Notification on the processing of personal data
Guidelines on the procedure of registration of controllers and personal data filing systems
The article 23 and 28 of the Law on personal data protection, imposes the obligation that before the initiation of the operations of personal data processing in an automated or manual filing system, these should be notified to the National Center for Personal Data Protection (hereinafter – NCPDP).
At the same time, point 21 of the Regulation of the Register of records of personal data controllers, approved by Government Decision no. 296 of May 15, 2012 (hereinafter – Government Decision no. 296/2012) establishes that each personal data filing system is separately notified. In this regard, the personal data controller has the obligation to identify and record all the managed filing systems.
According to art. 3 of the Law on personal data protection:
• the personal data controller is the natural or legal person governed by public or private law, including public authority, any other institution or organization which, individually or jointly with others, establishes the purposes and the means of personal data processing expressly provided by the legislation in force;
• the processor is a natural or legal person governed by public law, or by private law, including public authority and its territorial subdivisions, which processes personal data on behalf of the controller, on instructions from the controller;
• personal data filing system is any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis (for example: manual / automated / mixed system of employee records, manual / automated / mixed system of accounting records, automated video surveillance system, etc.).
Thus, in order to achieve the compliance of the activity related to the processing of personal data with the legal provisions set out above the controller and, as the case may be, the processor will take the following actions:
1. To designate the person (s) / subdivisions responsible for the protection of personal data by undertaking the appropriate measures to comply with the standards of the normative framework related to the personal data protection;
2. To exhaustively identify all personal data filing systems managed by the personal data controller;
3. To identify the person (s) empowered by the personal data controller and / as the case may be the revision of the contractual clauses or the provisions of the legal act by which the processors receive rigorous instructions regarding the processing of personal data on behalf and of the controller, as well as ensuring the confidentiality and security measures of personal data processing established by art. 29 and art. 30 of the Law on personal data protection;
4. To elaborate and approve the Security Policy regarding the personal data protection when processing them within the filing systems managed by the personal data controller, taking into account the provisions established by the Requirements regarding the security of personal data at their processing within the personal data information systems, approved by the Government Decision no. 1123 of December 14, 2010 (hereinafter – Government Decision no. 1123/2010);
5. To elaborate and approve the documents regarding the personal data security policy i.e. the Regulations that establish the modality of personal data processing in the filing systems to be notified to NCPDP, according to point 21 of the Government Decision no. 1123/2010;
6. To establish the legal basis for personal data processing in case the consent of the subject of this data is not required, taking into account the derogations provided by art. 5 paragraph (5) of the Law on personal data protection, including the case of personal data cross-border transmission.
In addition to the documents mentioned above, if necessary, other additional documents must be annexed, taking into account the specificity of the managed filing system, and namely:
• If the processing is based on the consent of the personal data subject, its model shall be annexed to the notification, by which the subject accepts the personal data processing that concerns it, and it is informed by the controller on the provisions of art. 12 of the Law on personal data protection and the manner of achieving the rights provided by Chapter III of the aforementioned law;
• If the processing is based on the execution of a contract to which personal data subject is a part or for taking measures before the conclusion of the contract, the model of the contract or the request is attached to the request;
• In the case of the video surveillance filing system, the schematic plan of the locations will be annexed, indicating the installation of the video surveillance cameras, their angle of capture, as well as the attachment of the video captures of each camera installed;
• In the case of the access control filing system, the schematic plan for the location of the access means will be annexed;
• In case the personal data processing is performed exclusively for journalistic, artistic or literary purposes, the provisions of art. 10 of the Law on the personal data protection and the Law on freedom of expression;
• In case the personal data processing is performed exclusively for historical or scientific research purposes, the documents corresponding to the provisions of the Code on science and innovation of the Republic of Moldova will be annexed;
• In case when the personal data processing is performed exclusively for statistical purposes, the provisions of the Law on official statistics will be taken into consideration;
• In case the processing is carried out on the basis of the state register, the regulation on how to maintain the information system will be annexed;
• In the case of personal data cross-border transmission, the agreement or the type contractual clauses concluded between the recipient and the supplier will be annexed, as well as the legal basis for the processing of personal data, if the consent of the subject of this data is not required, taking into account the derogations provided by art. 5 paragraph (5) of the Law on personal data protection;
At the same time, point 22 of the Government Decision no. 296/2012 establishes that the information indicated in the notification must correspond to the Regulations that describe in detail the way of personal data processing in the filing systems to be notified to the NCPDP.
As a result of the preparation of the set of documents mentioned above, it is necessary notify immediately to the NCPDP, the filing systems in which personal data are processed, managed by the requesting entity (including the presentation of the Security Policy and the Regulations which describe each filing system and how the personal data processing within it is performed and other additional documents upon notification) and their registration in the Register of records of personal data controllers.
Important: According to point 25 of the Government Decision no. 296/2012, the electronic notification is completed on the official website of the NCPDP www.datepersonale.md, at the Section- Notification on personal data processing.
Important: The procedure for filling in the notification is described in the controller’s manual and in the Video Guide on notification in the Register of Personal Data Controllers, which can be consulted at the section Electronic filing of the notification.
In addition, point 20 and 26 of the Government Decision no. 296/2012 establish that, after completing the notification in electronic format, it can be signed by applying the digital signature or printed on paper, signed holographical by the applicant and sent / presented at the one-stop shop, accompanied by the confirmatory documents, necessary for the registration of the information objects in the Register of records of personal data controllers.
At the same time, the documents annexed to the notification are to be brought in accordance with point 14 of the Government Decision no. 296/2012, namely: “In case the documents are not signed with digital signature, they are presented in electronic format, with the attachment on paper, signed holographically and, as the case may be, confirmed with the stamp of the applicant for the registration of a legal person. If the information presented on paper is contained on several sheets, they will be sewn with the application, on each one, of the signature and, as the case may be, of the stamp of applicant of the respective registration”.
Attention: In its activity, the NCPDP according to art. 20 paragraph 2 letter a) and b) of the Law on personal data protection, is entitled to request additional information or other documents needed when examining the notification, as well as in the process of the prior verification, according to point 39 of the Government Decision no. 296/2012.
During the completion of the preliminary verification, the NCPDP issues the decision regarding the authorization or the refusal to authorize the categories of operations of personal data processing that present special risks for the rights and freedoms of the persons specified in art. 24 paragraph (2) of the aforementioned law.
Subsequently, according to the provisions of point 29 of the Government Decision no. 296/2012, the NCPDP issues a decision to register or refuse the registration of the controller and / or the personal data filing systems.
Important: According to point 43 and point 44 of the Government Decision no. 296/2012, the information about the issuance of the decision is sent to the e-mail address of the registration applicant by which the user’s account was created. Later, this decision can be viewed through the user’s account, accessing the “Notifications list” section and clicking on the “Request ID” section which has the status “Approved” or “Rejected”.
At the same time, art. 28 paragraph (2) of the Law on personal data protection and point 12 of the Government Decision no. 296/2012, establish that the information stored in the Register of Records of Personal Data Controllers is public, except for the measures taken to ensure the security of the personal data processing and can be consulted by any interested person at: https: // register. datepersonale.md/web/guest/cautare-in-baza-de-date-cndpc.
Additionally, for any other information regarding the notification procedure, you should contact the Prevention, Surveillance and Evidence Directorate within the General Directorate for Surveillance and Compliance of the NCPDP, on the telephone number (0-22) 811-801 or visit the NCPDP headquarters, from 08: 30 a.m. till 14: 00 p.m., lunch break 12: 00 p.m.-13: 00 p.m.
Notification on the processing of personal data