Newsletter No. 25
10 Views
I. Information and training activities carried out by NCPDP
In the first quarter of 2026 (January–March), the National Center for Personal Data Protection (NCPDP) continued to register significant progress in its efforts to inform and raise awareness among the general public regarding personal data protection. Through various initiatives, the institution sought to strengthen the public’s understanding of the importance of respecting the right to privacy and the rules governing the processing of personal data. These actions have contributed to increasing the sense of responsibility among both individuals and controllers, with a view to ensuring compliance in the processing and protection of information containing personal data.
During the reporting period, training courses continued to be organized for the subdivisions of the General Police Inspectorate (GPI), in accordance with the training plan approved and signed by the heads of the NCPDP and the GPI on January 28, 2026.
Thus, training courses were organized for the following subdivisions:
- February 13 – Forensic and Judicial Expertise Centre;
- February 17 – Northern Investigation Directorate of the National Investigation Inspectorate;
- February 20 – Southern Investigation Directorate of the National Investigation Inspectorate;
- February 27 – Călărași Police Inspectorate.
In this context, 166 representatives from the GPI subdivisions were trained.
At the same time, the organization of training courses for the subdivisions of the General Inspectorate of Border Police (GIBP) continued, in accordance with the training plan approved and signed by the heads of the NCPDP and the GIBP on January 28, 2026.
Thus, on February 12, 45 representatives of the Eastern Regional Directorate of the GIBP were trained.
During the reporting period, the NCPDP demonstrated openness and a spirit of cooperation by organizing a series of training courses for representatives of public/private institutions, at their request.
Thus, training courses were organized for the following institutions:
- February 19 – Information Technology Service of the Ministry of Internal Affairs;
- February 23 and 24 – Customs Service;
- February 26 – Public Institution Real Estate Cadastre.
In this context, 372 representatives of the above-mentioned institutions were trained.
The training courses aimed to familiarize participants with aspects related to the field of personal data protection, the regulation of processing procedures, as well as the confidentiality and security regime of personal data in accordance with the legislation in force. During the events, important topics were discussed, such as: the definition of general notions related to the field of personal data protection; principles and legal grounds for the processing of personal data; the rights of data subjects; the processing of special categories of personal data; requirements regarding the protection of personal data in the exercise of professional duties; ensuring the security and confidentiality of processed personal data; aspects related to the designation of the Data Protection Officer (DPO), as well as their obligations and duties; aspects related to the Data Protection Impact Assessment (DPIA), as well as the stages of conducting a DPIA, etc.
At the same time, the information and awareness-raising campaign for the school community was continued with the generic “Personal Data Protection and Children’s Safety in the Online Environment”. The purpose of the campaign was to increase children’s awareness and education regarding: the importance of personal data protection; the identification of risks in the online environment; adopting responsible, safe and informed behavior in the digital space to support children to browse the Internet safely, ethically and informed, reducing their vulnerability to online threats.
The topics addressed during the campaign included: what is personal data; how to protect your personal data online; risks and threats in the online environment; safety on communication platforms and online games, etc. The training course was organized on February 4 for the “Principesa Natalia Dadiani” Theoretical High School, with 34 students being trained.
II. Control activity
Between January and March 2026, the NCPDP initiated the verification of the compliance of personal data processing operations in 68 cases. During the reporting period, 62 decisions were issued, of which 39 cases were found a violation of legal provisions. During the same period, 35 reports of administrative offenses were drawn up, which were subsequently submitted to the court for resolution.
III. Findings of the National Center for the Protection of Personal Data
1. Following the examination of the request submitted by the Audiovisual Council of the Republic of Moldova, whereby the position of the NCPDP was sought regarding the alleged non-compliant processing of personal data of minors included in a video report broadcast by a media company, the NCPDP, pursuant to Article 27(4) of Law No. 133/2011 on Personal Data Protection, initiated a control procedure.
In this case, it was established that a media company published a report in which images of minors were broadcast without the application of anonymization measures, including footage from the sleeping room, which constituted a disproportionate interference with their private life.
During the control procedure, the NCPDP found that the consent granted by the parents to the kindergartens limited the use of children’s images to educational purposes and the promotion of the institution, subject to the approval of the administration; however, the broadcasting of the images without depersonalization exceeded these limits.
Freedom of expression is not an absolute right and must be balanced with the right to private life, especially in the case of minors. The identity of the children was not relevant to the subject of the report, and the issue could have been illustrated through general footage or blurred images.
The case law of the European Court of Human Rights (ECHR) confirms that the publication of images of minors without parental consent violates Article 8 of the European Convention on Human Rights (ECHR). In this case, the media company, acting as a controller, violated the obligations provided by Law No. 133/2011 on Personal Data Protection, including the principles of proportionality and confidentiality.
