Moldova - Data Protection Overview

January 2024

1. Governing Texts

Given the internationally recognized importance of the right to personal data protection, as well as the consecration of this right in the Constitution of the Republic of Moldova ('the Constitution') (in particular Article 28 of the Constitution, which provides the right to intimate, family, and private life), starting from mid-2000 Moldovan lawmakers paid special attention to the protection of this right. The first dedicated law, enacted in 2007, was replaced shortly afterwards, in April 2012, by the more modern Law No. 133 on Personal Data Protection ('the Law'). The Law transposed the European Union's Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data ('Data Protection Directive').

In a new legislative reform spur, on January 10, 2022, important amendments to the Law were enacted, passed by Law No. 175 of 11 November 2021 (only available to download in Romanian here) ('the Amendments'), which aim to partially transpose the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'),

1.1. Key acts, regulations, directives, bills

National instruments

International instruments

1.2. Guidelines

The role of the National Center for Personal Data Protection ('NCPDP'), i.e. the national data protection authority, consists of issuing various subject-limited decisions and instructions (only available in Romanian here), whereby it provides the public with official opinions on particular personal data protection issues. From a more general and comprehensive standpoint, the NCPDP has also issued the following:

  • Instructions on the Processing of Personal Data in the Election Process (Order No. 03/1 of 28 February 2013) (only available in Romanian here);

  • Instructions on the Processing of Personal Data in the Police Sector (Order of May 2013) (only available in Romanian here);

  • Instructions on the Processing of Personal Data in the Education Sector (Order No. 03 of 21 January 2015) (only available in Romanian here); and

  • Instructions on the Processing of Personal Data on Health Status (only available in Romanian here).

1.3. Case law

Under Moldovan law, except in relation to the parties to the dispute, court judgments have no binding character. As of April 2023, the Supreme Court of Justice ('the Supreme Court') has undergone a review of its status. The Supreme Court now has the authority to ensure consistent interpretation and application of the Moldovan legislation. This includes creating guidelines, issuing advisory opinions, or deciding on appeals on points of law. These changes aim to enhance the Supreme Court's role in upholding the rule of law and standardizing judicial practices. So far, the Supreme Court hasn't taken any of these actions regarding personal data protection issues.

2. Scope of Application

2.1. Personal scope

Article 1 of the Law states that its purpose is to ensure the protection of the rights and fundamental freedoms of natural persons with respect to the processing of personal data. Furthermore, Article 2 of the Law provides that it applies to activities performed by both data controllers and data processors, without prejudice to legal actions that could be initiated against the data controllers themselves.

2.2. Territorial scope

The Law will apply if (Article 2(2) of the Law):

  • the controller is established in the territory of the Republic of Moldova;

  • in the case of processing of personal data that is carried out within the diplomatic missions and consular offices of the Republic of Moldova, or where the controller is not established on national territory, such processing is situated in a place where national law applies by virtue of public international law; and

  • the controller is not established on national territory but, for purposes of processing personal data, makes use of equipment, automated or otherwise, situated on national territory, unless such equipment is used only for purposes of transit through national territory.

2.3. Material scope

The Law regulates legal relations arising during the processing operations of personal data, which form part of an evidence system or are intended to be included in such an evidence system (Article 2(1) of the Law). In addition, the Law will apply where the processing of personal data is related to the prevention and investigation of criminal offenses, enforcement of convictions, and other activities within criminal or administrative procedures according to law (Article 2(2) of the Law).

However, the Law does not apply where (Article 2(4) of the Law):

  • the processing of the personal data is carried out exclusively for personal and family purposes, and no violations of the rights of data subjects arise;

  • the processing of personal data is related to state secrets; and

  • where the processing operations and cross-border transfer of personal data are related to perpetrators or victims of genocide, war crimes, and other crimes against humanity.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The NCPDP supervises compliance with legal requirements and discharges its functions with impartiality and independence (Article 19 of the Law).

