1. Information and training activities performed by NCPDP
In the period May to July 2020, the National Center for Personal Data Protection (NCPDP) organized a series of workshops and participated in several webinars related to the field of personal data protection organized for various public authorities and private entities.
At the same time, it should be mentioned that, pursuant to Decision no. 6 of National Extraordinary Commission of Public Health of the Republic of Moldova from 10.03.2020, following the evolution of the epidemiological situation at national level, in order to ensure the protection of life and health of employees and visitors of the institution, and to prevent the spread of COVID-19 virus, NCPDP, like other state institutions, had in a special work regime, thus limiting itself only to the strictly necessary activities.
· On May 19, 2020, a working meeting was organized at the NCPDP headquarters with the participation of the high management of the Customs Service of the Republic of Moldova and the National Authority for Personal Data Protection. During the working meeting, some aspects regarding the compliance of the Customs Service of the Republic of Moldova with the provisions of the legislation in the field of personal data protection, including the notification of the video surveillance filling system and other personal data filling systems managed by the entity concerned, in particular the Integrated Customs Information System, were discussed
· On June 4, 2020, at the invitation of the high management of the Congress of Local Authorities of Moldova (CALM), NCPDP’s representatives gave a speech in a webinar addressed to secretaries of local councils, members of Secretaries Network of CALM, on “Security policy development and the Regulation on the processing of personal data under the LPA”. The webinar was attended by about 85 secretaries of local councils.
· On June 4, 2020, a working meeting was organized at the NCPDP’s headquarters with the participation of the high management of Î.C.S. Metro Cash & Carry Moldova S.R.L. and the National Authority for the Protection of Personal Data. During the working meeting were discussed some issues regarding the compliance of Î.C.S. Metro Cash & Carry Moldova S.R.L. with the provisions of the legislation in the field of personal data protection, including the notification of the video surveillance filling system.
· On July 27, 2020, at the request of the Training Center in the Field of Labor Relations, the NCPDP’s representative participated as a trainer, moderating a seminar on personal data protection in which the following topics were addressed:
l) general notions of personal data;
2) registration of the employer (enterprise) as a personal data controller;
3) protection of personal data of employees.
The seminar was attended by about 90 employers and representatives of employers such as accountants, directors, lawyers, heads of departments, as well as specialists in the field of human resources.
• On July 31, 2020, NCPDP’s representatives participated at the invitation of the USAID Moldova Structural Reforms Program in online discussions with institutions in the field of personal data protection, consumer protection and competition protection. The purpose of the thematic discussions and consultations in question was to conduct a complex study of the realities of e-commerce in the Republic of Moldova, at all levels, but also to address specific recommendations for the promotion of e-commerce.
Regarding the courts, during the reference period (May 20, 2020), the Supreme Court of Justice decided irrevocably to maintain in force the decision of the NCPDP of November 16, 2018, which found the processing of personal data inconsistent with the requirements of the legislation in the field of personal data protection by the Ministry of Internal Affairs, in the Automated Information System “Register of forensic and criminological information”, the latter being obliged to destroy information containing personal data relating to the data subject covered by this processing, which were collected / obtained from unrecognized authorities / institutions from the Transnistrian region.
2. The control activity of NCPDP
During the reference period, NCPDP carried out a number of 92 investigations on data controllers, in order to verify the lawfulness conditions of personal data processing performed. Out of the 92 investigations – 12 investigation procedures were initiated as a result of the self-notification of the NCPDP in connection with an alleged non-compliant processing of personal data. Out of 92 investigations, on 38 completed cases, the violation of the legal provisions was found, 52 minutes regarding the contravention were concluded, being subsequently submitted to the court for settlement.
3. The supervision activity of NCPDP
During the reference period, 268 notifications were submitted for examination at the “One-Stop Shop” of the NCPDP for the registration of personal data controllers and / or managed filing systems. Following the analysis of those notification forms, 131 authorization decisions and 137 refusal decisions were issued. Thus, about 98 data controllers and 131 personal data filing systems were registered in the Register of evidence of personal data controllers, which indicates an increased interest of data controllers to comply with the rules established by Law no. 133 of July 8, 2011 on personal data protection, compared to the previous period.
4. European and international news
In the period May to July, 2020, several plenary sessions of the European Data Protection Board were held. The meetings took place remotely, each of them addressing one or two topics. Among the most important are: the 25th and 26th plenary sessions, which focused on the EDPS letter on the Polish presidential election by postal vote and the decrees of the Hungarian government on coronavirus during the state of emergency. The 28th plenary session, which discussed topics such as: the letter from Amazon to the President of the EDPB on the COVID-19 project, the processing of personal data for the purpose of reopening EU borders in the context of COVID-19, the website of the EDPB – the publicly available summaries of art. 60. The 34th meeting, which discussed: Decision SCHREMS II of the European Court of Justice, Decision of the French Council of State on the guidelines on CNIL cookies, Decision of the French Council of State on the sanction of Google. GOOGLE / FITBIT merger, transparency of EDPB minutes.
5. Other data protection authorities
During the above-mentioned period, several European data protection authorities carried out investigations which led to the imposition of administrative fines on data controllers in various sectors of activity. Regarding this aspect, the following should be mentioned:
– an administrative fine of 120 000 Swedish kronor (approx. 11 000 euro) against the Healthcare Committee in Region Örebro County is imposed by the Swedish Data Protection Authority for wrong publishing on the region’s website sensitive personal data about a patient admitted to a forensic psychiatric clinic.
– a fine of 50 000 Danish kroner against the Danish recruitment company JobTeam has been proposed by the Danish Data Protection Authority for not metting the basic requirements of the General Data Protection Regulation (GDPR) that personal data must be processed lawfully, fairly and transparently.
– an administrative fine of 72 000 EUR on Taksi Helsinki is imposed by the Finnish Data Protection Authority for processing the personal data of drivers, staff and the customers of its drivers with a camera surveillance system that records both video and audio, that was not in line with the GDPR’s principle of data minimisation.
– a fine of 5 000 EUR on a candidate in local elections is imposed by the Litigation Chamber of the Belgian Data Protection Authority for using the staff registry of a municipality to send election propaganda (in the form of a letter) to staff members.
– a fine of 10 000 EUR on a controller is imposed by the Belgian Data Protection Authority for sending a direct marketing message to the wrong person and for not responding adequately to the data subject’s subsequent request for access to his data.
– a fine of 800 000 EUR on a Dutch organization is imposed by the Netherlands Data Protection Authority for failing to comply with the right of access of data subject. Specifically, the entity in question charged an annual amount for accessing that data online, and if they wanted to receive that information by mail, applicants could obtain it free of charge, but only once a year.
– a fine of 600 000 EUR on Google Belgium is imposed by the Belgian Data Protection Authority for not respecting the right to be forgotten of a Belgian citizen, and for lack of transparency in its request form to delist.