NEWSLETTER No. 8
1. Information activities performed by NCPDP
– On February 17, 18 and 19, the National Center for Personal Data Protection trained the local authorities from the north, center and south of the Republic of Moldova. The training aimed at familiarizing the participants with video surveillance and live streaming of local councils’ meetings. The participants in the training obtained information about: how the meetings of the local councils are to be live streamed, who is responsible for their live streaming and how the information will be provided. The training took place online and was attended by 300 people.
– At the beginning of March, the students of the Faculty of Law of Moldova State University were familiarized with the mission of the National Center for Personal Data Protection. The event took place online on the Zoom platform, where over 50 students were present. NCPDP employees explained to them which personal data are the most frequently used. These are first name, surname, address, telephone number, e-mail address, location data, IP address, marital status, face photo, habits and preferences, online identifiers and any other data related to the physical, physiological, economic, cultural or social identity that can be used to identify a natural person directly or indirectly. Furthermore, the representatives of NCPDP spoke to the students about the legislation and EU experience regarding personal data protection, ascertained cases of personal data processing, the procedures related to the registration of personal data controllers, and contravention cases and the consequences of non-compliant personal data processing.
– On March 11, NCPDP provided a training course in the field of personal data protection for 50 lawyers from the Republic of Moldova. The training course was delivered within the Council of Europe’s HELP online meeting. The topics addressed during the event were personal data protection and the rights of data subjects in the European Union, as well as the legislation of the Republic of Moldova on personal data protection. Previously, NCPDP had addressed practical aspects of the protection of personal data by lawyers, including by publishing on the website www.datepersonale.md the recommendations “Aspects regarding the practice of submitting to the materials of the files examined by the courts, the documents with personal data of natural persons, which are not covered in the examined case”. These recommendations aim to ensure that lawyers apply the adequacy principle, which consists in limiting the volume of personal data to what is relevant to the cases examined and depersonalizing data that are excessive or irrelevant to the case, according to art. 31 of Law no. 133/2011 on personal data protection.
– On March 16, NCPDP performed a training course in the field of personal data protection for the employees of the National Insurance Company in Medicine (CNAM), at the request of the institution. The event was attended by about 100 persons. The topics addressed in the training were: the principles of personal data protection, the rights of the data subjects, the recommendations on identifying the filing systems in which the processing of personal data takes place, the regulatory framework for data protection and the implementation of legal requirements in that area. Any personal data subject has the right to obtain from the controller or processor, upon request and free of charge: the rectification, update, blocking or erasure of personal data whose processing does not comply with the law, in particular because of their incomplete or inaccurate nature, and the notification of the third parties to whom the personal data have been disclosed about any operations performed, except where such notification proves to be impossible or involves disproportionate effort in relation to the legitimate interest that might be violated. The participants in the training obtained information regarding the practical application of the legislation in the field of personal data protection, including ensuring the legality of personal data processing in the information systems managed by CNAM.
– On March 30, the NCPDP performed a training course for the employees of the Parliament’s Secretariat of the Republic of Moldova, to ensure the compliant implementation of the provisions of the legislation on personal data protection within personal data filing systems. The topics addressed in the training were: general notions on personal data protection, the principles of personal data protection, ensuring the security and confidentiality of personal data within personal data filing systems, general aspects of personal data security, simple and essential security measures, and data subjects’ rights. The training course was held online at the request of the Parliament’s Secretariat and was attended by 51 employees.
2. Control activity
During the reference period, the NCPDP initiated the verification of the conformity of personal data processing operations, thus initiating 95 investigations. Of the 95 investigations, 16 investigation procedures were initiated following the self-notification of the NCPDP in connection with an alleged non-compliant processing of personal data; in 45 finalized cases, a violation of the legal provisions was found, and 68 contravention minutes were drawn up and subsequently submitted to the court for settlement.
3. Findings of the National Center for Personal Data Protection
3.1. The NCPDP was notified by a data subject regarding the violation of the petitioner’s personal data protection principles by an insurance company from the Republic of Moldova, through the window envelope (transparent border) used in correspondence.
Following the examination of the case, it was determined that the non-compliant practice of entering in the header of complaints / letters an excessive volume of personal data in relation to the stated purpose, which is subsequently disclosed through the transparent envelope window used by the controller, favors access by an indeterminate number of outsiders to personal data. This cannot be considered “compliant” processing within the meaning of Law no. 133/2011 on personal data protection, since the legislation on personal data protection establishes clear requirements regarding the implementation of appropriate and effective technical and organizational measures for the protection of personal data, in order to ensure the confidentiality and security of personal data.