3.2. Main powers, duties and responsibilities

The NCPDP's main duties include (Article 20(1) of the Law):

  • to supervise and monitor compliance with the legislation on personal data protection;

  • to issue the necessary instructions to bring the processing of personal data in accordance with the provisions of the Law;

  • to order the suspension or cessation of personal data processing;

  • to make draft law proposals and cooperate with public authorities, the mass media, and non-governmental organizations, as well as with similar foreign institutions;

  • to collect and analyze annual activity reports of public authorities regarding the protection of individuals in respect of personal data processing; and

  • to establish and conclude minutes on contraventions (with subsequent submission for approval to the Moldovan Courts) according to the Contravention Code of the Republic of Moldova No. 218-XVI of 24 October 2008 ('the Contravention Code').

The NCPDP's main competencies include (Article 20(2) of the Law):

  • to request and receive from natural or legal persons governed by public or private law, information necessary for the exercise of its duties;

  • to obtain from controllers the support and information necessary for the exercise of its duties;

  • to recruit specialists and experts in the activity of prior checking and control of the lawfulness of personal data processing in areas that require special expertise; and

  • to request from controllers the rectification, blocking, or destruction of personal data that are inaccurate or obtained unlawfully.

4. Key Definitions

Data controller: A natural or legal person governed by public or private law, including a public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (Article 3 of the Law).

Data processor: A natural or legal person governed by public or private law, including a public authority and its territorial subdivisions, which processes personal data on behalf and upon the instruction of the controller (Article 3 of the Law).

Personal data: Any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (Article 3 of the Law).

Sensitive data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, social affiliation, data concerning health or sex life, as well as data relating to criminal convictions, coercive measures, or administrative sanctions (Article 3 of the Law).

Health data: Not defined.

Biometric data: Not defined.

Pseudonymization: The Law does not define 'pseudonymization.' However, the Law defines 'depersonalization of data' as the alteration of personal data so that details of personal or material circumstances can no longer be linked to an identified or identifiable natural person, or so that a link can only be made within an investigation with disproportionate efforts, expense, and use of time (Article 3 of the Law).

Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of personal data relating to them (Article 3 of the Law, as per the Amendments).

Data subject: An identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (Article 3 of the Law).

Profiling: A form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements (Article 3 of the Law, as per the Amendments).

5. Legal Bases

5.1. Consent

Article 5(1) of the Law establishes that personal data may be processed with the consent of the data subject. However, the consent given for personal data processing may be withdrawn at any time by the data subject, although such withdrawal is not retroactive (Article 5(2) of the Law).

Further to this, where the data subject is physically or legally incapable of giving their consent, the consent for the processing of personal data may be given in writing by their legal representative (Article 5(3) of the Law). In case of the death of the data subject, the consent for the processing of their personal data must be given in writing by the successors of the same, where such consent has not been given by the data subject during life (Article 5(4) of the Law).

5.2. Contract with the data subject

The data subject's consent is not required where the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract (Article 5(5)(a) of the Law).

5.3. Legal obligations

The data subject's consent is not required where the processing is necessary to carry out an obligation of the controller under Moldovan law (Article 5(5)(b) of the Law).

5.4. Interests of the data subject

The data subject's consent is not required where the processing is necessary in order to protect the life, physical integrity, or health of the data subject (Article 5(5)(c) of the Law).

5.5. Public interest

The personal data subject's consent is not required where the processing is necessary for the performance of tasks carried out in the public interest or in the exercise of public authority prerogatives vested in the controller or in a third party to whom the personal data are disclosed (Article 5(5)(d) of the Law).

5.6. Legitimate interests of the data controller

The data subject's consent is not required where the processing is necessary for the purposes of the legitimate interest pursued by the controller or by the third party to whom personal data is disclosed, except where such interest is overridden by the interests for fundamental rights and freedoms of the data subject (Article 5(5)(e) of the Law).

