Newsletter No. 24
I. Information and training activities carried out by NCPDP
In the last quarter of 2025 (October – December), the National Center for the Protection of Personal Data (NCPDP) continued to register important developments in the achievement of its objectives, placing particular emphasis on planning and carrying out activities aimed at informing and raising public awareness regarding the importance of personal data protection. To this end, various educational initiatives and information campaigns were implemented, aimed both at clarifying citizens’ rights regarding the processing of personal data and at encouraging the adoption of responsible behavior in protecting them.
Through these actions, NCPDP aimed not only to increase the level of knowledge of the applicable normative framework, but also to promote an organizational and social culture based on respect for data confidentiality and security. This approach aims both at ensuring compliance with national and European legislation and at strengthening citizens’ confidence in personal data protection mechanisms.
During the reference period, the organization of training courses for the subdivisions of the General Police Inspectorate (GPI) continued, according to the training plan approved and signed by the heads of the NCPDP and GPI, on January 28, 2025.
Thus, training courses were organized for the following subdivisions:
- October 21 – Florești Police Inspectorate;
- November 4 – Leova Police Inspectorate;
- November 18 – Nisporeni Police Inspectorate;
- December 3 – Ocnița Police Inspectorate.
In this context, 212 representatives from the GPI subdivisions were trained.
At the same time, the organization of training courses for the subdivisions of the General Inspectorate of the Border Police (GIBP) continued, according to the training plan approved and signed by the heads of the NCPDP and GIBP, on January 28, 2025. Thus, training courses were organized for the following subdivisions:
- October 1 – General Inspectorate of the Border Police, West Regional Department;
- October 15 – Border Police Unit “Chisinau International Airport”;
- December 17 – General Inspectorate of the Border Police.
In this context, 213 representatives from the GIBP subdivisions were trained.
In the same way, the organization of training courses for employees within the structural, specialized and territorial subdivisions of the General Inspectorate for Migration (GIM) continued, according to the training plan approved and signed by the heads of the NCPDP and GIM, on January 27, 2025.
Thus, on November 21, the training course was organized for the Central Regional Department of GIM, training 16 representatives.
At the same time, during the reference period, NCPDP demonstrated openness and a spirit of collaboration, organizing multiple training courses for representatives of public and private institutions, at their request.
Thus, training courses were organized for the following entities:
- October 1 – Romanian Investors Association;
- October 3 – Agency for Digitization in Justice and Judicial Administration;
- October 6 – Refugee Council, Dondușeni;
- October 13 – Customs Service;
- October 17 – National Center for Sustainable Energy;
- October 22 – Military Academy of the Armed Forces “Alexandru cel Bun”;
- October 31 – Ministry of Finance;
- November 6 – Superior Council of Magistrates;
- November 25 – Parliament of the Republic of Moldova;
- December 10 – State Social Inspectorate;
- December 11 – Ministry of Infrastructure and Regional Development;
- December 12 – Ministry of Culture.
In this context, 633 representatives of the entities mentioned above were trained.
The training courses aimed to familiarize participants with the field of personal data protection, the regulation of processing activities, and the regime of confidentiality and security of personal data in accordance with the legislation in force. During the events, important topics were discussed, such as: the general notions of the field of personal data protection; principles and legal grounds for the processing of personal data; the rights of data subjects; the processing of special categories of personal data; requirements regarding the protection of personal data in the exercise of service duties; ensuring the security and confidentiality of processed personal data; the appointment of the Data Protection Officer (DPO) and the DPO’s obligations and tasks; the Data Protection Impact Assessment (DPIA) and the stages of carrying out a DPIA, etc.
At the same time, the information and awareness campaign for the school community continued under the generic title “Protection of personal data and safety of children in the online environment”. The aim of the campaign was to increase children’s awareness and education regarding: the importance of personal data protection; identifying risks in the online environment; adopting responsible, safe and informed behavior in the digital space, so that children can browse the Internet safely, ethically and in an informed manner, reducing their vulnerability to online threats. The topics addressed during the trainings concerned: what personal data is; how to protect your personal data online; risks and threats in the online environment; safety on online communication and gaming platforms, etc.
Thus, several training courses were organized:
- October 13 – PITHS “Tudor Vladimirescu”, Chisinau;
- November 5 – PITHS “Universul”, Chisinau;
- November 14 – PITHS “Ștefan cel Mare”, Chisinau;
- December 3 – Art School, Ialoveni.
