NEWSLETTER No. 9
1. Information activities performed by NCPDP
In the reference period, NCPDP registered a remarkable evolution in terms of training and awareness activities. The series of trainings organized for the representatives of the local public authorities (LPA) from the districts of the Republic of Moldova was continued, with the aim of strengthening the capacities of LPA representatives through familiarizing them with, raising their awareness of and informing them about the field of personal data protection. The topics addressed in the training were: general notions on personal data protection; legal grounds for personal data processing; recording and live streaming of local councils’ meetings; approval of the security policy and of the instructions for personal data filing systems, etc. Separately, the issues related to the correct depersonalization of personal data contained in the administrative acts of local public authorities published in the State Local Documents Registry were addressed. The events, moderated by national experts in the field of personal data protection within NCPDP, were organized for about 50 mayors, district councilors and secretaries of local councils from each district center, in line with the protection measures imposed in the context of the COVID-19 pandemic. The training courses were conducted:
· On October 7 – within Căușeni District Council;
· On November 5 – within Râșcani District Council;
· On November 11 – within Fălești District Council;
· On November 19 – within Briceni District Council;
· On November 26 – within Glodeni District Council;
· On December 3 – within Cahul District Council.
Furthermore, on November 19, the Public Action “Protect personal data”, organized by NCPDP representatives, was held. The target audience, the inhabitants of Ialoveni district, was informed about the importance of personal data protection. The action took place near Ialoveni District Council and the citizens were informed about the notion of personal data, the rights of data subjects, data security and confidentiality measures, as well as the principles of personal data protection. The purpose of this action was to educate, motivate and encourage the citizens of the Republic of Moldova to pay more attention to the protection of their personal data.
2. Control activity
During the reference period, the NCPDP initiated the verification of the conformity of personal data processing operations, thus initiating 55 investigations. Of the 55 investigations, 5 investigation procedures were initiated following the self-notification of the NCPDP in connection with an alleged non-compliant processing of personal data. Of the 41 finalized cases, a violation of the legal provisions was found in 19. Furthermore, 22 minutes regarding contraventions were drawn up and subsequently submitted to the court for settlement.
3. Findings of the NCPDP
3.1 The NCPDP received the complaint of a personal data subject regarding the alleged violation of his right of opposition by an economic agent. The violation consisted of ignoring the request of the data subject, submitted on the basis of art. 16 paragraph (1) of the Law on personal data protection, by which he requested the deletion of the personal data concerning him stored in the company’s database and the cessation of commercial messages sent to his telephone number. Following the examination of the case, it was determined that the economic agent, by ignoring the request of the data subject, did not give effect to his right of opposition, a fact recognized by the personal data controller as an omission.
In this case, the NCPDP found a violation of the provisions of art. 16 para. (1) of the Law on personal data protection no. 133/2011, and a contravention process was started against the economic agent under art. 74¹ para. (3) of the Contravention Code.
3.2 Furthermore, NCPDP issued a decision establishing the non-compliant processing of personal data by the mayor of a locality. The non-compliant processing of the personal data of the data subject who notified the National Authority for personal data protection consisted of multiple accesses by the mayor of the locality to the data contained in the Real Estate Register, without a purpose or legal basis and in the absence of the data subject’s consent.
At the same time, during the examination of the audit of personal data accesses by the mayor, NCPDP found that the mayor made 134 personal data accesses, from 10 different IP addresses, of which multiple accesses were made outside the work schedule and on weekends.
Thus, following the examination of the matters notified, a violation of art. 4, art. 5 and art. 29 of the Law 133/2011 on personal data protection was found.
Therefore, the circumstances indicate that the mayor’s actions / inactions constitute the contravention provided by art. 74¹ para. (4) of the Contravention Code.
3.3 On December 22, the Supreme Court of Justice rejected the appeal of the Ministry of Internal Affairs and upheld the decision of the NCPDP of November 16, 2018, which found the processing of personal data through the Automated Information System “Register of forensic and criminological information” inconsistent with the requirements of legislation in the field of personal data protection.
The NCPDP decision addresses the need to delete information that was collected / obtained from unrecognized authorities / institutions in the Transnistrian region during the years 1991-2005. It should be emphasized that the automatic processing of personal data of the Republic of Moldova’s citizens based on information received from unconstitutional structures, which in fact cannot be considered authentic / truthful, as well as its use to the detriment of the data subject concerned, is a serious violation of human rights and freedoms. In this sense, by Decision no. 209/14 of April 10, 2012 “on the approach of Mr. Oleg Efrim, Minister of Justice, regarding the opinion on the address of Mr. Eugen Carpov, Deputy Prime Minister, on approaching some legal issues”, the Superior Council of Magistracy (SCM) found: “that any act issued by the self-proclaimed authorities of the Republic of Moldova contravenes the Constitution and is considered illegal. This fact refers equally to any decisions, sentences handed down by the courts established in the region. Thus, the Council considers as unacceptable any collaborations, legal cooperation and proposals for legal solutions with the structures from the Transnistrian region”.
Consequently, in the jurisprudence concerning the Republic of Moldova, the European Court of Human Rights in numerous cases (Ilascu and others vs. Moldova and Russia; Eriomenco against Republic of Moldova and the Russian Federation; Mozer against Republic of Moldova and Russian Federation; Catan and others against Republic of Moldova and Russia) found acts adopted by unrecognized and unconstitutional entities on the left bank of the Dniester to be illegal. It should be specified that, according to the Declarations submitted together with the instrument of ratification of Convention no. 108 for the protection of individuals with regard to the automated processing of personal data, the Republic of Moldova has not declared reservations on the provisions of the Convention regarding its application on the territory of the Transnistrian region. Thus, the Republic of Moldova has the obligation to ensure the protection of the fundamental rights and freedoms of its citizens with regard to the processing of personal data, especially the right to inviolability of privacy, family and private life, throughout its territory.
