Newsletter No. 13
1. Information and training activities carried out by the NCPDP
During the fourth quarter of 2022, the National Center for Personal Data Protection (NCPDP) organized 8 training courses for local public authorities (LPAs), attended by about 226 persons, and 5 training courses for central public authorities (CPAs) and other entities, at which about 425 representatives were trained, as well as 125 participants from the Academy of Public Administration and Mobiasbanca (OTP Bank).
For LPAs the training was conducted as follows:
– On 11 October – Cimișlia District Council;
– On 27 October – Șoldănești District Council;
– On 04 November – Cantemir District Council;
– On 25 November – Ștefan Vodă District Council;
– On 18 November – Ocnița District Council;
– On 2 December – Basarabeasca District Council;
– On 9 December – Criuleni and Dubăsari District Councils;
– On 20 December – Taraclia District Council.
As for other entities, the NCPDP organized training sessions for:
– representatives of the National Bank of Moldova on 10 and 17 October;
– Academy of Public Administration – on 18 October;
– Mobiasbanca (OTP Bank) – on 22 and 24 November;
– Customs Service – on 17 October, as well as on 19-21 December.
Thus, during this period, the NCPDP managed to train a significant number of people across the country.
Moreover, it is worth mentioning that during 2022 all LPAs in the Republic of Moldova received training.
Also, during the same period, in order to raise awareness of personal data protection, the NCPDP organized a workshop for pupils of the 5th-6th grades of IPLT “Gheorghe Asachi” in Chișinău municipality. The workshop aimed to inform pupils about personal data protection and children’s safety in the online environment, and to promote best practices for intervention and support.
2. Control Activity
In the period October – December 2022, the NCPDP initiated compliance checks on the processing of personal data in 53 cases. In the reference period, 57 decisions were issued, in 17 of which a breach of the law was found; 31 minutes of infringement proceedings were drawn up and subsequently submitted to the court for resolution.
3. Findings of the National Centre for Personal Data Protection
I. The NCPDP examined the complaint of a personal data subject concerning the allegedly non-compliant processing, by a natural person, of personal data stored in the Real Estate Register.
During the investigation, it was found that the operations of accessing data on the real estate owned by the data subject were said to have been carried out for the purpose of purchasing a property located in the same area, but the controller presented no evidence confirming these statements.
Furthermore, the NCPDP found that in this case the controller did not provide statements justifying, in particular, the necessity of accessing the data subject’s personal data, nor did it demonstrate a causal link between the personal data of the property owner and the purpose of the access.
In this context, by its decision the NCPDP found that the operation of accessing personal data relating to the data subject’s real estate was carried out by a natural person in breach of Article 4 para. (1) letters a) and b) and Article 5 of Law no. 133 of 08.07.2011 on personal data protection, namely without a determined, explicit and legitimate purpose.
II. The NCPDP received a complaint from a personal data subject who requested verification of the lawfulness of personal data processing operations concerning him, carried out by 8 (eight) entities (hereafter – data controllers) and consisting in accessing personal data stored in several automated record systems (RSP, RST, RBI, etc.), amounting to more than 400 accesses, as well as of the failure to ensure the exercise of the complainant’s right of access to his personal data.
In these circumstances, the NCPDP ordered the examination of the lawfulness of the processing operations of the data subject’s personal data carried out by each controller.
Thus, as a result of the investigations, with regard to three data controllers the NCPDP found that they had processed the personal data of the data subject in compliance with the requirements of Law No. 133/2011. In the case of five data controllers, the NCPDP found a violation of the provisions of the aforementioned Law: the controllers either could not justify the purpose and legal basis of the processing operations concerning the data subject’s personal data, or could not identify the users who had carried out certain consultation/viewing operations on those data, so that the purpose of the processing could not be established.
Furthermore, with regard to one data controller (a legal entity), the NCPDP established that, although the complainant had exercised his right of access to his personal data processed by the entity by sending a request to the controller pursuant to Article 13 of Law No. 133/2011, the controller did not respond to his request, contrary to the aforementioned legal provisions.