The events took place during the Personal Development class, the target audience being 4th-grade students. In this context, 163 students were trained.
II. Control activity
Between October and December 2025, NCPDP initiated the verification of the compliance of personal data processing operations in 55 cases. During the reference period, 106 decisions were issued, and in 41 of these cases violations of legal provisions were found. During the same period, 46 contravention reports were drawn up, which were subsequently submitted to the court for resolution.
III. Findings of the National Center for the Protection of Personal Data
1. NCPDP examined the complaint of a personal data subject concerning allegedly non-compliant personal data processing operations, consisting in the disclosure on the Facebook social network of a copy of the petitioner’s notification addressed to a public authority, which contained the data subject’s personal data, namely: name, surname, home address and contact number.
The online publication of such data constitutes a form of personal data processing, within the meaning of Article 3 (1) of Law No 133/2011.
The social network Facebook, by its nature, does not provide effective control over access to published data, which creates a major risk of access, copying, distribution and reuse of the information by third parties. Thus, the controller’s act was likely to expose the data subject to harm to private life, dignity and personal security, which contravenes the principle guaranteed by art. 8 of the Charter of Fundamental Rights of the European Union and art. 4 paragraph (1) letter e) of Law no. 133/2011.
Although the controller failed to provide information that would justify the purpose of publishing the information contained in the notification, it is noted that, even if the controller intended to exercise its right to freedom of expression, the right to personal data protection must be reconciled with the right to freedom of expression and information, and the controller must ensure that the processing is proportionate, non-excessive, necessary and justified by significant reasons of public interest.
Data that are not relevant to the purpose pursued should not be published. Even if the information was obtained and kept lawfully, it must be analyzed separately which information is appropriate to publish. It should be determined how much personal data needs to be published to properly relate the facts, balanced against the level of intrusion into the privacy of data subjects and the potential harm this can cause. The controller should depersonalize personal data before publication in situations where their disclosure is not necessary for the full presentation of the reported facts.
Thus, the NCPDP found, in this case, a violation of the provisions of art. 4 paragraph (1) letters a) and c) and art. 5 paragraph (1) of Law no. 133/2011 on personal data protection, and initiated contravention proceedings in the case.
2. NCPDP examined the complaint of a personal data subject concerning allegedly non-compliant personal data processing activities carried out by the responsible person within a communal Council, consisting in the publication of a Decision regarding the designation of candidate members for the establishment of electoral bodies, together with an annex containing confidential information on the members of the electoral bodies (name, surname, IDNP, year of birth, contact details), in the State Register of Local Acts (SRLA) and on the web page of the local public authority.
Thus, by the NCPDP Decision it was found that the processing of personal data concerning the data subject was carried out in violation of the provisions of art. 4 para. (1) letters a), b) and c), art. 5 and art. 29 para. (1) of Law no. 133/2011 on personal data protection. The Decision emphasized that administrative documents containing such personal data cannot be published or publicly viewed in their initial/full form: access to them in the SRLA is restricted, and viewing documents in full format is possible only for authorized employees, in the manner established by Government Decision no. 672/2017 for the approval of the regulations regarding the State Register of Local Documents. In this context, the range of information concerning the data subject that was processed does not comply with the principles of proportionality, adequacy, relevance and non-excessiveness of data processing.
3. The NCPDP received the complaint of a personal data subject regarding the alleged illegal processing of personal data concerning him, carried out by an ascertaining agent of a specialized subdivision within a public authority, who, allegedly without a legal basis, accessed, processed and extracted personal data after a decision had been adopted in the contravention proceedings and the minutes regarding the contravention had been drawn up, with the information subsequently being sent to the court.
In these circumstances, the NCPDP initiated the verification of compliance with the provisions of Law no. 133/2011 on personal data protection, when processing the personal data of the data subject.
From the materials accumulated during the control procedure, it was established that the processing of the data subject’s personal data, consisting in the consultation and extraction of information from an automated record information system by the ascertaining agent, was aimed at preparing and remitting the contravention file to the court, following the appeal against the minutes regarding the contravention submitted by the data subject.
Under these conditions, no violation of the provisions of Law no. 133/2011 on personal data protection by the ascertaining agent was found: the annexation and remittance of evidence/documents containing the data subject’s personal data to the court examining the appeal filed by the data subject against the minutes regarding the contravention cannot be qualified as non-compliant processing, as long as the court to which the personal data is communicated uses it in the exercise of the powers established by law.