The NCPDP established that the processing of minors personal data concerned in the report broadcast by the media company contravened the legal provisions set out in Article 4(1)(a) and (c), and Article 29 of Law No. 133/2011 on Personal Data Protection.
At the same time, the NCPDP reiterates the importance of protecting the personal data of minors by educational institutions, emphasizing that respect for these rights is essential for the safety and dignity of children.
2. The NCPDP received a complaint from a personal data subject requesting the verification of the legality of the personal data processing operations concerning them, carried out by a company from the Republic of Moldova (hereinafter – the controller), in the context of the use of such data for commercial prospecting purposes.
In order to examine the circumstances of the case, the NCPDP initiated a control procedure, requesting from the controller information regarding the legal basis and purpose of the data processing, the manner in which the data were collected and used, the existence of consent, as well as the mechanisms for informing data subjects and enabling them to object.
As a result of the verifications carried out, the Supervisory Authority found that the personal data had been collected in the context of purchasing tickets through a digital platform, where acceptance of the terms and conditions constituted a mandatory condition for completing the transaction. At the same time, information regarding the use of data for commercial prospecting purposes was included in the privacy policy, without the existence of a separate mechanism for expressing consent for this purpose.
At the same time, the NCPDP established that the controller pursued two distinct processing purposes, namely the performance of the contract and the subsequent transmission of commercial communications, but failed to ensure the separation of consent for each of these purposes. Under these circumstances, the data subject did not benefit from a real and effective option to accept or refuse the processing of data for commercial prospecting purposes without affecting the possibility of purchasing the service.
It was established that the agreement expressed through the general acceptance of the terms and conditions does not meet the legal requirements of valid consent, as it was not freely given, specific, informed and unambiguous. Furthermore, the mere provision of data for the purpose of contract performance cannot be interpreted as an unequivocal expression of will for an additional purpose.
With regard to the invocation of the legitimate interest of the aforementioned company as a legal basis for the processing, the Authority found that the controller failed to demonstrate the existence of a genuine legitimate interest and its prevalence over the rights and freedoms of the individual, as no appropriate proportionality test had been carried out. Consequently, this legal basis was considered unfounded.
The NCPDP emphasized that the legal bases for processing are distinct in nature and cannot be confused or used cumulatively for the same purpose. The performance of a contract justifies only the processing operations necessary for the fulfillment of contractual obligations, while processing for additional purposes, such as commercial prospecting, requires a separate legal basis.
At the same time, it was determined that the inclusion of clauses in internal regulations or privacy policies cannot derogate from the mandatory rules governing personal data protection and cannot substitute the legal requirements for obtaining valid consent.
Thus, following the examination of the complaint, the NCPDP established, by decision, that the processing of personal data concerning the data subject for commercial prospecting purposes had been carried out in violation of the provisions of Article 4(1)(a), (b), (c), and Article 5(1) of Law No. 133 of 08.07.2011 on Personal Data Protection.
IV. Prevention activity
During the reporting period, the NCPDP resumed the organization of training courses for persons designated by the controller or by the processor acting on behalf of the controller as Data Protection Officers. This obligation is established by the provisions of Law No. 133/2011 on Personal Data Protection, which imposes on the controller and the processor the duty to designate a Data Protection Officer in the cases provided for under Article 25 of the aforementioned law.
The purpose of the training course, which took place on February 5, was to strengthen theoretical knowledge in the field of personal data protection and practical skills regarding the application of normative acts and the requirements of the relevant legislation. During the event, topics specific to the activity of the Data Protection Officer (DPO) were addressed, such as: the role and position of the DPO within the organization; their duties and responsibilities under the legislation; monitoring compliance with legal provisions on data protection; advising the controller or processor; cooperation with the supervisory authority; handling requests from data subjects; involvement in the Data Protection Impact Assessment (DPIA); ensuring compliance through internal policies and staff training; as well as the management of personal data security incidents. During the event, 15 DPOs from both the public sector and the private sector were trained.
At the same time, for the purpose of fulfilling its advisory tasks, in addition to the multiple responses provided in a consultative capacity, 70 consultations were offered by telephone, via electronic mail or at the authority’s headquarters.
During the reporting period, the NCPDP also provided several clarifications, recommendations, and guidelines for data subjects:
Guidelines/Explanations for the Correct Application of Law No. 195/2024 on Personal Data Protection
The National Center for Personal Data Protection (NCPDP), for informational purposes, announces the development of the Guidelines/Explanations for the Correct Application of Law No. 195/2024 on Personal Data Protection, a normative act which will enter into force starting from August 23, 2026.
