personal data – any information relating to an identified or identifiable natural person (‘personal data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
special categories of personal data – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, social belonging, data concerning health or sex life, as well as data relating to criminal convictions, administrative sanctions or coercive procedural measures;
processing of personal data – any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, keeping, restoring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
controller – a natural or legal person governed by public law, or by private law, including public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data expressly provided by applicable law;
processor – a natural or legal person governed by public law, or by private law, including public authority and its territorial subdivisions, which processes personal data on behalf of the controller, on instructions from the controller;
third party – a natural or legal person governed by public law, or by private law, other than the personal data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data;
recipient – a natural or legal person governed by public law, or by private law, including public authority and its territorial subdivisions, to whom personal data are disclosed, whether a third party or not. The bodies responsible for the national defence, state security and public order, the prosecution bodies and the courts, which may receive personal data in the framework of exercising their duties established by law, shall not be regarded as recipients;
personal data subject’s consent – any freely given, expressly and unconditionally indication of will, in written or electronic form, according to the requirements of the electronic document, by which the personal data subject signifies his agreement to personal data relating to him being processed;
1. The concept of “personal data”
Personal data is information about you. These can be your name, address or telephone number. Also, the work you do, the goods you buy, the institution where you went to school or the state of health. In other words, any information about an identified or identifiable person.
We all provide personal data to various organizations and authorities. For example, we provide our credit card information when shopping online, provide health information to insurance companies, or provide personal information to supermarkets in exchange for loyalty points or discount cards.
2. Why is it important to manage our personal data?
The information about you is valuable, so you should treat it like any other high-value item, including property.
Criminals may use your personal data to open bank accounts, carry out money laundering operations, benefit from credit cards and obtain public benefits in your name and on your behalf. Every day, you provide personal data in one way or another. Although, in most cases, it brings you benefits such as better health care or financial reinsurance, but sometimes it can cause problems. If your personal data is incorrect, inadequate or out of date, this could lead to you being unfairly denied a job, a home, benefits, loans, a place to study or even to get a passport.
In conclusion, you must think carefully before providing the personal data concerning you. Always ask why the organization / authority requests the information, why it requests it in a certain volume, why certain personal data are needed, such as: marital status, information about children, information about participation in elections, about the state of health or the criminal record.
3. How can you protect your personal data?
Find out how correct your attitude is towards the need to protect your personal data and follow some simple steps to protect it.
• keep documents that provide any personal data in a safe place;
• destroy all documents and copies of them that contain personal data before throwing them away;
• contact the Post Office for recommendations on the cost of secure mailing, if you want to send documents containing personal data;
• limit the number of documents that contain personal data that you carry with you;
• check your bank and credit card account statement carefully to identify unknown or dubious transactions;
• use different passwords and PINs for different accounts;
• be careful when using a public computer to access information about you;
• always remove personal data from the screen and uncheck “save password”;
• change passwords at the shortest possible time and keep them confidential;
• check your credit file regularly for any suspicious applications;
• always think about to whom and with whom you share personal data and why they would need it;
• protect your home computer with anti-virus, firewall and anti-spam software before online accessing;
• when you change your home address, forward all personal mail and inform your bank, the companies that provide you with various services and other organizations with which you have contacts, about the new address;
• request that the correspondence with banks, telephone companies or companies providing services to you be sent in envelopes to ensure the confidentiality of the content;
• do not “lend” discount cards to others, as personal information about the cardholder is indicated on the cardholder.