In this case, NCPDP found a violation of the provisions of personal data protection legislation and ordered the review / adjustment of the information included in the header of complaints to the requirements of Law no. 133/2011 on personal data protection, namely the exclusion of the excessive volume of personal data, as well as the elaboration / approval / updating of the internal instrument (regulation / instruction) regulating a clear procedure for the keeping of secretarial records, with a description of the technical and organizational measures necessary for the protection of personal data.
3.2. Taking into account the repeated / continuous nature of the complaints / notifications addressed to NCPDP during the last period regarding the non-compliant publication of individual administrative acts in the State Register of Local Acts, in particular their publication without depersonalization or with incorrect depersonalization, the NCPDP adopted a decision finding a violation of the legal provisions in the field of personal data protection. At the same time, the NCPDP ordered the State Chancellery, jointly with the local public authorities, to take the necessary measures in order to establish a mechanism for the depersonalization of local documents to be placed in the Register.
3.3. NCPDP received a complaint from a data subject regarding the verification of the lawfulness of the processing of his personal data, consisting in sending the criminal record certificate to a third party without the consent of the data subject.
Following the examination of the case, it was determined that the personal data processing operation, consisting in the issuance of a criminal record certificate containing personal data to an unauthorized person, was not legally justified, being performed incorrectly and contrary to the provisions of Law no. 133/2011 on personal data protection.
In this case, NCPDP found a violation of the provisions of art. 4 para. (1) let. a), art. 5 para. (1), art. 6 para. (1), art. 8 para. (1) and art. 29 of Law no. 133/2011 on personal data protection.
3.4. NCPDP, in the context of examining the approach of a subdivision of the Ministry of Internal Affairs (MIA) of the Republic of Moldova, pursuant to art. 27 para. (4) of Law no. 133/2011 on personal data protection, notified itself regarding the non-conformities committed by an MIA collaborator when processing / accessing, through the “EDATA MAI” Information System, the personal data of a data subject without a purpose and legal basis.
As a result of the examination of the control materials, NCPDP found a violation of the provisions of art. 4 para. (1) let. a) of Law no. 133/2011 on personal data protection by the MIA collaborator, consisting in accessing / consulting personal data concerning the data subject.
4. Surveillance activity
During the reference period, 717 notifications were submitted for examination at the NCPDP “One-Stop Shop” for the registration of personal data controllers and / or the filing systems they manage. Following the analysis of those notification forms, 262 authorization decisions and 271 refusal decisions were issued. Thus, about 184 data controllers and 262 personal data filing systems were registered in the Register of evidence of personal data controllers.
5. International and European news
The 45th Plenary Session of the European Data Protection Board, held online, took place on 2 February. A wide range of documents were adopted at the meeting:
– Recommendations on the adequacy referential under the Law Enforcement Directive
– Opinion on the draft Administrative Arrangement for transfers of personal data between the Haut Conseil du Commissariat aux Comptes (H3C) and the Public Company Accounting Oversight Board (PCAOB)
– Statement on new draft provisions of the second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention)
– EDPB response to the European Commission questionnaire on processing personal data for scientific research, focusing on health related research
– Recommendations on Art. 36 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
On 10 March, a series of documents were adopted during the 46th Plenary Session of the European Data Protection Board, held online:
– EDPB adopted its Work Programme for 2021-2022, according to Article 29 of the EDPB Rules of Procedure.
– EDPB adopted a Statement on the draft ePrivacy Regulation.
– EDPB adopted Guidelines 02/2021 on Virtual Voice Assistants (VVAs). These Guidelines aim to identify some of the most relevant compliance challenges for VVAs and to provide recommendations to relevant stakeholders on how to address them. The Guidelines were submitted for public consultation for a period of six weeks.
– EDPB adopted a final version of the Guidelines 01/2021 on Connected Vehicles following public consultation. The Guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles by data subjects.
– EDPB adopted EDPB-EDPS Joint Opinion 03/2021 on the Proposal for a regulation of the European Parliament and of the Council on European data governance.
– EDPB adopted, following public consultation, the Guidelines 09/2020 on relevant and reasoned objection.
– Furthermore, the EDPB discussed the draft UK adequacy decisions, which were received from the European Commission.
On 30 March, the 47th Plenary Session of the European Data Protection Board took place, held online.
