Support Centre

Moldova

Summary

Law: Law of 8 July 2011 No. 133 on Personal Data Protection ('the Law')

Regulator: National Centre for Personal Data Protection ('NCPDP')

Summary: The Law provides general personal data protection provisions, establishes data subject rights such as the rights to access, rectification, or erasure, and includes requirements to appoint a data protection officer and provide data processing notifications. In addition, the Governmental Decision of 14 December 2010 No. 1123 on the Security of Personal Data within Automatic Databases (only available in Romanian here) established data breach notification requirements, as well as sanctions for failure to notify the NCPDP.

Moldova has an Association Agreement with the EU through which it has committed to ensuring adequate safeguards for the protection of personal data, and is a signatory of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'). The Moldova EU Twinning Project is also particularly active, and a draft personal data protection law (only available to download in Romanian here) has been in discussion over the past few years that would further align Moldovan law with data protection requirements in the EU.

On 10 December 2021, the Law of 11 November 2021 No. 175 for the amendment of some normative acts was published in the Official Gazette and amends the Law. Notably, the amendments introduce requirements to conduct Data Protection Impact Assessments in place of the data processing notification obligations, designate a person responsible for data protection, and new requirements for cross-border data transfers, among other things.

Insights

On 22 April 2022, the National Centre for Personal Data Protection ('NCPDP') approved the standard contract for the cross-border transmission of personal data to states that do not ensure an adequate level of personal data protection. Roger Gladei, Iulian Pașatii, and Irina Culinschi, from Gladei & Partners, look at Standard Contractual Clauses ('SCCs'), their main clauses, and challenges of this newly established data transfer regime.

The Law of 11 November 2021 No. 175 for the amendment of some normative acts ('the Amendment Law') amended the Law of 8 July 2011 No. 133 on Personal Data Protection ('the Law on Personal Data Protection') and entered into effect on 10 January 2022. In particular, the Amendment Law introduces new controller obligations, including the obligation to conduct Data Protection Impact Assessments ('DPIAs') and the appointment of a data protection officer ('DPO'). OneTrust DataGuidance breaks down the key amendments.

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Law No. 133 of 8 July 2011 on Personal Data Protection (the Law on Personal Data).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the Law on Personal Data with the  GDPR.

You can access the latest version of the report here.

Feedback