IV. Prevention activity
During the reference period, in carrying out its advisory tasks, in addition to the multiple written answers provided for advisory purposes, NCPDP provided 90 consultations by phone, via e-mail or at the authority’s headquarters.
V. International and European News
- The NCPDP senior management participated in the 109th Plenary Meeting of the European Data Protection Board (EDPB), which took place from 7 to 8 October 2025 in Brussels, Belgium.
During the meeting, the EDPB and the European Commission approved their first joint guidelines on the interaction between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). These guidelines have been developed to facilitate the consistent application of both normative acts and to strengthen legal certainty for authorities, companies, users and individuals.
In line with the EDPB Strategy 2024-2027 and the objectives of the Helsinki Declaration, the Committee cooperated with the European Commission, each within its competences, to support the coherent implementation of the DMA and the GDPR. Although DMA and GDPR pursue different goals – GDPR protects the rights and privacy of individuals, and DMA promotes fairness and accountability in digital markets – their goals complement each other, addressing interconnected challenges in the digital environment.
Several provisions of the DMA involve the processing of personal data by controllers, and certain articles make explicit reference to definitions and concepts provided for in the GDPR.
Based on these first common guidelines, work continues to clarify the interregulatory framework and ensure coherent and consistent data protection safeguards. In this regard, the EDPB is working with the European Commission, including the European AI Office, to develop common guidelines on the interaction between the AI Act and EU data protection legislation.
- From November 3 to 5 this year, NCPDP representatives participated in the 49th plenary meeting of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), which took place in Strasbourg, France.
During the meeting, important topics were discussed, including:
- Convention 108+, current ratifications and accessions;
- Cross-border flows of personal data;
- Data protection in the context of large language models (LLMs);
- Cooperation with other bodies and entities of the Council of Europe;
- Major developments and activities in the field of data protection, etc.
At the same time, after a detailed analysis, the Committee adopted the Work Program for the period 2026–2029, which will be implemented starting from January 2026. The document outlines the strategic directions regarding: strengthening the legal framework of Convention 108+; addressing emerging risks in the field of AI and neurodigital technologies; developing international cooperation tools and technical assistance for member and partner states. The status of the development of the Data Protection Guide in the context of neuroscientific research was also presented; Member States were invited to submit comments by 21 November 2025, and the document will be analyzed in detail at the next plenary session.
The plenary meeting demonstrated the dynamic and evolving nature of the European data protection regulatory framework. The Consultative Committee of Convention 108 continues to play a critical role in guiding public policy, defining the ethical principles of digitization and promoting responsible data governance globally. Participation in this session constituted a valuable occasion for exchanging expertise and strengthening international cooperation, reaffirming our State’s commitment to protecting fundamental rights in the digital age.
- From December 1 to 5, representatives of the NCPDP participated in the third edition of Data Protection Week, which took place in Brussels, Belgium, an event hosted by the European Commission and the EDPB.
The third edition of the Data Protection Week brought together the supervisory authorities from the Eastern Partnership states and the Western Balkans, with the objective of strengthening institutional capacities and facilitating continuous alignment with European standards in the field of data protection.
During the event, important topics were addressed, such as:
- international data flows and their global governance, analyzing recent developments regarding the European framework for international transfers, compliance and cooperation mechanisms with external partners, as well as the strategic trends that define the role of the European Union in the global architecture of data governance;
- algorithmic decision-making processes, where experts illustrated the risks associated with the use of automated systems, addressing essential principles such as transparency, accuracy and avoidance of discrimination;
- EDPB supervisory activities in the field of artificial intelligence, highlighting the roles and responsibilities of the EDPS and the EDPB in the supervision of AI systems and describing the coordination mechanisms between national authorities and European institutions for the coherent application of regulatory standards;
- monitoring emerging technologies, with EDPS experts presenting the tools and activities used to assess the impact of innovative digital solutions;
- data protection in the context of artificial intelligence, in which the EDPS’s new responsibilities in the supervision of AI systems under the EU AI Act were analyzed.
At the same time, activities dedicated to the exchange of experience between the data protection authorities of the Western Balkans and those of the Eastern Partnership were carried out, facilitated by GIZ and SIGMA experts; the discussions aimed at strengthening institutional capacities, addressing the operational challenges encountered in supervisory activity, and identifying effective cooperation mechanisms between the regions.
The participation of NCPDP representatives in the third Data Protection Week demonstrated the importance of the active involvement of the Republic of Moldova in regional and European initiatives in the field of data protection, contributing to the continuous alignment of the national framework with European Union standards and strengthening the institutional role of NCPDP in the process of European transition.