During the Session, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion on the Proposals for a Digital Green Certificate. The Digital Green Certificate aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates. With this Joint Opinion, the EDPB and the EDPS invite the co-legislators to ensure that the Digital Green Certificate is in line with EU personal data protection legislation and underline that its use may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness.
On 13 March, during the 48th Plenary Session of the European Data Protection Board (EDPB), held online, several documents were adopted, among which:
– two Opinions on the draft UK adequacy decisions (Opinion 14/2021 based on the GDPR and Opinion 15/2021 based on the Law Enforcement Directive). The EDPB notes that there are key areas of strong alignment between the EU and the UK data protection frameworks on certain core provisions such as: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.
– Guidelines on the application of Article 65(1)(a) GDPR, which delineate the main stages of the procedure and clarify the competence of the EDPB when adopting a legally binding decision on the basis of this Article. The Guidelines were submitted to public consultation for a period of six weeks.
– Final version of the Guidelines on the targeting of social media users following public consultation. The aim of the Guidelines is to clarify the roles and responsibilities of social media providers and targeted individuals.
– Statement on international agreements including transfers. The EDPB invites EU Member States to assess and, where necessary, review their international agreements that involve international transfers of personal data to align them with EU data protection law.
On 19 May, the 49th Plenary Session of the European Data Protection Board took place, held online. During the Plenary, the EDPB adopted several documents, among which:
– Two Opinions on the first draft decisions on transnational Codes of Conduct presented by the Belgian Supervisory Authority (draft decision concerning the EU CLOUD Code of Conduct, addressed to cloud service providers) and the French Supervisory Authority (draft decision concerning the CISPE Code of Conduct, addressed to cloud infrastructure service providers). These Codes aim to provide practical guidance and define specific requirements (Art. 28 GDPR) for processors in the EU subject to these Codes. They are not to be used in the context of international transfers of personal data. The EDPB is of the opinion that both draft codes comply with the GDPR and fulfil the requirements set forth in Art. 40 and 41 GDPR.
– Statement on the Data Governance Act (DGA) in light of developments in the legislative process. The EDPB reiterates that, without robust data protection safeguards, there is a risk that the trust in the digital economy would not be sustainable. The statement further highlights the need to ensure consistency of the DGA with the EU data protection acquis and urges the co-legislators to carefully consider certain aspects, such as the interplay between the DGA and the GDPR, and the importance of ensuring that the new definitions and concepts are not incompatible with the GDPR.
– Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. The recommendations cover situations in which data subjects buy a product or pay for a service via a website or an application and provide their credit card data in order to conclude a single transaction. In such cases, consent in accordance with Art. 6 (1) (a) GDPR should be considered the sole appropriate legal basis for storing credit card data after the purchase.
On 18 June, the 50th Plenary Session of the European Data Protection Board took place, held online. During the Plenary, the EDPB adopted several documents, among which:
– A final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in November 2020 following the CJEU Schrems II ruling. They aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.
– A letter addressed to EU Institutions on the privacy and data protection aspects of a possible digital euro. In the letter, the EDPB stresses that a very high standard of privacy and data protection is crucial to reinforce the trust of end users and should be considered a distinctive element in the offering of a digital euro, representing a key factor of success. The EDPB further indicates that it stands ready to provide advice to the ECB or other EU institutions.
– The designation of three representatives to the European Travel Information and Authorisation System’s (ETIAS) Fundamental Rights Guidance Board, which is tasked with evaluating the impact of the processing of applications and will play an important role in ensuring the system’s compliance with fundamental rights, in particular with regard to privacy and personal data protection.
– A joint opinion on the European Commission’s Proposal for a Regulation laying down harmonised rules on artificial intelligence (AI).
On 24-26 March, the 52nd meeting of the Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data took place, held online.
During the Meeting, several topics were discussed, among which:
– Convention 108+ State of play, ratifications and accessions;
– Evaluation and follow up mechanism under Convention 108+;
– Law enforcement transborder access to data;
– Digital identity;
– Personal data processing by and for political campaigns;
– Automatic Exchange of data;
– Cooperation with other Council of Europe bodies and entities;
– Major developments and activities in the field of data protection.
At the same time, during the Meeting, a topic of major importance related to COVID-19 vaccination certificates was addressed. The representatives of the Committee on Bioethics (DH-BIO), as well as the representatives of the Secretariat, made a considerable contribution in this regard. In this context, the draft Statement on “Covid-19 Vaccination, digital attestations and data protection” will be submitted to the delegations.
