection Officer (DPO);
• Obligations and tasks of a DPO;
• Ensuring the security and confidentiality of processed personal data, etc.

       The training course proved to be interactive, with participants asking multiple questions to which they received thorough answers/explanations related to the field of personal data protection from the trainers.

       The event took place online, being trained 17 representatives from GIM, South Regional Directorate.

       On September 17, 2025, the National Center for Personal Data Protection (NCPDP) organized a training session in the field of personal data protection for the representatives of structural and specialized subdivisions of the General Inspectorate for Migration (GIM) according to the training plan within the GIM for 2025, approved and signed by the heads of the NCPDP and GIM on January 27 of this year.

       The aim of the training course was to increase the GIM employees’ awareness on the principles of personal data protection, as well as to familiarize them with the personal data confidentiality and security regime in accordance with the provisions of the legislation in force.

       During the event, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; the rights of personal data subjects; the processing of special categories of personal data; the principles and legal grounds for processing personal data; the requirements for personal data protection in the exercise of their duties; aspects related to the appointment of the Data Protection Officer (DPO); the obligations and tasks of a DPO; ensuring the security and confidentiality of personal data processed, etc.

       The training course was an interactive one, and the aspects related to the proper procedure of accessing personal data through the State Information Systems, including the application of exceptions and restrictions regulated in article 15 of Law 133/201, the correctness of examining inquiries containing personal data, as well as the requirements regarding the protection of personal data in the exercise of official duties, were of great interest to the course participants.

       The event was attended by around 14 representatives from the structural and specialized subdivisions of the General Inspectorate for Migration.

       On September 11, 2025, the National Center for Personal Data Protection (NCPDP) organized a training course in the field of personal data protection for employees of the Moldova Post Office, at their request.

       The purpose of the training course was to increase the awareness of Moldova Post Office employees regarding the principles of personal data protection, as well as to familiarize them with the confidentiality and security regime for personal data in accordance with the provisions of the legislation in force.

       During the event, important topics were discussed, such as:

• The definitions of general concepts related to the field of personal data protection;
• The rights of personal data subjects;
• The processing of special categories of personal data;
• The principles and legal grounds for processing personal data;
• The aspects related to the appointment of the Data Protection Officer (DPO);
• The obligations and tasks of a DPO;
• Aspects related to the Data Protection Impact Assessment (DPIA);
• The stages and obligation to carry out a DPIA, etc.

       The training course was interactive, with participants asking multiple questions regarding the legal processing of personal data in the daily activities carried out by company employees, the most important changes introduced by Law 195/2024 on personal data protection, ensuring the security and confidentiality of processed personal data, as well as the access to information of public interest in the context of personal data protection legislation.

       About 60 representatives from the Moldova Post Office participated in the event.