5.7. Legal bases in other instances

The data subject's consent is not required where the processing is necessary for (Article 5(5) (e1), (f), and (g) of the Law):

  • performing the external public audit;
  • statistical, historical, or scientific/research purposes, except where the personal data remains anonymous for a longer period of processing; and
  • data exchange in accordance with the legislation in force regarding data exchange and interoperability.

6. Principles

The controller is under the obligation to ensure that personal data is (Article 4(1) of the Law):

  • processed fairly and lawfully;
  • collected for specified, explicit, and legitimate purposes, and not further processed in a way that is incompatible with such purposes;
  • adequate, relevant, and not excessive in relation to the purposes for which it is collected and/or further processed;
  • accurate and, where necessary, kept up to date; and
  • kept in a form that allows identification of the data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

7. Controller and Processor Obligations

7.1. Data processing notification

Before the Amendments, the controller had the obligation, before carrying out the processing of personal data, to notify the NCPDP and specify the scope and categories of data processing, either personally or through the representatives authorized by them (i.e. processors) (Article 23(1) of the Law).

Pursuant to the Amendments, and from the day they took effect, the controller was relieved from this obligation. The controller was also relieved from the NCPDP notification obligation (similar to EU countries) and from the obligation to specify the personal data filing systems related to processing, as well as possible relations with other data processing operations or with other personal data filing systems, whether performed or not and if they are established on the territory of the Republic of Moldova.

7.2. Data transfers

On April 1, 2022, the NCPDP announced that it had adopted the Decision of the NCPDP No. 23 of 17 March 2022 on the approved list of states that ensure an adequate level of personal data protection (only available in Romanian here) ('the Decision'). The Decision entered into effect on the date of publication. The decision outlines the following jurisdictions as providing an adequate level of protection:

  • Andorra;

  • Argentina;

  • Canada;

  • the Faroe Islands;

  • Guernsey;

  • the State of Israel;

  • the Isle of Man;

  • Japan;

  • Jersey;

  • New Zealand;

  • the Republic of Korea;

  • Switzerland;

  • Uruguay; and

  • the United Kingdom of Great Britain and Northern Ireland.

In addition, pursuant to Article 32(2) of the Law, transfer of personal data is allowed if the transfer is made to the member states of the European Economic Area ('EEA').

Where a country is not a member state of the EEA or is not recognized as providing an adequate level of protection, personal data may still be transferred but only if:

  • the processing takes place on the basis of an agreement or treaty signed between the Republic of Moldova and the country of destination;

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

  • the transfer is necessary for the performance of a contract between the data subject and the controller or between the controller and a third party in the interest of the data subject;

  • the transfer is necessary in order to protect physical integrity, life, and health of the data subject;

  • the transfer may be performed if journalistic, artistic, scientific, literary, or archival purposes are pursued in the public interest;

  • the transfer may be operated to other companies or organizations from the same group as the controller, provided that the corporate rules are observed, rules approved by the EEA countries, or those approved by the NCPDP;

  • the transfer is necessary for important reasons of public interest;

  • the transfer is necessary for the establishment, exercise, or defense of legal claims; and

  • if the transfer takes place under the standard agreement for the cross-border transfer of personal data, developed and approved by the NCPDP and concluded by the controller. To this end, on April 22, 2022 the NCPDP issued the Order of the NCPDP No.33, on the approval of the Standard Agreement for the cross-border transfer of personal data to countries that do not ensure an adequate level of personal data protection (only available in Romanian here).

7.3. Data processing records

The Law does not impose an obligation on controllers to observe a minimum period of maintaining data processing records. However, given the general limitation period, data controllers and processors are recommended to maintain their data processing records for at least three years. Certain employment documents, along with the associated personal data, shall be kept in compliance with the relevant minimum storage periods.

7.4. Data protection impact assessment

The Amendments have imposed an obligation on controllers to perform a data protection impact assessment ('DPIA') where, taking into account the nature, scope, context, and purposes of the processing, in particular using new technologies, the processing is likely to result in a high risk to the rights and freedoms of natural persons. Prior to the processing, the controller must carry out a DPIA of the envisaged processing operations on the protection of personal data. The data protection officer ('DPO') must issue an opinion on the performed DPIA. The Amendments require a DPIA in the case of:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which are based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

  • processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences referred to a natural person; and

  • a systematic monitoring of a publicly accessible area on a large scale.

