The Parliament of the Republic of Moldova released, on 22 November 2018, a Draft Law on the Protection of Personal Data (‘the Draft Law’) and a Draft Law on the National Centre for the Protection of Personal Data (‘the Draft NCPDP Law’) that seek to align the data protection legislation in Moldova with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). The Draft NCPDP Law also aims to strengthen the capacity of the NCPDP and create a systematised legal framework to regulate its activity. The NCPDP outlined that the Draft Law and the Draft NCPDP Law were created with the support of European experts from the EU Twinning project: ‘Capacity Building of the NCPDP.’
The Draft Law outlines data subject rights and principles, including the right to deletion and rectification of data, data portability, the storage limitation principle, as well as, among other things, the fairness and transparency principle. It would also introduce definitions for concepts such as, biometric and genetic data, direct marketing, pseudonymisation and anonymisation of personal data. The Draft Law proposes to exclude the current legislative obligation to register as a personal data operator, in order to reduce excessive administrative formalities.
Furthermore, according to the provisions of the Draft Law, processing would only be valid when combined with other types of processing; therefore, consent would not be applied to an open set of activities, instead it would have to be validated for each individual processing purpose. Moreover, the Draft Law outlines that consent should be given through an unequivocal action constituting a freely expressed, specific, knowledgeable and clear expression of the data subject’s consent to the processing of personal data. Under the Draft Law, Data Protection Impact Assessments are also necessary when processing is likely to generate a ‘high risk’ to the rights and freedoms of individuals, the operational assessment of which will be through the relevant codes of conduct. The Draft Law increases sanctions for non-compliance up to a maximum of MDL 2 million (approx.€100,000), or 2% of a company’s annual turnover. In addition, the Draft Law outlines that sanctions will be enforced on a strict case by case basis, linked to the severity of the breach.
The Draft NCPDP Law would introduce new duties for the NCPDP, including the enforcement and operational administration of data protection issues. The Draft NCPDP Law aims to ensure that the NCPDP has the resources necessary for the performance of its tasks by creating a training subdivision within the NCPDP, improving the qualifications available for NCPDP staff and establishing a new role of ‘data protection inspector.’
If approved, the Draft Law and the Draft NCPDP Law will come into force on 2 May 2019.
CHRISTOPHER CAMPBELL Junior Privacy Analyst