6. Other data protection authorities
– Fine in the amount of 10.4 million euros applied by the State Commissioner for Data Protection in Lower Saxony, Barbara Thiel, to Notebooksbilliger.de AG for monitoring its employees for at least two years with no legal justification. The video cameras were installed in the workspaces, sales floors, warehouses and staff rooms. According to the company, the video cameras had been installed to prevent and investigate criminal offences and to track the flow of goods in warehouses. At the same time, many of the recordings were stored for more than 60 days, contrary to the law. The fine of 10.4 million euros is the highest penalty that has ever been imposed by the State Commissioner for Data Protection in Lower Saxony under the General Data Protection Regulation (GDPR). The GDPR enables supervisory authorities to impose fines of up to 20 million euros, or up to 4% of a company’s total annual turnover worldwide.
– Administrative fine in the amount of 250 000 euro applied by the Swedish Authority for Privacy Protection to the Police Authority for the unlawful use of the Clearview AI facial recognition application in order to identify people. The investigation carried out by the Swedish Authority for Privacy Protection concluded that Clearview AI had been used by a few employees without any prior authorisation. The Police Authority failed to implement sufficient organisational measures to ensure, and be able to demonstrate, that the processing of personal data in this case was carried out in compliance with the Criminal Data Act; it unlawfully processed biometric data for facial recognition and failed to conduct a data protection impact assessment, which this type of processing requires. In addition to the fine mentioned above, the Police Authority will conduct further training and education of its employees in order to avoid any future unlawful processing of personal data.
– Administrative fine in the amount of EUR 6.000.000 applied by the Spanish Data Protection Authority (AEPD) to CAIXABANK, S.A., for the unlawful processing of clients’ personal data (EUR 4.000.000) and for not providing sufficient information regarding the processing of personal data (EUR 2.000.000). The Spanish Data Protection Authority considered that CAIXABANK did not provide sufficient information regarding the categories of personal data concerned, the purposes of the processing of personal data and the lawfulness of their processing, especially regarding those processing activities based on the company’s legitimate interest. Consequently, the AEPD found a breach of the provisions of Articles 13 and 14 of the GDPR, imposing a fine of EUR 2.000.000. The Spanish Data Protection Authority also found that CAIXABANK did not provide any mechanism to collect the data subject’s consent and that the processing activities based on the company’s legitimate interest were not sufficiently justified. The AEPD concluded that this constituted an infringement of Article 6 of the GDPR and, in accordance with Article 83 (5) a of the GDPR, an administrative fine of EUR 4.000.000 was imposed. When deciding on the amount of the administrative fine, the AEPD took into account the nature, gravity and duration of the infringement, the relationship between the company’s activity and the processing of personal data, and its turnover. In addition to the administrative fine, the highest ever imposed by the Spanish DPA, the AEPD ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next six months.
– Fine in the amount of EUR 475 000 applied by the Dutch Data Protection Authority (DPA) to Booking.com for the delayed reporting of a data breach. In a telephone scam targeting 40 hotels in the United Arab Emirates (UAE) in December 2018, the criminals persuaded hotel staff to reveal the log-in details for their accounts in a Booking.com system. In this way, the criminals gained access to the data of 4 109 people who had booked a hotel room in the UAE. The data included their names, addresses and telephone numbers, as well as details of their booking. Furthermore, the criminals were able to access the credit card information of 283 people. In 97 cases, the credit card security code was obtained as well. The criminals also tried to get hold of the credit card information of other victims by posing as Booking.com staff in emails or on the telephone. The Dutch Data Protection Authority warned that it was seeing an explosive increase in the number of hacks aimed at stealing personal data, which in 2020 was 30% higher than in the previous year.
– Total fine in the amount of EUR 1 258 478 applied by the Swedish Authority for Privacy Protection (IMY) to Medhelp and Voice Integrate for recorded phone calls to the medical consultation service 1177 that were available and unprotected on the Internet. The cause of the incident was that a network attached storage unit had been incorrectly configured and was thereby accessible on the public internet. In addition, the unit did not use encrypted communication. Consequently, a vast number of calls became available without password protection or other security protection. The only thing necessary in order to access the files with the phone calls was to know the IP address of the storage unit. Further to the contraventions established, the IMY issued an administrative sanction of 12 million SEK (1 193 813 €) towards Medhelp and an administrative sanction of 650 000 SEK (64 665 €) towards Voice Integrate.