The assessment shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

  • an assessment of the risks to the rights and freedoms of data subjects; and

  • the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Amendments, taking into account the rights and legitimate interests of data subjects and other persons concerned.

On April 22, 2022, the NCPDP issued the Order of the NCPDP No.27, on the approval of the List of types of processing operations that are subject to the requirement of performing DPIA (only available in Romanian here) ('the DPIA Order'). This list is based on the requirements laid down in the DPIA Order and contains the types of processing operations, as well as examples of personal data processing that require the performance of DPIA.

Pursuant to the DPIA Order, when estimating whether the planned processing operations require the performance of DPIA, the controller shall take into account the following criteria:

  • the processing requires a systematic and extensive evaluation of personal aspects or scoring, including the creation of profiles and forecasts (e.g. the monitoring by a financial institution of its customers in a credit history database);

  • the processing implies automatic decision-making with a legal or similar significant effect (e.g. automatic evaluation of staff, if as a result of such evaluation, the employees may receive 'unsatisfactory' ratings);

  • the processing implies systematic monitoring: processing used to observe, monitor, or control the data subject, including data collected through networks or large-scale systematic monitoring of a publicly accessible area;

  • the processing includes processing of special (sensitive) categories of personal data (e.g. data on political opinions, health, criminal convictions, or crimes);

  • the large-scale processing of personal data, i.e.:

    • sensitive personal data for at least 5,000 persons;

    • high-risk personal data for at least 10,000 persons (e.g. e-signatures, geolocation, credit card data); or

    • any other personal data of at least 50,000 persons;

  • the processing requires the correlation or combination of data sets (e.g. by combining two or more data processing operations carried out for different purposes and/or by different controllers, in a way that would exceed the reasonable expectations of the data subject);

  • the processing includes processing of personal data of vulnerable data subjects, including children, employees in relation to their employers, and vulnerable groups that require special protection (e.g. mentally ill persons, asylum seekers) when an imbalance can be identified between the position of the data subject and that of the controller;

  • the processing implies the innovative use or application of new technological or organizational solutions (e.g. combining the use of fingerprint with facial recognition, to improve the control of physical access); and

  • the processing prevents the data subject from exercising a certain right or using a service or contract (e.g. processing operations aimed at allowing, modifying, or denying natural persons' access to a service or conclusion of a contract).

If the intended processing of personal data may imply two or more of the above criteria (e.g. large-scale processing and processing of vulnerable data subjects), then the controller is required to perform DPIA. Otherwise, the controller shall justify and formalize (via an internal order) the reasons justifying the non-performance of DPIA.

The DPIA Order provides the following List of types of processing operations that are subject to the requirement of performing DPIA:

| Types of Processing Operations | Examples |
| --- | --- |
| Processing of personal data in order to carry out a systematic and comprehensive evaluation of personal aspects | An organization performs the automated assessment of personnel, including through the creation of profiles |
| Processing, on a large scale, some categories of data | An entity uses biometric fingerprint identification to control access to the security perimeter |
| The processing of personal data aimed at the systematic, large-scale monitoring of an area accessible to the public | A public or private entity processes personal data through intelligent video surveillance in spaces accessible to the public |
| Large-scale processing of personal data of vulnerable people | An operator processes personal data for the purpose of evaluating knowledge, management, and well-being in schools or kindergartens |
| Large-scale processing of personal data through the innovative use or implementation of new technologies | The use of facial recognition techniques to facilitate access to different spaces |
| Large-scale processing of data generated by sensor devices that transmit data via the internet or other means | An entity processes personal data through/with the help of intelligent applications |
| Large-scale and/or systematic processing of traffic and/or location data of natural persons | An entity processes the geographical location data of passengers traveling on public transport |

7.5. Data protection officer appointment

The Amendments have further imposed an obligation on the controller and the processor to designate a DPO where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant.

