Moldova: NCPDP publishes approved list of data processing activities requiring a DPIA
The National Centre for Personal Data Protection ('NCPDP') announced, on 22 April 2022, that it had published, in the Official Gazette of the Republic of Moldova, Decision of the NCPDP No. 27 of 31 March 2022 on the approved list of processing operations that are subject to the requirement of performing a Data Protection Impact Assessment ('DPIA'). In particular, the decision outlines that it adopts the same approach and purpose for DPIAs as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). More specifically, the decision highlights that the approved list is meant to ensure data controllers are responsible for their operations, and establish appropriate measures and steps to hold data controllers accountable for their data processing activities.
To this end, the decision establishes where two or more of the below criteria are applicable, the data controller must conduct a DPIA of the highest quality, such as:
- systematic and extensive evaluation of personal aspects or scoring, including the creation of profiles and forecasts;
- automatic decision-making, including processing which aims at making decisions concerning data subjects which produce legal effects for them or which affect them in a similar way to a significant extent;
- systematic monitoring, including processing used to observe, monitor, or control the data subject, e.g. data collected through networks or large-scale systematic monitoring of an area accessible to the public;
- processing of the personal data of vulnerable persons, including children;
- large-scale processing of personal data, including:
- special categories of data of at least 5,000 individuals;
- data presenting high risks for at least 10,000 individuals; and
- any other data of at least 50,000 individuals; and
- video surveillance in public areas, e.g. stadiums and markets.