Moldova

Summary

Law: Law No. 195/2024 on the Protection of Personal Data (only available in Romanian) (Law No. 195/2024)

Regulator: National Centre for Personal Data Protection (NCPDP)

On August 23, 2024, Law No. 195/2024 on the Protection of Personal Data was published in the Official Gazette of the Republic of Moldova. Law No. 195/2024 fully transposes the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) into Moldovan law and provides general personal data protection provisions, including data subject rights, duties of data operators, requirements for Data Protection Impact Assessments (DPIAs), and data transfer requirements. Law No. 195/2024 will come into effect two years after publication. In the meantime, the Law of 8 July 2011 No. 133 on Personal Data Protection (Law No. 133/2011) remains in force.

In addition, the Governmental Decision of 14 December 2010 No. 1123 on the Security of Personal Data within Automatic Databases (only available in Romanian) established data breach notification requirements, as well as sanctions for failure to notify the NCPDP. Moldova has an Association Agreement with the EU through which it has committed to ensuring adequate safeguards for the protection of personal data and is a signatory of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).

Insights

On 22 April 2022, the National Centre for Personal Data Protection ('NCPDP') approved the standard contract for the cross-border transmission of personal data to states that do not ensure an adequate level of personal data protection. Roger Gladei, Iulian Pașatii, and Irina Culinschi, from Gladei & Partners, look at Standard Contractual Clauses ('SCCs'), their main clauses, and challenges of this newly established data transfer regime.

The Law of 11 November 2021 No. 175 for the amendment of some normative acts ('the Amendment Law') amended the Law of 8 July 2011 No. 133 on Personal Data Protection ('the Law on Personal Data Protection') and entered into effect on 10 January 2022. In particular, the Amendment Law introduces new controller obligations, including the obligation to conduct Data Protection Impact Assessments ('DPIAs') and the appointment of a data protection officer ('DPO'). OneTrust DataGuidance breaks down the key amendments.