III. The NCPDP examined a complaint received from the Effective Inspection Department of the General Inspectorate of Police concerning alleged unlawful acts committed in the processing of a data subject’s personal data by police employees of a territorial Police Inspectorate.
In this context, the NCPDP determined that a character reference and a criminal record extract concerning the data subject, documents containing personal data such as year of birth, state identification number (IDNP), data from the registration certificate, family status, home/residence address, behaviour (characterising the person) and personal data relating to traffic offences imposed, were issued and released by the person in charge within the public authority without a legal basis and without the consent of the data subject, without a request from the data subject or from a lawyer acting in his/her interest, and without a court request for the release of these documents. These actions are contrary to the legal conditions provided for in Art. 4 para. (1) (a), Art. 5, Art. 8 and Art. 9 of Law no. 133 of 8 July 2011 on personal data protection.
4. Supervisory activity
In accordance with the provisions of Art. 25 para. (6) of Law no. 133/2011 on personal data protection, the controller or processor is obliged to publish the contact details of the data protection officer and communicate them to the NCPDP. Thus, during the reference period, the NCPDP received 11 letters informing it of the designation of a data protection officer by the respective entities, mainly private ones.
At the same time, the following guidelines were developed and published on the official website of the NCPDP under the section “Data controller/NCPDP recommendations”: “Guidelines on personal data protection impact assessment (DPIA)” and “Guidelines on the processing of personal data through video devices”.
In order to provide methodological and advisory support to personal data controllers and/or processors, more than 204 telephone consultations and 21 responses via e-mail were provided and recommendations were proposed to resolve discrepancies identified by the data controller.
5. International and European news
On 10 October, the 70th Plenary Session of the European Data Protection Board (EDPB) took place in Brussels, Belgium.
During the Plenary, the EDPB adopted several documents, including:
· A list of aspects in national procedural law that the EDPB wishes to see harmonised at EU level to facilitate GDPR enforcement. This “wish list” is one of the key actions set out in the EDPB’s Vienna statement on enforcement cooperation.
· An Opinion on the approval by the Board of the Europrivacy certification criteria submitted by the Luxembourg data protection authority. This Opinion marks the approval of the very first European Data Protection Seal by the EDPB pursuant to Art. 42 (5) GDPR. The Europrivacy certification mechanism is a general scheme that targets a large range of different processing operations performed by both controllers and processors from various sectors. The scheme includes specific criteria that make it scalable and applicable to specific processing operations or sectors of activity.
· A statement on the digital euro. In its statement, the EDPB reiterates the importance of ensuring privacy and data protection by design and by default in this project, recommending that the digital euro be made available both online and offline, with a threshold below which no tracing is possible, to allow full anonymity of daily transactions.
On 19-20 October, the meeting of the Moldova-EU Subcommittee on Freedom, Security and Justice (LSJ Subcommittee) took place in Brussels, Belgium.
During the meeting, topics discussed included developments in the field of personal data protection, justice sector reform, preventing and combating organised crime, corruption and other illegal activities, money laundering and terrorist financing.
The meeting also presented the progress made in the above-mentioned areas since the last meeting held on 12-13 October 2021, online. The meeting included representatives of several authorities of the Republic of Moldova, such as: the National Anti-Corruption Centre; the General Prosecutor’s Office; the National Integrity Authority; the Ministry of Internal Affairs; the National Institute of Justice; the Office for Prevention and Combating of Money Laundering.
On 9 – 11 November, the OSCE Mission to Moldova, in cooperation with the OSCE Mission for Conflict Prevention in Vienna, continued the project entitled “Joint Expert Working Group” started last year. The event took place in Vienna, Austria and aimed at capacity building for female leaders. The objective of the project was to enable women co-chairs and women in key positions to participate more effectively in the work of the Joint Expert Working Group in the Transnistrian settlement process by improving technical skills and strengthening personal relationships between the representatives of the parties. The event addressed a number of topics, including: gender dynamics; gender analysis of conflicts; negotiation behaviour; enlarging the space for maneuver in negotiation processes; etc.
