1. Information and training activities carried out by the NCPDP
During the first semester of 2023, the National Centre for Personal Data Protection (NCPDP) has achieved major progress in information and awareness activities for the general public in the field of personal data protection.
On 25 January 2023, the executives of the NCPDP and the General Police Inspectorate (GPI) approved and signed the training plan for the GPI subdivisions, therefore, several training courses were organised. The purpose of these courses was to increase the awareness of GPI subdivision employees about the principles of personal data protection and to ensure the accurate application of the relevant legal provisions in their work.
The important topics were discussed during the training courses, such as:
– general notions of the personal data protection field;
– the legal way of processing personal data in the activity carried out by the employees of the GPI subdivisions;
– the requirements of personal data protection used during the execution of their duties;
– the obligations of the police as a data controller in regard to the data subject;
– the correct procedure of accessing the personal data through the state information systems, as well as keeping accurate audit records of such kind of accesses,
– ensuring the security and confidentiality of processed personal data etc.
Thus, training courses were organised for the following subdivisions:
– On 1st February – Anenii Noi Police Inspectorate of the GPI;
– On 6th March – National Inspectorate of Investigation (NII) of the GPI;
– On 24th March – National Centre for Combating Trafficking in Human Beings of the NII;
– On 7th April – National Public Security Inspectorate, Regional Directorate “Centre” of the GPI;
– On 25th April – Buiucani Police Inspectorate of the Chișinău Police Department;
– On 5th May – Ciocana Police Inspectorate of the Chișinău Police Department;
– On 22nd May – Râșcani Police Inspectorate of the Chișinău Police Department;
– On 5th June – General Directorate for Criminal Prosecution of the GPI;
– On 23rd June – Police Department of ATU Gagauzia.
Also, the training courses were organized for a number of medical institutions on topic “Legal provisions in the field of personal data protection”. The aim of the training courses was the strengthening the capacities of medical staff through familiarising, raising awareness and informing them about personal data protection. The courses included topics such as: definition of personal data concerning health; processing of common categories of personal data; processing of special categories of personal data; legal grounds for processing personal data concerning health; principles of processing personal data; patients’ rights; obligation of personal data privacy; confidentiality and professional privacy; disclosure of personal data concerning health; obligation to ensure confidentiality and protection of personal data; minimization of data and limitation of storage, etc. Thus, the trainings took place:
– On 9th June at Public Health Institution ”Family Medics’ Centre”, Bălți municipality
– On 21st June at Public Health Institution ”Territorial Medical Association” district Centre
– On 28th June at University Primary Health Care Clinic public health institution of Nicolae Testemițanu SUMPh
During the reporting period, the information and awareness campaign for school communities, titled as “Personal data protection and children’s safety in the online environment” was continued. The campaign aimed to inform and raise awareness of the school community with the field of personal data protection and children’s safety in the online environment at local and national level by promoting empowerment and best practices for intervention and support.
The topics covered in the trainings included: general concepts on personal data; adequate use of pictures/videos online; online risks and threats; communication on social networks etc. Three training sessions were organised within the school community:
– On 27th January – Public Institution “Gheorghe Asachi Theoretical Lyceum”;
– On 17th May – Public Institution “Mircea Eliade Theoretical Lyceum”;
– On 18th May – Public Institution “Ion Creangă Theoretical Lyceum”.
Simultaneously, NCPDP organized training courses for specific categories, at their request:
– representatives of libraries in the Chișinau municipality and other districts of the Republic;
– representatives of the National Health Insurance Company;
– representatives of the Cahul General Directorate of Education;
– representatives of the State Tax Service;
– representatives of the Ministry of Internal Affairs and
– representatives of the National Agency of Road Transport.
In this context, in the first semester of the current year, the trainers of the NCPDP provided trainings for about 650 representatives of the GPI subdivisions, almost 210 representatives of medical institutions, around 120 pupils from educational institutions and approximately 575 representatives of other institutions.