The DPO shall be selected and appointed based on professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO may be an employee of the controller, or the controller can outsource this activity through an agreement. The DPO shall not receive any instructions regarding the exercise of their tasks from the controller or the processor. The DPO may not be dismissed or sanctioned by the controller or the processor; they must report directly to the top management of the controller or the processor.

The main tasks of the DPO include:

  • to inform and advise the controller or the processor and the employees who carry out the processing of their obligations pursuant to the data protection legal framework;

  • to monitor compliance with the Law, other normative acts, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

  • to provide advice where requested as regards the DPIA and monitor its performance;

  • to cooperate with the NCPDP; and

  • to act as the contact point for the NCPDP on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

7.6. Data breach notification

There are currently no particular provisions in national law on data breach notification, as described in the GDPR. There is a general obligation for the controller to notify the NCPDP on an annual basis of all system security incidents. This is done by reporting every year no later than January 31 (Article 90 of the Resolution).

7.7. Data retention

The controller and processor must ensure that the data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. When the processing has finished, and there is no consent of the data subject for further data processing, the data must be (Article 11 of the Law):

  • destroyed;

  • transferred to another controller, only if the same purpose of processing applies; and/or

  • transformed into anonymized data for statistical purposes or for the purposes of historical or scientific research.

In addition, Moldovan entities shall observe a minimum period of maintaining certain documents (e.g. employment orders) in accordance with the provisions of the Indicator of Standard Documents and Retention Period for Public Administration Bodies, Institutions and Organizations and Enterprises of the Republic of Moldova, as approved by the Order of State Archive Service No.57 as of July 27, 2016 (only available in Romanian here).

7.8. Children's data

Children's personal data may be processed without having to comply with certain special conditions (except that the controller may be required to perform DPIA, see the section on DPIAs above). However, when the consent of the data subject is required, the controller is required to obtain it from the legal representative (e.g. parents) of the child (Article 5(3) of the Law). According to the general rules, a person is considered to have full legal capacity (i.e. considered as an adult) at the age of 18, subject to certain exceptions.

7.9. Special categories of personal data

The processing of personal data relating to criminal convictions, coercive procedural measures, or administrative sanctions may be carried out only by or under the control of public authorities, within the limits of their competencies and on the conditions set by laws regulating these areas (Article 8(1) of the Law). In addition, before processing the data, the controller may be required to perform a DPIA (see the section on DPIAs above).

7.10. Controller and processor contracts

When data processing is carried out by a processor, the Law obliges the controller to choose a processor that provides sufficient guarantees with respect to the technical security and organizational measures governing the intended processing, and that can ensure compliance with such measures (Article 30(2) of the Law).

The carrying out of processing by way of a processor must be governed by a contract or a binding legal act on the processor, which stipulates in particular (Article 30(3) of the Law):

  • that the processor shall act only on instructions from the controller; and

  • that the controller's obligations to implement appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, blocking, disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, are incumbent on the processor.

8. Data Subject Rights

8.1. Right to be informed

Data directly collected from the data subject

The controller is obliged to provide the data subject with the following information (Article 12(1) of the Law):

  • the controller or processor's identity;

  • the purposes of the processing for which the data are intended;

  • the existence of the right of access to, and the right to rectify, the data concerning them; and

  • any further information, including the recipients or categories of recipients of data, whether replies to questions relating to the collection of personal data are obligatory or voluntary, as well as the possible consequences of failure to reply.

Data indirectly collected from the data subject

Where the personal data is not collected directly from the data subject, the controller or the processor must provide the data subject, at the time of data collection or, if a disclosure to third parties is envisaged, no later than the time when the data is first disclosed, with information on the categories of personal data which are intended to be collected or disclosed. The controller or the processor must also provide the following information (Article 12(2) of the Law):

  • the controller or processor's identity;

  • the purposes of the processing for which the data are intended;

  • the existence of the right of access to, and the right to rectify, the data concerning them; and

  • any further information, including the recipients or categories of recipients of data.