4.Access to information
Any personal data subject has the right to obtain from the controller, upon request, without delay and free of charge:
• confirmation as to whether or not data relating to him are being processed and information as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
• communication to him in an intelligible form and in a way that does not require additional equipment, of the data undergoing processing, and of any available information as to their source;
• information on the logic involved in any automatic processing of data concerning the personal data subject;
• information on legal consequences for the personal data subject generated by processing of these data;
• information on the exercise of the right of intervention upon the personal data
5. Correct information
If you believe that your personal data processed by a certain authority / institution is incorrect, you have the right to obtain from the controller or the processor, upon request and free of charge:
• the rectification, update, blocking or erasure of personal data, the processing of which does not comply with the Law on personal data protection, in particular because of their incomplete or inaccurate nature;
• notification of the third parties to whom the personal data have been disclosed, about any operations of rectification, update, blocking or erasure of personal data, except where such notification proves to be impossible or involves disproportionate effort towards the legitimate interest that might be violated.
In order to benefit from this right, you must submit a written request stating what you consider to be incorrect with regard to your personal data.
There is no particular form of expression necessary to be used at the time of writing the request, the condition is to be clear who you are, what personal data are wrong and what should be done to correct them.
Keep a copy of the letter and the answers you receive. If you do not agree with the decision taken by that entity, you can contact the National Center for Personal Data Protection (Center), or in the courts.
6. About what and under what conditions should you be informed without submitting a request?
I. If personal data is collected directly from you, the controller or the processor must inform you about:
• the identity of the controller or of the processor, as the case may be;
• the purpose of processing for which the data are collected;
• additional information (such as: recipients or categories of recipients of personal data; existence of the rights of access to data, the right of intervention upon data and the right to object, as well as conditions under which such rights may be exercised; whether the answers to the questions intended to collect data are mandatory or voluntary, as well as the possible consequences of denial to respond).
Exceptions to the above are cases in which you already know the information.
II. Where the personal data are not collected directly from you, the controller or the processor must, at the time of data collection or, if a disclosure to the third parties is envisaged, no later than the time when the data are first disclosed provide you with information on the categories of personal data which are intended to be collected or disclosed, as well as with the information specified in the first case, except the answers to the questions intended to collect data are mandatory or voluntary, as well as the possible consequences of denial to respond.
Exceptions to the above are cases where:
• you already know that information;
• processing of personal data is carried out for statistical, historical or scientific-research purposes;
• provision of information that proves to be impossible or involves disproportionate effort towards the legitimate interest that might be violated;
• recording or disclosure of personal data is expressly stipulated by law.
7. The right to object
You have the right to object at any time and free of charge on compelling legitimate grounds relating to your particular situation to the processing of personal data, save where otherwise provided by law. Where there is a justified objection, the processing instigated by the controller may no longer involve those data.
You have also the right to object at any time and free of charge without any justification to the processing of your personal data for the purpose of direct marketing. The controller or the processor is obliged to inform you about the right to object such operation before your personal data are to be disclosed to third parties.
In these cases, you will address a written request to the respective authority / entity, with the possibility to challenge the answer received, at the Center or in the court.
8. Decisions taken as a result of automated processing of personal data
As personal data subject, you shall have the right to request for the rescinding, in whole or in part, of any individual decision which produces legal effects concerning your rights and freedoms, and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to you such as his performance at work, creditworthiness, conduct, or other similar aspects.
9. What can you do to stop this kind of processing?
You may not object to all personal data processing operations that involve automated decisions. Thus, you do not have the right to object if:
• the decision is authorized by a law which also lays down measures to safeguard the personal data subject’s legitimate interests;
• the decision is taken in the course of the entering into or performance of a contract, provided that the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied.
10. Collection of your personal data
Public or private entities that collect, hold and process personal information about you must use it correctly, maintain the confidentiality and security of its processing, ensure that the information is accurate and update it regularly. You have the right to ask this of them.
Please note that the processing of your personal data, as a rule, must be performed with your consent.
Consent will not be required in cases where processing it is necessary for :
• the processing is necessary for the performance of a contract to which the personal data subject is party, in order to take steps at your the request to entering into a contract;
• the processing is necessary for carrying out an obligation of the controller, under the law;
• the processing is necessary in order to protect the life, physical integrity or health of the personal data subject;
• the processing is necessary for the performance of tasks carried out in the public interest or in the exercise of public authority prerogatives vested in the controller or in a third party to whom the personal data are disclosed;
• the processing is necessary for the purposes of the legitimate interest pursued by the controller or by the third party to whom personal data are disclosed, except where such interest is overridden by the interests for fundamental rights and freedoms of the personal data subject;
• the processing is necessary for statistical, historical or scientific-research purposes, except where the personal data remain anonymous for longer period of processing.
