Newsletter No. 12
- Information and training activities carried out by the NCPDP
On 10 July 2022, the National Centre for Personal Data Protection (NCPDP) celebrated 14 years of activity. On this occasion, the NCPDP organised several activities related to the data protection field. Among them was the street information activity organised on 11 July under the title “14 years since the founding of the NCPDP”. The aim of the action was to disseminate useful information on personal data protection to passers-by, and to inform and encourage Moldovan citizens to pay more attention to this field.
At the same time, during the reporting period, the NCPDP continued the training process for the representatives of local public authorities (LPAs) and central public authorities (CPAs) in the field of personal data protection. The aim of the training courses was to raise awareness among the representatives of the authorities and to familiarise and inform them about the latest data protection issues. The main topics covered were: general notions of personal data, legal grounds for personal data processing, processing of special categories of personal data, filming and online transmission of local council meetings, depersonalisation of data in the State Register of Local Acts, designation of the personal data officer, and the specifics of the function and tasks of the data protection officer. Training courses were organised for the following authorities:
– On 15 July – Nisporeni District Council;
– On 20 July – Directorate-General for Education, Youth and Sport (DGEYS);
– On 4 August – Strășeni District Council;
– On 19 August – Hîncești District Council;
– On 2 September – Anenii Noi District Council;
– On 22 September – Leova District Council.
In this regard, in the third quarter of this year, the trainers of the NCPDP trained about 197 representatives from the above-mentioned LPAs and 64 representatives from DGEYS.
Also, during the same period, the NCPDP developed a list of Recommendations for video surveillance installation service providers, to help them advise end-users when installing video surveillance systems. The recommendations are available on the official website of the institution and can be consulted in the Data Controller section, sub-component CNPDCP Recommendations.
- Control activity
In the period July-September of this year, the NCPDP initiated compliance checks on the processing of personal data in 53 cases and 54 decisions were issued, of which 33 cases were found to be in breach of the law. At the same time, during the same period, the NCPDP concluded 30 minutes of infringement proceedings, which were subsequently submitted to the court for resolution.
- Findings of the National Centre for Personal Data Protection
I. The NCPDP examined the complaint of a personal data subject who alleged that personal data stored in the Real Estate Register were processed in a non-compliant manner by a local public administration.
As a result of resolving the complaint, the NCPDP found that the local public administration did not take appropriate action regarding the organisational and technical measures necessary for the protection of personal data, contrary to the provisions of Article 4 para. (1) letter a), Art. 29 para. (1), Art. 30 para. (1) of Law no. 133/2011, not ensuring the confidentiality and security of personal data in relation to the risks presented by the processing and the nature of the data processed within the Database of the Real Estate Register, and without monitoring and implementing compliance with the provisions of the agreement for the provision of information access services.
Consequently, the above-mentioned local public authority was ordered, by decision, to carry out the following:
· Reviewing the access rights of users to the Real Estate Cadastre Database after a change in the status of the user(s) (resignation, dismissal, detachment, etc.), by updating the list of users with access rights to the information, according to the agreement for providing information access services;
· Informing the P.I. “Public Services Agency” about the change of users, in order to revoke the identification/authentication codes of the authorised user within the public authority, as well as to block access to the information in the Real Estate Cadastre Database;
· Establishing a mechanism for authorised users to keep manual and/or electronic records of access/consultation of personal data through the Real Estate Cadastre Database, by recording the exact date and time of processing of personal data, the justification of the purpose, basis and necessity of the operation performed, the record system from which the data were processed, and the categories of data processed;
· Informing/instructing the staff of the subordinate subdivision that unauthorised access/use of information from the Real Estate Cadastre Database and other information systems is not allowed.
II. The NCPDP examined the complaint of two personal data subjects concerning the alleged non-compliant processing, by a local public administration, of personal data stored in the Real Estate Register.
During the investigation it was found that the operations of accessing the real estate, which belonged by right of ownership to the data subjects, were carried out from the user account created in the name of a former employee of the local public administration, who had not worked in the entity for 3 years, and that the account was used by an undetermined number of employees of the local public administration concerned.
In this context, the decision of the NCPDP found that the operation of accessing the personal data of the data subjects was carried out by the local public administration in violation of Article 4 para. (1) (a), (b) and Art. 5, Art. 29 para. (1), Art. 30 para. (1) of Law 133/2011 on the protection of personal data, in the absence of a determined, explicit and legitimate purpose, exclusively in conditions where the access took place on a day officially declared a non-working day.
III. In another case, following the checks carried out, the NCPDP found a violation of a data subject’s right of access to personal data by a public authority.
The circumstance that served as the reason for initiating the verification of the conformity of personal data processing operations was the complaint filed by a data subject who expressed his disagreement with the response provided by a subdivision of the Ministry of Internal Affairs (MAI), which did not provide comprehensive information on the personal data concerning him processed within the Automated Information System “Register of Forensic and Criminological Information”, an action that the complainant considered to be contrary to the provisions of Article 13 para. (1) of Law 133/2011 on the protection of personal data.
As a result of the examination of the complaint, the NCPDP found a violation of Article 13 para. (1) of Law 133/2011 on the protection of personal data, ordering, by decision, that the Ministry of Internal Affairs shall take the actions required to ensure the realization of the right of access to personal data for data subjects, including the data processed in the Automated Information System “Register of forensic and criminological information”, without admitting confusion regarding the free nature in the realization of the right of access of any data subject, recognized and guaranteed by Art. 13 para. (1) of Law No 133/2011 on the protection of personal data.