During the same reference period, i.e., on 29th-30th March 2023, the NCPDP in collaboration with TAIEX project experts organized the TAIEX Expert Mission “Personal data processing for statistical purposes” in online format. The objective of the Expert Mission was to present the best European legal and operational practices on the mechanisms of processing and storage of personal data for statistical purposes by the National Bureau of Statistics (NBS), data exchange between the institutions and the NBS, as well as the regulations related to the security of these data. The event was attended by 24 representatives of public sector.
2. Control Activity
In the period of January – June 2023, the NCPDP initiated compliance checks on the processing of personal data in 180 cases. In the reference period, 141 decisions were issued of which 73 cases were found to be in breach of the law, being concluded 34 minutes of infringement proceedings, which were subsequently submitted to the court for resolution.
3. Findings of the National Centre for Personal Data Protection
I. The NCPDP has examined the complaint of a personal data subject concerning the alleged non-compliant processing of personal data stored in the Real Estate Register (RER) and carried out by a Local Public Authority (LPA) and a Central Public Authority (CPA).
In this context, the decision found that the operations of accessing personal data relating to the data subject’s real estate were carried out by the CPA and LPA in breach of Article 4 para. (1) letters a), b) and art. 5 of Law no. 133 of 08.07.2011 on personal data protection, or these operations took place without a determined, explicit and legitimate purpose.
Thus, the main aspect that led to the finding of violation of the legal provisions by the LPA was the data access for personal purposes (for the research meant for master’s thesis) and the lack of record of personal data access in the automated systems by authorized users within the LPA.
Regarding the reason for the finding of violation of Law No. 133/2011 by the CPA, we note that the CPA did not ensure the information update on authorised users with the access to the state automated information system. Additionally, the CPA did not notify the competent authorities about changes in employment relationships (resignation of a former employee), which resulted in personal data access in the RER even after the resignation.
II. The NCPDP carried out an investigation on the basis of a complaint from a data subject, in which he pointed to alleged unlawful personal data processing operations concerning him, stored in the RER and carried out by a LPA, as well as the non-realization of the right of access to his personal data.
Following the examination of the case, by decision, the NCPDP found that the LPA failed to deny the presumption of illegality of the processing of personal data of the data subject, which led to the violation of Law No. 133/2011, as it was found that all authorized users within the LPA who had access to the central data bank of the RER used the same access account, which was assigned to a former employee of the LPA. This fact made it impossible for the controller to keep strict records of accesses. Regarding to the contribution of the right of access to the data subject’s personal data, it was established that there was no breach of this aspect, as it was established that the LPA had examined the request and had sent a reply to the data subject.
III. The NCPDP has examined the complaint of a personal data subject concerning the alleged unlawful personal data processing operations stored in the RER, which was carried out by the controller without data subject’s consent.
Following the examination, it was carried out that the operations of accessing the real estate data, which belong solely to the data subject by law, were made to create and register a co-owners’ association.
Also, during the examination of this case, the controller, in order to justify his actions of access/consulting the personal data through the RER, which belong solely to the data subject, made the reference to the contract for the provision of consulting services and collaboration, as well as to the provisions of the art. 5 of Law No. 133/2011 on personal data protection.
In this case, NCPDP has stated that the allegations invoked by the controller does not justify and does not demonstrate the necessity of processing the subject’s personal data, which was manifested through accessing the central data bank of RER, as well as processing of personal data is to be carried out with the conditions based on the provisions of the art. 5 of Law No. 133/2011 on personal data protection.
In this context, the decision found that the operations of accessing personal data regarding the immovable property of the data subject was carried out in violation of Article 4 para. (1) letters a), b) and art. 5 of Law no. 133 of 08.07.2011 by the data controller – legal person, in the absence of a specific, explicit and legitimate purpose.
IV. The NCPDP has examined the complaint of a personal data subject concerning allegedly inappropriate processing of personal data stored in the State Register of Population (SRP) by a public authority employee.
During the investigation, although a request was indicated as the cause for the processing operation of personal data, it was established that the request was made in the name of another person.
In this regard, the NCPDP has not identified any purpose and legal basis that would have allowed the authorised user within the public authority to process (by data retrieval) the personal data of the data subject without his/her consent and without having a file/request taken into consideration.