The event, organized within the Project “Public Administration Reform in the Eastern Partnership Countries”, phase III, implemented by GIZ and authorized by the Federal Ministry for Economic Cooperation and Development, brought together representatives of the Data Protection Authorities from Armenia, Moldova, Ukraine, Albania, Bosnia and Herzegovina, Kosovo, Montenegro, North Macedonia and Serbia.
VI. Other data protection authorities
- The Italian Data Protection Authority (SA) imposed fines of 3 million euros on the company Acea Energia spa and 850,000 euros on the agencies involved for violating art. 5 par. (1), art. 6, art. 7, art. 13, art. 24, art. 25, art. 28, art. 29 and art. 32 of the GDPR and art. 130 of the Italian Data Protection Code.
The Italian SA carried out investigations, together with the Guardia di Finanza, following a complaint regarding the illegal activity of unauthorized call centers. These call centers contacted people with offers to change their energy or telephone provider, using databases obtained without consent and without being registered in the Register of Communications Controllers (RCC).
The investigations showed that the personal data of customers who had recently changed their energy supplier was being used to persuade them, through misleading methods, to sign new contracts. The data came from the network of partner companies, without the data subjects being informed.
Although the energy company’s representatives had been in contact with the telemarketing agencies, the company revoked the collaboration and applied corrective measures once it learned of the irregularities.
In this context, the Italian SA imposed fines of 3 million euros on the company Acea Energia spa and 850,000 euros on the agencies involved. The company must notify the affected persons and verify the lawfulness of its subcontractors, and the agencies may no longer use contact lists without a legal basis.
- The Polish Data Protection Authority (SA) applied an administrative fine of 4,022,773 euros to McDonald’s Polska and 43,680 euros to 24/7 Communication for the violation of Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 32 (Security of processing), Article 34 (Communication of a personal data breach to the data subject) and Article 38 (Position of the data protection officer) of the GDPR.
McDonald’s Polska sp. z o.o. (McDonald’s) notified a personal data breach, as controller, having found that the following data of its employees and of its franchisees’ employees were included in a shared file in a public directory: names, personal identification numbers (PESEL numbers), passport numbers (where the PESEL number was not available), McDonald’s restaurant number, start date and time, end date and time, number of hours worked, holidays, type of activity, etc.
Following the investigation, it was found that neither the controller (McDonald’s Polska) nor the processor (24/7 Communication) had carried out a risk analysis or implemented sufficient technical and organizational measures for personal data protection. In addition, the data protection officer was not properly involved, and the obligations to audit and monitor partners were not fulfilled.
The Polish SA emphasized that responsibility for data protection lies both with the companies that collect and manage personal data and with their contractual partners. Security measures must be checked and updated continuously, not only at the start of data processing.
In this context, the Polish SA imposed an administrative fine of 4,022,773 euros on McDonald’s Polska and 43,680 euros on 24/7 Communication.
- The Finnish Data Protection Authority (SA) applied an administrative fine of 1.8 million euros to S-Bank for violating Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default) and Article 32 (Security of processing) of the GDPR.
Following the notification sent by S-Bank in August 2022, the Finnish SA initiated an investigation into a security breach that affected a significant number of the bank’s customers. The vulnerability arose in April 2022, with the release of a new authentication mechanism. Due to a software error in the authentication service, it was possible to log in to the online bank and access digital services using strong authentication with the login data of other customers. This technical failure remained exploitable for more than three months, and some customers were directly affected.
The investigation found that the bank lacked adequate security measures and appropriate technical and organizational controls. The deficiencies included: insufficient testing of the new functionality before deployment; failure to identify the vulnerability during the development and testing stage; and an inadequate response to customer alerts about authentication anomalies.
In this context, the Finnish SA imposed an administrative fine of 1.8 million euros on the controller for violating the provisions of Articles 5(1)(f), 25(1), 32(1) and 32(2) of the GDPR and issued a reprimand for non-compliance with data protection legislation.
When determining the amount of the fine, the Finnish SA took into account the need to protect the rights of the persons concerned, the general seriousness of the incident, as well as the fact that the bank had previously been warned about its obligations. The fine was also adjusted in the context of a separate penalty issued in May 2025 by the Finnish Financial Supervisory Authority, which imposed a fine of €7,670,000 on S-Bank for deficiencies in operational risk management in relation to the same set of events.