- Supervisory activity
Law No. 175/2021 on the amendment of certain normative acts, which entered into force on 10 January 2022, established the obligation to designate the personal data officer. During the reference period, the NCPDP received 49 letters from the entities concerned, mainly private entities, informing it of the designation of the personal data officer.
In order to provide methodological and advisory support to personal data controllers and/or processors, more than 195 telephone consultations and 26 responses via e-mail were provided and recommendations were proposed to address discrepancies identified by the data controller.
- International and European news
– During the reporting period, a Cooperation Agreement in the field of personal data protection was signed between the National Centre for Personal Data Protection (NCPDP) and the Data Protection Office of the Republic of Poland.
– On 12 July, the 67th plenary meeting of the European Data Protection Board (EDPB) took place online.
• During the plenary session, the EDPB and the European Data Protection Supervisor (EDPS) adopted their Joint Opinion on the European Commission’s Proposal for the European Health Data Space (EHDS). The Proposal aims to facilitate the creation of a European Health Union and to enable the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data. The EDPB and EDPS acknowledge that the infrastructure for the exchange of electronic health data foreseen in this EHDS Proposal aims at facilitating the exchange of health data. However, due to the large quantity of electronic health data that would be processed, their highly sensitive nature, the risk of unlawful access and the necessity to fully ensure effective supervision by independent data protection authorities, the EDPB and the EDPS call on the European Parliament and the Council to add to the Proposal a requirement to store the electronic health data in the EEA, without prejudice to further transfers in compliance with Chapter V of the GDPR.
– On 28 July, the 68th plenary meeting of the European Data Protection Board took place online. During the meeting a number of documents were discussed and adopted, which will be a recommendation for data protection authorities, namely:
• EDPB and EDPS adopted a Joint Opinion on the Proposal for a Regulation to prevent and combat child sexual abuse. The Proposal aims to impose obligations related to detecting, reporting, removing and blocking known and new online child sexual abuse material, as well as the solicitation of children, on providers of hosting services, interpersonal communication services, software application stores, internet access services and other relevant services. The EDPB and EDPS consider child sexual abuse as a particularly serious and heinous crime. Limitations to the rights to private life and data protection must, however, respect the essence of these fundamental rights and remain limited to what is strictly necessary and proportionate.
• Two letters in response to Access Now and BEUC concerning TikTok. In these letters, the EDPB highlights the swift action taken by the Irish, Italian and Spanish Supervisory Authorities (SAs) following TikTok’s announcement that it would no longer seek users’ consent to send personalised advertisements, but that the legal basis for this would be the legitimate interest of TikTok and its partners.
• A dispute resolution decision on the basis of Art. 65 GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA as lead supervisory authority regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and the subsequent objections expressed by some of the concerned supervisory authorities.
– On 12-13 September, the 69th Plenary Session of the European Data Protection Board took place in Brussels, Belgium. During the Plenary, the EDPS adopted several documents, including:
• A Statement on the European Commission’s proposal for an EU Police Cooperation Code. This proposal aims to enhance law enforcement cooperation across Member States, in particular the information exchange between the competent authorities. The code is comprised of three main measures: proposal for a Prüm II Regulation, proposal for a Police Information Exchange Directive and the proposal for a Council Recommendation on operational police cooperation.
• EDPB decided upon the topic for its second coordinated enforcement action, which will concern the designation and position of the data protection officer. In a coordinated action, the EDPB prioritises a certain topic for data protection authorities to work on at the national level. The results of these national actions are then bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both the national and the EU level.
- Other data protection authorities
– On 7 July, the French Data Protection Authority (DPA) issued a fine of 175 000 euros to UBEEQO International for illegally processing personal data. This case is part of the priority control theme in 2020 relating to the new uses of geolocation data in the context of mobility. In this context, the French DPA inspected the company UBEEQO International, whose activity is the rental of vehicles for a short period. The investigations focused in particular on the data collected, the defined retention periods, the information provided to individuals and the security measures implemented. Following the investigations, the French DPA found several violations, such as:
· Failure to comply with the obligation to ensure data minimisation (Article 5.1.c of the GDPR).
· Failure to define and respect a proportionate data retention period (Article 5.1.e of the GDPR).
· Failure to inform individuals (Article 12 of the GDPR).
– On 19 July, the Hellenic Data Protection Authority (DPA) issued a fine of 20 000 euros to the Debt Management Company for unlawful processing of personal data and failure to consider the rights of objection and erasure. Following the investigation, the Hellenic DPA found that in this particular case, the respondent company unjustifiably prevented the exercise of the complainant’s rights in violation of the provisions stipulated in Article 12(2) of the GDPR and that the processing in question took place without a lawful basis, given that there was already a judicial relief from the complainant’s debts in violation of the provisions of Articles 5(1)(a), 5(2) and (6) of GDPR.
– On 8 September, the French Data Protection Authority (CNIL) issued a fine of 250 000 euros to INFOGREFFE for the infringement of Article 5.1.e and Article 32 of the GDPR. Following a complaint, CNIL carried out an online investigation of the infogreffe.fr website, which allows users to consult legal information on companies and order documents certified by the commercial court registries. The investigations focused in particular on the data retention periods defined and the security measures implemented by the economic interest group INFOGREFFE, which provides the legal information publishing service on companies via the website. The investigation found:
· Failure to comply with the obligation to keep data for a period of time proportionate to the purpose of the processing (Article 5.1.e of the GDPR);
· Failure to comply with the obligation to ensure the security of personal data (Article 32 of the GDPR).