In this context, by decision it was found that, the personal data processing operation concerning the data subject, was carried out by the authorized user in violation of the provisions of Article 4 para. (1) letters a), b) and art. 5 of Law No. 133/2011 on personal data protection, in the absence of a specific, explicit and legitimate purpose and without the consent of the data subject.
V. The NCPDP examined the request received from the State Tax Service (STS) informing that, as a result of the exercise of tax administration duties, an economic agent was found to be collecting and using personal data contrary to the provision of Article 5 para. (1) of the Law no. 133/2011 on personal data protection, which served as a reason for initiating the confirmation/investigation the compliance of personal data processing operations.
In fact, according to the materials attached to the STS request, it was found that the economic agent processed the personal data of 35 natural persons without their personal consent or the successors of deceased persons, as well as in the absence of any other legal basis provided by Article 5 para. (5) of the Law no. 133/2011 on personal data protection.
Following the investigations carried out by the NCPDP, in accordance with the provisions of Article 27 of Law no. 133/2011 on personal data protection, the NCPDP decision confirms the violation of the provisions of Article 4 para. (1) letter a), art. 5 para. (1), (4) and art. 12 of Law no. 133/2011 on personal data protection by the economic agent in the matter of the processing of personal data of the data subjects mentioned in the STS request.
At the same time, the NCPDP also ordered to stop of the processing operations of personal data of the data subjects concerned in the SFS and the destruction of the copies of the identity cards unlawfully used/obtained by the economic agent.
Consequently, in accordance with the provisions of Article 20 para. (1) letter m) of Law No. 133/2011 on personal data protection, the NCPDP has stated an order to the criminal prosecution body of the STS concerning the existence of reasonable indications of falsification of documents for the goods purchase, an act in accordance with the provisions of Article 3351 of the Criminal Code.
Moreover, following the finding of the violations mentioned above, the NCPDP interfered in the order of the contravention against the economic agent by initiating the minute on the contravention in accordance with the provisions of Article 741 para. (1) and (3) of the Contravention Code.
VI. The NCPDP was notified of the lawfulness of the activity of the website www.numar.md, where certain personal data of several natural persons were published by a representative of mass-media.
Following the analysis of the website www.numar.md, it was found that, any person could leave a comment, which is visible to everyone, about the owner of any mobile phone number in the Republic of Moldova. The comments on the web page contained various types of biographical information such as: name, surname, education, workplace, age, locality, home address, type of activity etc., as well as defamatory and insulting information. Disclosure of such information online for unrestricted viewing could seriously harm the constitutional rights and freedoms of citizens.
As a result of the control, the NCPDP has determined that the means provided for processing personal data are inappropriate by publishing on the website www.numar.md information containing personal data, such as: name, surname, education, workplace, age, locality, home address, type of activity etc., as it was not established the existence of a specific, explicit and legitimate purpose, nor the existence of a legal basis for processing personal data concerning the holders of mobile phone numbers in the Republic of Moldova. These actions are committed in conflict to the provisions of Article 4 para. (1) (a), (b), (c) and Art. 5 (1) (a), (b), (c) and Art. 5 (1) (b). (1) of Law no. 133/2011 on personal data protection.
In this context, taking into account the provisions of Art. 27 para. (3) and par. (5) of Law no. 133/2011 on personal data protection, the NCPDP issued a decision which states that the finding of violation of the provisions of Law no. 133/2011 on personal data protection in rem through the website www.numar.md, the outcome of unavailability on the Internet of the page www.numar.md, as well as the referral to the Public Institution “Information Technology Service and Cyber Security” in order to examine the possibility of intervening in the light of the competences set out in para. 33 p. 7) of the Regulation on Management of Top-Level Domain .md, approved by ANRCETI Decision no. 42/2020.
Finally, it is noted that the purpose of the Supervisory Authority’s self-reporting, manifested by the desire to counteract the non-compliant of personal data processing, was achieved with the unavailability/becoming inactive of the website www.numar.md, which was a source of abusive disclosure of personal information of a large number of data subjects.