This is not applicable where (Article 12(3) of the Law):

  • the data subject already has the information;

  • processing of personal data is carried out for statistical, historical, or scientific/research purposes;

  • provision of such information proves to be impossible or involves disproportionate effort in relation to the legitimate interest that might be violated; and

  • recording or disclosure of personal data is expressly stipulated by law.

8.2. Right to access

Data subjects have the right to obtain from the controller, upon request, without delay and free of charge, the following (Article 13(1) of the Law):

  • confirmation as to whether or not data relating to them is being processed, and information as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;

  • communication to them, in an intelligible form and in a way that does not require additional equipment, of the data undergoing processing, and of any available information as to their source;

  • information on the logic involved in any automatic processing of data concerning the data subject;

  • information on legal consequences for the data subject generated by processing of these data; and

  • information on the exercise of the right of intervention upon personal data.

8.3. Right to rectification

Data subjects have the right to obtain from the controller or their representative, on request and free of charge, the rectification of personal data, the processing of which does not comply with the Law, particularly where such data is incomplete or inaccurate in nature (Article 14(a) of the Law).

Further, the data subject may also request such rectification to be notified to any third parties to whom their personal data has been disclosed, except where such notification seems to be impossible or involves a disproportionate effort in relation to the legitimate interest that might be violated (Article 14(b) of the Law).

8.4. Right to erasure

Data subjects have the right to obtain from the controller or their representative, on request and free of charge, the erasure of personal data, the processing of which does not comply with the Law, particularly where such data is incomplete or inaccurate in nature (Article 14(a) of the Law).

Further, the data subject may also request such erasure to be notified to any third parties to whom their personal data has been disclosed, except where such notification seems to be impossible or involves a disproportionate effort in relation to the legitimate interest that might be violated (Article 14(b) of the Law).

8.5. Right to object/opt-out

Article 16(1) of the Law states that:

  • data subjects have the right to object, at any time and free of charge, on compelling legitimate grounds relating to the particular situation to the processing of personal data relating to them, save where otherwise provided by law; and

  • where there is a justified objection, the processing instigated by the controller may no longer involve such data.

Further, data subjects also have the right to object, at any time, free of charge, and without any justification, to the processing of personal data relating to them for the purpose of direct marketing. In this regard, the controller or processor is also obliged to inform the data subject about their right to object to such operation before their personal data is disclosed to third parties (Article 16(2) of the Law).

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Any person shall have the right to request the annulment, in whole or in part, of any individual decision which produces legal effects concerning their rights and freedoms, and which is based solely on the automated processing of data intended to evaluate certain personal aspects relating to them, such as their performance at work, creditworthiness, conduct, or other similar aspects (Article 17(1) of the Law). However, a person may nevertheless be subject to automated decision-making if such decision is:

  • authorized by a law that also lays down measures to safeguard the data subject's legitimate interests; and

  • taken in the course of the entering into or performance of a contract, provided that the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied.

8.8. Other rights

Not applicable.

9. Penalties

Failure to observe the legal or regulatory requirements concerning the processing of personal data may entail various forms of personal and corporate liability. This is particularly manifested through the application of sanctions set forth in the Contravention Code and the Criminal Code of the Republic of Moldova (No. 985-XV of 18 April 2002) ('the Criminal Code'), but may also entail liability for damages under civil law.

Among the harshest sanctions are fines of approx. €7,500 or deprivation of the right to hold an office or to carry out certain activities for a period of one year. Natural persons may be criminally charged for the illegal collection or dissemination of another person's legally protected information that amounts to a personal or family secret (Article 177 of the Criminal Code).

In particular, failure to comply with the main conditions for the processing, storage, and use of personal data shall be sanctioned with a maximum fine of approx. €750 and/or with deprivation of the right to carry out certain activities for a period of three years (Article 741 of the Contravention Code).

9.1. Enforcement decisions

Not applicable.