On 14 November, the 71st Plenary Session of the European Data Protection Board took place online. During the plenary session, the EDPB adopted the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C). BCR-Cs are a transfer tool that can be used by a group of undertakings or enterprises, engaged in a joint economic activity, to transfer personal data outside the European Economic Area to controllers or processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the GDPR. The aim of these recommendations is to:
· provide an updated standard application form for the approval of BCR-Cs;
· clarify the necessary content of BCR-Cs and provide further explanation;
· make a distinction between what must be included in a BCR-C and what must be presented to the BCR lead data protection authority in the BCR application.
A second set of recommendations for BCR-processors is currently being developed.
The 43rd Plenary Meeting of the Consultative Committee of Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data took place on 16-18 November, in Strasbourg, France. The event, held in person after three years of online/hybrid meetings, brought together around 80 participants from all regions of the world for three days to work and exchange views on various topical issues in the field of personal data protection and to contribute to the development of common policies.
Among the topics and items addressed during this session were:
· Digital identity;
· Model contractual clause for the transfer of personal data;
· Cooperation with other Council of Europe bodies and entities;
· The Committee organised elections and elected the new Bureau;
· Observers – The Committee examined and approved two requests to attend the Committee’s meetings respectively introduced by the Organisation of American States and the Burkina Faso Data Protection Authority;
· Upcoming 2022 and 2023 meetings – the Committee reported on the dates of the next plenary meetings, to be held on 14-16 June 2023 and 15-17 November 2023, as well as the next Bureau meetings on 15-16 December 2022, 22-24 March 2023, 27-29 September 2023 and 12-14 December 2023;
· Stefano Rodotà Award – The two winners of the 2022 Rodotà Award presented their work to the Committee and received their awards.
On 18-19 November 2022, the representatives of the NCPDP participated in the European Case Handling Workshop 2022, held in Tbilisi, Georgia.
The event focused on current issues in the field of personal data protection and privacy, in particular:
· The steps taken by employees of the authorities in investigations;
· Social data protection, guidelines and exceptions in national legislation;
· International transfers of personal data;
· Personal data and artificial intelligence;
· Main challenges faced by data supervisory authorities, etc.
Attending the event, the representatives of the NCPDP addressed the topic “The experience of the Republic of Moldova and the methodology of examining the complaints having children as data subjects”. The invitation to participate in the Workshop came from the Personal Data Protection Service of Georgia, which has been supervising the lawfulness of personal data processing since 2013. The event brought together around 50 participants from 26 European countries.
On 12-14 December, the meeting of the CyberEast project (Action on Cybercrime for Resilience in the Eastern Partnership Region) took place in Tbilisi, Georgia. It included two major events: the 6th EU-CoE CyberEast Project Steering Committee Meeting and the Regional Cyber Reporting and Data Sharing Session, which aims to support Eastern Partnership countries in building and maintaining partnerships with private sector entities, mainly Internet Service Providers (ISPs), in order to strengthen cooperation and trust mechanisms between the private sector, citizens and criminal justice authorities. The meeting addressed several topics, including:
· Cybercrime/Cybersecurity Reporting. Reporting challenges;
· Classification of cyber incidents/cybercrimes. Use of taxonomies and their necessity;
· Examples of reporting systems: ideas for improvement for national systems;
· National SOPs and segregation of duties;
· Public-private cooperation in Ukraine: focus on new procedural legislation and use of procedures/models;
· Which types of data can be shared by CSIRTs, and how.
The 73rd Plenary Session of the European Data Protection Board took place on 13-14 December, in Brussels, Belgium. During the meeting, the EDPB adopted a statement on the recent judgment C-817/19 of the Court of Justice of the European Union (CJEU) on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, under the PNR Directive 2016/681. In its statement, the EDPB calls on EU Member States to take all necessary steps at legislative and/or administrative level to ensure that their respective national transposition and implementation of the PNR Directive are in line with the Charter as interpreted by the CJEU. In this regard, the EDPB notes that Data Protection Authorities are fully competent to investigate compliance with EU data protection requirements at national level.