The purpose of these Guidelines is to support controllers, processors, as well as other interested parties, in understanding, interpreting and correctly applying the new legal provisions, in a context marked by rapid technological developments and the intensification of personal data flows. The document provides explanations and reasoning intended to clarify the new requirements introduced by the law, promoting a modern approach based on risk assessment and management, as well as on the proactive accountability of controllers.
The Guidelines were developed based on the principles established by Regulation (EU) 2016/679 and are aimed at ensuring a high level of protection of the fundamental rights and freedoms of individuals, strengthening legal certainty and creating a clear and coherent framework that supports consistent practice in the field of personal data protection.
At the same time, the NCPDP specifies that the document is of a guiding nature and constitutes a reference tool for the correct and uniform application of the provisions of Law No. 195/2024 on Personal Data Protection and its constant consultation is recommended.
The full text of the Guidelines/Explanations for the Correct Application of Law No. 195/2024 may be consulted by accessing the following link:
V. International and European News
On January 28, 2026, the NCPDP organized the national conference “Implementation of the Legal Framework on Data Protection: Challenges, Benefits, Resilience”, a landmark event dedicated to strengthening the personal data protection framework in the Republic of Moldova, in the context of its European integration path.
The event took place at a crucial moment for the Republic of Moldova, as a candidate state for integration into the European Union, marked by the adoption of Law No. 195/2024 on Personal Data Protection, which will enter into force on August 23, 2026 and transposes the General Data Protection Regulation (GDPR). The new law establishes a modern data protection regime applicable to both the public and private sectors, contributing to the strengthening of individuals’ fundamental rights and increasing trust in digital processes.
The main purpose of the event was to support public authorities and the private sector in the process of preparing for the implementation of Law No. 195/2024, by strengthening the level of compliance with the new legal obligations.
The discussions benefited from the contributions of experts from European Union Member States, including Estonia, Latvia, Lithuania and Romania, as well as interventions by representatives of the private sector and the IT sector, providing participants with practical perspectives and applicable solutions for the implementation of the new legislation.
The event was organized with the support of the project “Improving Cyber Resilience in Eastern Partnership Countries”, implemented by the e-Governance Academy (eGA) and funded by the European Union, as well as with the support of the European Union Partnership Mission in the Republic of Moldova (EUPM Moldova).
During the period of February 10–11, 2026, the 115th plenary meeting of the European Data Protection Board took place in Brussels.
Throughout the meeting, several agenda items were examined and adopted, starting with the approval of the minutes and the agenda, followed by the adoption of opinions issued under Article 64(1) of the GDPR concerning draft decisions of the Dutch supervisory authority regarding Binding Corporate Rules (BCR-P for Arcadis Group and BCR-C for ABN AMRO Bank). The discussions highlighted the importance of ensuring adequate safeguards for international data transfers and the consistent application of GDPR requirements in a cross-border context.
Furthermore, issues related to the Coordinated Enforcement Framework were addressed, with the presentation of the report on the application of the right to erasure. At the same time, joint EDPB–EDPS opinions on legislative initiatives such as the Digital Omnibus were analysed, as well as preliminary aspects concerning a future European Biotech Act proposal. The meeting also included discussions on the Work Program for the 2026–2027 period, which sets strategic priorities, the development of tools and templates for organizations, and the strengthening of trans-regulatory cooperation.
During the information sessions, national experiences regarding the management of personal data breach notifications were presented, including the model applied by Denmark, as well as the risks to which European Union citizens may be exposed in the context of traveling to third countries. In addition, the conclusions of a stakeholder event dedicated to data anonymization and pseudonymization were discussed, emphasizing the importance of clarifying these concepts and ensuring their correct practical application.
During the period of March 18–19, 2026, representatives of the NCPDP participated in the 65th meeting of the Bureau of the Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) – T-PD-BUR, held in Paris, France.
The meeting aimed at engaging in strategic discussions regarding the development of the international framework for personal data protection, as well as contributing to the implementation of activities set out in the 2026–2029 Work Program.
During the meeting, several key topics were addressed, including:
- the state of implementation of Convention 108+ and the progress of the ratification process of the amending Protocol (CETS No. 223);
- cross-border flows of personal data and the promotion of Model Contractual Clauses (MCC);
- data protection in the context of large language models (LLMs);
- the development of guidelines on data protection in the field of neurosciences.
During the event, the delegation of the Republic of Moldova informed participants about the progress achieved in the national ratification process, noting the approval of the draft law by the Government on March 4, 2026 and its submission to the Parliament for examination and adoption. Participation in this meeting represented an important opportunity to engage in international decision-making processes, exchange best practices and strengthen cooperation in the field of personal data protection.
