Newsletter No. 4
1. Information and training activities performed by NCPDP
Between February 2020 and April 2020, the National Center for Personal Data Protection (NCPDP) organized a series of trainings, workshops and inter-institutional meetings, and participated in international conferences in the field of personal data protection organized by various public and private entities. At the same time, it should be mentioned that pursuant to Decision no. 6 of the National Extraordinary Public Health Commission of the Republic of Moldova from 10.03.2020, following the evolution of the epidemiological situation at national level, in order to ensure the protection of life and health of employees and visitors of the institution and to prevent the spread of the COVID-19 virus, NCPDP, like other state institutions, had a special work regime, limiting itself to strictly necessary activities.
• On February 4, 2020, the NCPDP representatives participated in the International Conference on Personal Data – Practical insights to consider for businesses, an event organized by the European Business Association of Moldova (EBA) in partnership with the Association for the Protection of Private Life. The goal of the event was to share best practices in the context of the transposition of European legislation in the field of personal data protection. The Conference discussed practical issues related to personal data protection as implemented by state institutions and the private sector, represented by data protection officers from European multinational companies in the fields of banking, retail, health and telecommunications (from Moldova, Romania, Hungary and Slovakia).
• On February 7, 2020, an inter-institutional meeting was organized with the representatives of NCPDP and the Ministry of Justice. The dialogue focused on the authorization of the cross-border transfer of personal data, according to art. 32 of Law no. 133 of 08-07-2011 on personal data protection, and on strengthening cooperation between the institutions involved in this area, in order to operationalize the process of authorizing cross-border transfers of personal data.
• On February 14, 2020, a working meeting was held, in the context of drafting the Protocol Decision on the mechanism for the permanent placement of children, identified without legal representatives, with the participation of representatives from the Reintegration Policy office and the Ministry of Health, Labor and Social Protection. During the meeting, issues regarding the situation of minors identified without legal representatives and the need to ensure their return to permanent residence and the identification of the mechanism for transmission of personal data to the Transnistrian authorities, based on the protocol decision, were addressed.
• Additionally, on February 14, 2020, a meeting was held with the head of the Secretariat of the Economic Council under the Prime Minister of the Republic of Moldova (Economic Council), during which the role of the Economic Council in resolving environmental issues was discussed, as well as the need for the private sector to comply with legal requirements for the processing of personal data. Thus, cooperation in the field of personal data protection and ensuring a high level of personal data protection in accordance with European Union standards are objectives shared by both the NCPDP and the Economic Council.
• On February 27, 2020, at the invitation of the International Police Cooperation Center, the NCPDP representatives held an internal training session with the representatives of the International Police Cooperation Center. The discussions addressed topics such as the international and national legal framework in the field of personal data protection, principles of personal data processing, rights of data subjects, protection of information containing personal data, issues related to the processing of personal data in the police sector, the consequences of illegal processing, and practical issues.
• At the same time, during the reference period, the NCPDP issued the institutional opinion on the Processing of personal data in the context of coronavirus pandemic (COVID-19) in the Republic of Moldova. The NCPDP emphasizes the risks and challenges of the protection of individuals with regard to the processing of personal data in the context of combating COVID-19, in particular of patients’ health data.
2. Activity of Control of NCPDP
During the reference period, the NCPDP carried out 44 investigations of data controllers, in both the private and public sectors, in order to verify the lawfulness of the personal data processing performed. Of the 44 investigations, 6 investigation procedures were initiated as a result of NCPDP self-notification in connection with alleged processing of personal data not in accordance with the rules in the field of personal data protection. Of the 44 investigations, 5 cases were finalized: a violation of the legal provisions was found and contravention sanctions in the form of fines were applied by the courts, in the total amount of 22 thousand MDL. The other cases are still under investigation.