The 57th Meeting of the Bureau of the Consultative Committee of Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data took place on 15-16 December. Several topics were discussed during the meeting, including:
· Convention 108+, state of play;
· Digital identity;
· Data protection for the processing of personal data for Anti-Money Laundering / Countering Financing of Terrorism purposes;
· Model contractual clauses for the transfer of personal data;
· Interpretation of Article 11 of the modernised Convention 108;
· Major developments and activities in the field of data protection;
· Cooperation with other Council of Europe bodies and entities.
6. Other data protection authorities
On 19 October, the French Data Protection Authority (CNIL) issued an administrative fine in the amount of 20 million euros to Clearview AI for the infringement of Articles 6, 12, 15, 17 and 31 of GDPR.
The CNIL had received numerous complaints from individuals about Clearview AI’s facial recognition software and launched an investigation.
As a result of the investigation, the CNIL found several violations, such as:
· Unlawful processing of personal data (breach of Article 6 of the GDPR);
· Individuals’ rights not respected (Articles 12, 15 and 17 of the GDPR);
· Lack of cooperation with the CNIL (Article 31 of the GDPR).
On the basis of the information brought to its attention, the CNIL decided to impose the maximum financial penalty of 20 million euros, pursuant to Article 83 of the GDPR.
In view of the very serious risks to the fundamental rights of the data subjects resulting from the processing carried out by the company, the CNIL decided to order Clearview AI to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it had already collected, within a period of two months, adding to this injunction a penalty of 100,000 euros per day of delay beyond these two months.
On 24 November, the French Data Protection Authority (CNIL) issued an administrative fine in the amount of 600,000 euros to Electricité de France (EDF) for the infringement of Articles 7, 13, 14 and 32 of the GDPR and of the Postal and Electronic Communications Code.
The CNIL had received many complaints regarding difficulties encountered by individuals in having their rights honoured by the company EDF, the leading electric utility in France.
Following the investigations, CNIL found several violations, such as:
· Failure to collect the consent of individuals to receive commercial prospecting by e-mail (Article L. 34-5 of the French Postal and Electronic Communications Code and Article 7 of the GDPR);
· Failure to inform individuals and to respect the exercise of their rights (Articles 13 and 14 of the GDPR);
· Failure to ensure the security of personal data (Article 32 of the GDPR).
The amount of the fine was decided taking into account the breaches observed, the cooperation of the company and all the measures it took during the proceedings to remedy the alleged breaches.
On 2 November, the Portuguese Data Protection Authority (CNPD) issued a fine in the amount of 4.3 million euros to the Portuguese National Statistics Institute (INE) for the infringement of Article 9(1), Article 12, Article 13, Article 28(1), (6) and (7), Article 35(1), (2) and (3)(b), Article 44, Article 46 and Article 83 of the GDPR.
The CNPD had received several complaints about the national census survey, which was still underway at the time. For the performance of the census, INE used the CDN (content delivery network) services of a US company, Cloudflare, Inc., which operates over 200 data centres spread over 100 countries. In light of the complaints received, the CNPD opened an inquiry. At that point, circa 2.5 million forms, containing the personal data of over six million citizens residing in Portugal, had already been submitted to INE.
As a result of the subsequent investigation, the CNPD identified five infringements of the GDPR in the context of the Census 2021 data processing, regarding the following issues:
· Lack of lawfulness for the processing of special categories of personal data (article 9(1) GDPR).
· Lack of compliance with transparency obligations (articles 12 and 13 GDPR), in particular regarding the provision of any information concerning the processing operations, e.g. through the display of a privacy notice on the INE institutional website.
· Lack of a Data Protection Impact Assessment (article 35(1),(2) and (3)(b) GDPR).
· Lack of due diligence concerning the choice of the processor (Article 28(1), (6) and (7)), namely by accepting a standard contract that was not assessed in substance with regard to the requirements of Article 28(3) GDPR.
· Lack of compliance with the legal requirements for international data transfers (articles 44 and 46(2)), as interpreted by the CJEU in the Schrems II judgement.
In this context, as a result of the facts and the legal reasoning, the CNPD determined that the controller infringed different GDPR provisions in the context of the 2021 Census data processing and therefore decided, pursuant to article 58(2)(i) and article 83 GDPR and some national provisions, to apply one single fine of 4.3 million euros to the controller. This decision is final, but can be challenged in the national courts.