4. Supervisory activity
On 10 January 2022, in accordance with the provisions of the Law no.175/2021 on the amendment of some normative acts, the obligation of the controller and the processor to designate a data protection officer was established, in the cases provided by of Art. 25 para. (6) of the Law no. 133/2011 on personal data protection.
In this regard, the NCPDP has launched a cycle of training courses for data protection officers. The main purpose of the trainings is to develop theoretical knowledge’s in the field of personal data protection and practical skills on the application of normative acts and legal requirements in this field. Thus, during the reference period, 28 persons were trained.
In accordance with the provisions of Art. 25 para. (6) of the Law no. 133/2011 on personal data protection, the controller or processor is obliged to publish the contact details of the data protection officer and communicate them to the NCPDP. Thus, during the reference period, the NCPDP received 21 letters, through which it was informed about the fact of the designation of the data protection officer from the respective entities, mainly from private entities.
At the same time, the following guidelines were developed and published on the official website of the NCPDP under the section “Data controller/NCPDP recommendations”: “Guidelines on personal data protection impact assessment (DPIA)” and “Guidelines on the processing of personal data through video devices”, in accordance with the provisions of the Law no. 187 of 14th July 2022 on the condominium.
In order to provide methodological and advisory support to personal data controllers and/or processors, more than 220 telephone consultations and 15 responses via e-mail were provided and recommendations were proposed to resolve discrepancies identified by the data controller.
5. International and European news
– As part of the collaboration between SIGMA and the GiZ Regional Fund for the Eastern Partnership, the first Academy, known as “Service design and delivery in a digital age”, was held in Paris on 6th-10th February 2023. The aim of the Academy was to create the opportunity for intensive networking and exchange on public service redesign:
a) at national level – between the key public institutions, such as public service development agencies and personal data protection institutions;
b) at regional level – between countries of Eastern Partnership; and
c) at international level – between Eastern Partnership countries and EU Member States.
Thus, in order to achieve the best practices within the Academy, a study visit to the French Ministry of Transformation and Public Service was also carried out, and the NCPDP representative was introduced to the current situation of public service transformation in France, as well as the public services improvement (human-centred digital public services), monitoring and transparency of the implementation of government reforms etc.
– In the first semester of 2023, the representatives of the NCPDP attended 3 plenary sessions of the European Data Protection Board (EDPB) and 3 online meetings. Several documents were discussed and adopted in their final version during these plenary meetings, including:
– Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR;
– Guidelines 07/2022 on certification as a tool for transfers;
– Procedure for the adoption of EDPB Opinions on national criteria for certification and European Data Protection Seals;
– Guidelines 01/2022 on data subject rights – Right of access;
– Guidelines 04/2022 on the calculation of administrative fines under the GDPR;
– Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement.
On 25th May, The EDPB has elected Anu Talus (FI DPA) as the new Chair of the European Data Protection Board (EDPB) and Irene Loizidou Nikolaidou (CY DPA) as new Deputy Chair. The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.
– On 10th-12th May 2023, the representatives of NCPDP participated in the 31st Spring Conference of the European Data Protection Authorities (EDPA) in Budapest, Hungary. This year the event was hosted by the Hungarian Data Protection Authority.
During the working sessions, topical data protection issues were presented, such as:
– New technologies – assessing the social impact of the use of new technologies in different areas;
– Interaction between data protection and competition law;
– Court decisions: resolutions and amendments to the Rules of Procedure;
– Best practices/case studies in enforcement cooperation between EEA and non-EEA countries.
For the first time at a Spring Conference of the EDPA, an Open Day was organised. This practice gave the opportunity to several institutions, NGOs or other organisations that expressed interest in the topics covered during the event to participate online.
The event was attended by the representatives of Central and Eastern European Data Protection Authorities, the Council of Europe, the European Data Protection Board, the European Data Protection Supervisor, where they had the opportunity to exchange experience and best practices in the field of personal data protection, including the role of the Data Protection Officer within a public or private entity.
– On 14th-16th June, the 44th plenary meeting of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) took place in Strasbourg, France. Several topics were discussed during the meeting, including:
– Convention 108+, ratifications and current accessions;
– data protection for the processing of personal data for anti-money laundering/countering financing of terrorism purposes;
– model contractual clauses for transborder data flows of personal data;
– interpretation of Article 11 of the modernised Convention 108;
– protection of personal data, including biometric data in the electoral process;
– cooperation with other Council of Europe bodies and entities;
– main developments and activities in the field of data protection etc.