4. Surveillance activity
During the reference period, owing to the impossibility, for technical reasons, of issuing and signing automated decisions through the Register of evidence of personal data controllers, NCPDP sent 204 information letters in order to comply with the provisions of Art. 23-25 of Law no. 133 on personal data protection.
At the same time, in accordance with the provisions of Law no. 175 of November 11, 2021 for the amendment of some normative acts, which will enter into force on January 10, 2022, the obligation of personal data controllers to notify the National Center for Personal Data Protection is excluded and art. 28 of Law no. 133 of 08.07.2011 on personal data protection is repealed. This entails the liquidation of the Register of evidence of personal data controllers, by the irreversible destruction of documents and information stored on paper records and those stored in electronic form, under the conditions provided by law.
Furthermore, in order to provide methodological and advisory support to personal data controllers and / or processors, over 405 telephone consultations and 178 responses via e-mail were provided.
5. International and European news
– On October 13, the 56th Plenary Session of the European Data Protection Board (EDPB) took place online. During the Plenary, the EDPB adopted several documents, among which:
· Consistency mechanism and Guidelines;
· Guidelines on Restrictions under Art. 23 GDPR (following public consultation);
· Guidelines on children’s data – request for mandate.
– On November 18, the 57th Plenary Session of the European Data Protection Board took place in Brussels, Belgium.
During the Plenary, the EDPB adopted several documents, among which:
· Guidelines on the interplay between Art. 3 and Chapter V GDPR. The Guidelines will be subject to public consultation until the end of January.
· Statement on the European Commission’s Digital Services Package and Data Strategy.
· Finally, the EDPB nominated two representatives from the Belgian and Hessen (DE) SAs to take part in the 6th Joint Review of the EU-US Terrorist Finance Tracking Program (TFTP) Agreement.
– On December 14, the 58th Plenary Session of the European Data Protection Board (EDPB) took place online. During the Plenary, the EDPB adopted several documents, among which:
· The EDPB and the individual Supervisory Authorities (SAs) contributed to the evaluation and review of the Data Protection Law Enforcement Directive (LED), carried out by the European Commission in accordance with Art. 62 LED. The LED aims to provide a harmonised level of data protection for individuals in the area of law enforcement across the EU;
· As part of the implementation of the EDPB 2021-2023 strategy and following the establishment of a Support Pool of Experts (SPE), the EDPB has now agreed on the SPE’s project plan;
· The EDPB adopted a reply to MEP Ujhelyi on hacking spyware Pegasus;
· The EDPB adopted a final version of the Guidelines on examples regarding data breach notifications. They aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.
– On December 20-21, the 54th meeting of the Bureau of the Committee of the Convention for the protection of individuals with regard to automatic processing of personal data took place online. During the Meeting, several topics were discussed, among which:
· Convention 108+ State of play, ratifications and accessions;
· Evaluation and follow up mechanism under Convention 108+;
· Digital identity;
· Inter-state exchanges of data for Anti-Money Laundering/Countering Financing of Terrorism, and tax purposes;
· Interpretation of Article 11 of the modernised Convention 108;
· Contractual clauses in the context of transborder data flows.
In the context of NCPDP collaboration with the European Data Protection Authorities, on November 18, the National Center for Personal Data Protection and the Office of the Information and Data Protection Commissioner of Malta signed a Collaboration Agreement in the field of personal data protection. The Agreement provides for the development of cooperation relations between the two institutions in terms of achieving constant progress in the field of personal data protection and the promotion of good practices that will create favorable conditions for ensuring effective protection of personal data of Malta’s and Moldova’s citizens.
6. Other data protection authorities
– On October 14, the Polish Data Protection Authority (UODO) imposed a fine of 80,000 EUR on Bank Millennium S.A. for the infringement of Article 33(1) and Article 34(1) of GDPR. UODO learnt about the personal data breach from a complaint lodged against the bank. The complaint concerned the loss by a courier company of correspondence containing personal data, such as: name, surname, personal identification number (PESEL number), registered address, bank account numbers, identification number assigned to the bank’s customers. In the course of the case, it turned out that the controller did not notify this breach to the Supervisory Authority, and did not fully comply with the obligation to communicate it to the data subjects.
– On November 26, the Icelandic Data Protection Authority fined the Ministry of Industries and Innovation 7,5 million ISK (approx. 50.800 Euros) and the company YAY ehf. 4 million ISK (approx. 27.100 Euros) for the infringement of Articles 7, 9, 12, 13, 24, 25, 28 (3) and 32 of GDPR. Due to economic difficulties in Iceland caused by COVID-19, the Icelandic government decided to boost the tourism sector and small businesses by issuing a digital gift certificate of 5000 ISK (approx. 34 euros) to all Icelanders over 18 years old. In the course of the case, the Icelandic DPA found that considerable amounts of personal data had been collected unlawfully and unnecessarily, that the requirements for consent for processing were not met and that the information the data subjects received when signing into the app was inadequate. Additionally, the controller and the processor had not ensured the appropriate security of the personal data.
– On December 13, the Norwegian Data Protection Authority imposed an administrative fine of 6.5 million EUR on Grindr LLC for the infringement of Articles 6 and 9 of GDPR. In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared was GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on Grindr. The Norwegian Data Protection Authority concluded that Grindr had disclosed user data to third parties without a legal basis. Furthermore, the information about the sharing of personal data was not properly communicated to users and this was contrary to the GDPR requirements for valid consent.