In addition, at the “One-Stop Shop” of the NCPDP, 259 notifications were submitted for examination in order to register personal data controllers and/or personal data filing systems. Following the analysis of those notifications, 151 authorization decisions and 108 refusal decisions were issued. Thus, about 95 data controllers and 151 personal data filing systems were registered in the Register of evidence of personal data controllers, which indicates an increased interest of data controllers in complying with the requirements of Law no. 133 of 8 July 2011 on personal data protection, compared to the previous period.
3. European and international news
On February 18th and 19th, the eighteenth plenary session of the European Data Protection Board (EDPB) took place in Brussels. During the plenary, a wide range of topics were discussed:
• Assessment and review by EDPB and national supervisory authorities of the application of the GDPR in the first 20 months.
• EDPB considered the possibility of drafting guidelines to provide further clarification on the application of Articles 46.2 (a) and 46.3 (b) of the GDPR.
• Another issue discussed in the plenary was the Declaration on privacy implications of mergers.
During its February Plenary Session, the EDPB adopted the following documents:
- EDPB Contribution to the evaluation of the GDPR under Article 97
- Guidelines on Articles 46 (2) (a) and 46 (3) (b) for transfers of personal data between EEA and non-EEA public authorities and bodies
- Statement on privacy implications of mergers
- Letter to Hoda
Details are available at: https://edpb.europa.eu/news/news/2020/eighteenth-plenary-session-adopted documents_en
On 19 March 2020, the European Data Protection Board adopted a formal Declaration on the processing of personal data in the context of the COVID-19 outbreak by written procedure. The full statement is available at: https://edpb.europa.eu/our-work-tools/our-documents/other/statement-processing-personal-data-context-covid-19-outbreak_en
The 20th Plenary Session of the European Data Protection Board took place on 7 April 2020. This meeting was organized remotely.
The topics discussed were:
• Processing of personal data to fight COVID-19;
• Request for mandate regarding geolocation and other tracing tools in the context of the COVID-19 outbreak;
• Request for mandate regarding teleworking tools and practices in the context of the COVID-19 outbreak;
• Request for mandate regarding COVID-19 related processing of health data for research purposes in the context of the COVID-19 outbreak;
• Impact of COVID-19 on EDPB activities.
On 21 April 2020 the next online Plenary Session of the European Data Protection Board was held. The following documents were adopted:
• Guidelines no. 3/2020 on the processing of health data for research purposes in the context of the COVID-19 pandemic. The aim of these Guidelines is to clarify issues related to the use of health data, in particular the legal basis for processing, the subsequent use of data for scientific research, including cross-border, and to ensure the rights of data subjects.
• Guidelines no. 4/2020 on geolocation and other tracing tools in the context of the COVID-19 outbreak. The document aims to highlight the conditions and principles for the proportionate use of location data to monitor the spread of the virus, and of tracing tools to notify people who have been close to other people detected as infected. On this occasion, the Committee emphasizes that the use of this data must be voluntary for each person, that the person’s movements must not be monitored, and that the principles of necessity and proportionality must be respected in determining the measures for this period.
4. Other data protection authorities
During this period, several data protection authorities in the European Union carried out investigations which led to the imposition of administrative fines on data controllers in various sectors of activity. Of these, we highlight the following:
• Fine of 27.802.496 € imposed by the Italian Data Protection Authority (Garante per la protezione dei dati personali) for several cases of illegal data processing for marketing purposes. The violations concern millions of people.
• Fine of 75 million SEK imposed by the Swedish Data Protection Authority for non-compliance with the GDPR. The fine was imposed on a search engine operator that failed to fulfill its obligations regarding the right to request removal.
• Fine of 20 thousand PLN imposed by the Polish Data Protection Authority in connection with an infringement concerning the processing of children’s biometric data when using the school canteen.
• Fine of 200 thousand SEK imposed by the Swedish Data Protection Authority on a controller in connection with a personal data breach concerning an error in the IT system for salary administration. The error involved the possibility of unauthorized access to personal data of both the staff of the authorities using the system and third parties.