At the same time, the NCPDP delegation reported on the status of ratification of the Protocol amending CETS no. 223 to Convention 108. It should be noted that on 9 February 2023, on the basis of Presidential Decree No. 757/2002, the Republic of Moldova signed the Protocol amending Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, and the Action Plan of the Government of the Republic of Moldova for the current year includes the promotion of measures to ratify the Protocol.
6. Other data protection authorities
– On 22nd May, Following the EDPB’s binding dispute resolution decision of 13 April 2023, Meta Platforms Ireland Limited (Meta IE) was issued a €1.2 billion fine following an inquiry into its Facebook service, by the Irish Data Protection Authority (IE DPA), for serious breach of the legal provisions, stipulated in Regulation (EU) 2016/679 (GDPR). This fine, which is the largest GDPR fine to date, was imposed for personal data transfers made by Meta IE to the US under standard contractual clauses (SCCs) since 16 July 2020.
In its binding decision of 13 April 2023, the EDPB instructed the IE DPA to amend its draft decision and to impose a fine on Meta IE. Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum. The EDPB also instructed the IE DPA to order Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of the GDPR, within 6 months after notification of the IE SA’s final decision.
The IE DPA’s final decision incorporates the legal assessment expressed by the EDPB in its binding decision, adopted on the basis of Art. 65(1) (a) GDPR after the IE DPA, as lead supervisory authority (LSA), had triggered a dispute resolution procedure concerning the objections raised by several concerned supervisory authorities (CSAs). Among others, CSAs issued objections aiming to include an administrative fine and/or an additional order to bring processing into compliance.
– On 16th May, the final decision of the Croatian SA of 2nd May 2023 was announced regarding the imposition of the administrative fine on the data controller, the Debt Collection Agency B2 Kapital d.o.o., in the amount of 2,265,000.00 EUR due to violations of Articles 13, 28 and 32 of the GDPR
In December of 2022, the Croatian SA received an anonymous complaint in which it was stated that there was unauthorized processing of a large number of personal data of debtors, by the Debt Collection Agency B2 Kapital d.o.o. Together with the complaint, the B2 Kapital received the attached USB stick containing personal data for a total of 77 317 natural persons who had outstanding debts in credit institutions, and which were purchased by the Debt Collection Agency based on the cession agreement. The same personal data were delivered on a USB stick to a Croatian media outlet.
It was established that the violation has been going on since at least 2019 and that it has not been remedied to date, all because of not applying appropriate protective measures.
– On 21st March, the final decision of the Finnish SA of 17th February 2023 was announced regarding the imposition of the administrative fine in the amount of 440,000 EUR on the data controller, Suomen Asiakastieto Oy, for failing to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The SA pointed out that a payment default entry has a significant impact on the rights and freedoms of an individual.
In 2021, the Finnish SA ordered the controller to rectify its practices in registering payment default entries based on final decisions and to erase all inaccurate payment default entries which had resulted from such practices. The controller did not appeal the decision. The Finnish SA contacted the controller in January 2023 for sanction assessment. The controller stated that it had interpreted the SA’s order incorrectly and had now erased all payment default entries based on final decisions from its register. The SA finds that the controller has consciously decided not to comply with the SA’s order. The inaccurate payment default entries could have been erased because the Legal Register Centre discloses payment default information based on final decisions to the controller in the format in which they are saved in the register of court decisions. Decisions can be retrieved from the register for 10 years from their date of issue.
– The French Data Protection Authority (CNIL) imposed an administrative fine in the amount of 5,2 million euros on the data controller CLEARVIEW AI for illegal data procession via facial recognition technology.
CLEARVIEW AI collected photographs from a wide range of websites, including social networks, and sells access to its database of images of people through a search engine in which an individual can be searched using a photograph. The company offered this service to law enforcement authorities. Facial recognition technology is used to query the search engine and find an individual based on its photograph.