11. What are some other exceptions?
It is prohibited to collect and process special categories of your personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, social belonging, data concerning health or sex life, as well as data relating to criminal convictions), except cases where :
• the personal data subject has given his consent (where the personal data subject is physically or legally incapable of giving his consent, the processing of special categories of personal data shall be carried out only with the written consent of his legal representative);
• processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law, providing safeguards set by law, as well as taking into account that possible disclosure of the personal data processed for this purpose to a third party may take place only if there is an appropriate legal obligation of the controller;
• processing is necessary to protect your life, physical integrity or health or of another person where you are physically or legally incapable of giving your consent;
• processing is carried out in the course of its legitimate activities by a foundation, association or any other non-profit organization with a political, philosophical, religious or trade-union aim, and on condition that processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without your the consent;
• processing relates to data which are voluntary and manifestly made public by yourself;
• processing is necessary to establish, exercise or defend of your legal claims;
• processing is necessary for the purposes to ensure national security, where the processing is unlikely adversely to affect your rights and the other appropriate safeguards provided for in this law.
12. What is an information about the processing of your personal data?
The information about the processing of your personal data is a statement, which, in essence, tells you who collects information about you, as well as what is the purpose of their further processing. This information takes a number of forms, for example: a site ad or a phone-reading script (document).
In fact, the information must be written in clear language, be truthful and contain:
• the identity of the controller or of the processor, as the case may be;
• the purpose of processing for which the data are collected;
• additional information (such as: recipients or categories of recipients of personal data; existence of the rights of access to data, the right of intervention upon data and the right to object, as well as conditions under which such rights may be exercised; whether the answers to the questions intended to collect data are mandatory or voluntary, as well as the possible consequences of denial to respond)
13. Why is your personal data transmitted to third parties or to others entities?
This is done for several reasons. For example:
• The medical center where the personal data subject has undergone surgery, transmits the information to the family doctor, so that the patient can be treated properly, after being discharged;
• a teacher, social worker or nurse transmits information about a child, taking into account the interests and needs of the child;
• a local public authority transmits the information to the Employment Agency and to the National Social Insurance House, in order to solve the applicants’ requests;
• the police and a local public authority exchange information to ensure public order in the area; or
• banks send information to credit bureaus to update the financial situation of the personal data subject, when applying for a loan, etc.
The transmission of information usually takes place when the provision of a service involves a number of different entities, for example at the time of employment.
14. Do you have to give your consent for the transmission of your personal data?
The transmission of information may take place without your consent, provided that the operation is reasonable and predictable. However, it must be clear what information is transmitted and who is the recipient. This could be the case if information about the transmission process could, for example, be prejudicial to a criminal investigation.
If the entities / authorities wish to transmit your personal data, they will need your consent, as in the case of the transmission of information to the Credit History Offices.
If you are required to consent to the transmission of your personal data, you must have a genuine and free choice.
15. What should you do if you are disturbed by the transmission of information about you?
The first thing to do is to contact the authority / entity you think is the source of your personal data transmission. It should answer you if it has transmitted your personal data. If so, then, to the extent necessary, it must communicate to you what information, to whom and for what purpose was transmitted your personal data.
The quality of the information transmitted is important. For example, the information must be correct and up to date. If you have any doubts about the quality of the transmitted data, or if you have any other concerns, you should cooperate with the Center.
16. Know your right to privacy and personal data protection
The more you know about your rights as personal data subject, the easier it will be to secure your privacy.
For more information about your rights, visit our official website: www.datepersonale.md or call the trusted telephone number: +37322 820-807.