Moldova - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
- Law No. 133 of 8 July 2011 on Personal Data Protection ('the Law');
- Law No. 182-XVI of 10 July 2008 regarding the Approval of the Regulation of the National Center for Personal Data Protection ('NCPDP') Structure, Staff Limit, and Financial Arrangements;
- Government Resolution No. 1123 of 14 December 2010 approving the Requirements for the Assurance of Personal Data Security and their Processing within the Information Systems of Personal Data ('Resolution No. 1123/2010');
- Government Decision No. 296 of 15 May 2012 approving the Regulation of the Register of Evidence of Personal Data Controllers (only available in Romanian here);
- the 1981 Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, in force for the Republic of Moldova since 1 June 2008; and
- the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding Supervisory Authorities and Transborder Data Flows, in force for the Republic of Moldova since 24 June 2011.
The practice of the National Center for Personal Data Protection ('NCPDP'), i.e. the national data protection authority, consists of issuing various subject-limited decisions and instructions (only available in Romanian here) whereby it provides the public its official opinion on particular personal data protection issues. From a more general and comprehensive standpoint, the NCPDP has also issued the following:
- Instructions on the Processing of Personal Data in the Election Process (Order No. 03/1 of 28 February 2013);
- Instructions on the Processing of Personal Data in the Police Sector (Order of May 2013);
- Instructions on the Processing of Personal Data in the Education Sector (Order No. 03 of 21 January 2015) (only available in Romanian here); and
- Instructions on the Processing of Personal Data on Health Status (only available in Romanian here).
1.3. Case Law
Under Moldovan law, except in relation to the parties to the dispute, court judgments have no binding character. This also applies to the Supreme Court of Justice, which has the authority and responsibility to issue explanatory plenum judgments to unify the case law, and has so far issued no judgments on personal data protection issues.
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
The Law regulates legal relations arising during the processing operations of personal data, which form part of an evidence system or are intended to be included in such an evidence system (Article 2(1) of the Law).
2.2. What types of processing are covered/exempted?
The Law shall apply where (Article 2(2) of the Law):
- the controllers that process personal data are established in the territory of the Republic of Moldova;
- the processing of personal data is carried out within the diplomatic missions and consular offices of the Republic of Moldova, as well as where the controller is not established on national territory but in a place where national law applies by virtue of public international law;
- the controller is not established on national territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on national territory, unless such equipment is used only for purposes of transit through national territory; and
- the processing of personal data is related to the prevention and investigation of criminal offences, enforcement of convictions, and other activities within criminal or administrative procedures according to law.
The exemptions to the Law apply where (Article 2(4) of the Law):
- the processing of the personal data is carried out exclusively for personal and family purposes, and no violations of the rights of data subjects arise;
- the processing of personal data is related to state secrets; and
- the processing operations and cross-border transfer of personal data are related to perpetrators or victims of genocide, war crimes, and other crimes against humanity.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
The NCPDP supervises compliance with legal requirements and discharges its functions with impartiality and independence (Art. 19 of the Law).
3.2. Main powers, duties and responsibilities
The NCPDP's main duties include (Article 20(1) of the Law):
- to supervise and monitor compliance with the legislation on personal data protection;
- to authorise the processing of personal data;
- to order the suspension or cessation of personal data processing;
- to keep the register of personal data controllers and receive and analyse notifications on personal data processing;
- to make draft law proposals and cooperate with public authorities, the mass media, and Non-Governmental Organisations, as well as with similar foreign institutions;
- to collect and analyse annual activity reports of public authorities with regard to the protection of individuals in respect of personal data processing; and
- to establish and sanction contraventions according to the Contravention Code of the Republic of Moldova No. 218-XVI of 24 October 2008 ('the Contravention Code').
The NCPDP's main rights include (Article 20(2) of the Law):
- to request and receive from natural or legal persons governed by public or private law, information necessary for the exercise of its duties;
- to obtain from controllers the support and information necessary for the exercise of its duties;
- to recruit specialists and experts in the activity of prior checking and control of the lawfulness of personal data processing in areas which require special expertise; and
- to request from controllers the rectification, blocking, or destruction of personal data which are inaccurate or obtained unlawfully.
4. KEY DEFINITIONS | BASIC CONCEPTS
Personal Data: The Law defines 'personal data' as any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity (Article 3 of the Law).
Sensitive Data: The Law employs the notion of 'special categories of data,' that is particular data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, social affiliation, data concerning health or sex life, as well as data relating to criminal convictions, coercive measures, or administrative sanctions (Article 3 of the Law).
Data Controller: The Law defines 'controller' as a natural or legal person governed by public or private law, including a public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (Article 3 of the Law).
Data Processor: The Law defines 'processor' as a natural or legal person governed by public or private law, including a public authority and its territorial subdivisions, which processes personal data on behalf and upon the instruction of the controller (Article 3 of the Law).
Consent: The Law defines 'consent' as any freely given, express and unconditional indication of the data subject's wishes, in written or electronic form, according to the requirements of the electronic document, by which the data subject accepts that the personal data relating to them will be processed (Article 3 of the Law).
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
Before carrying out the processing of personal data, the controller shall notify the NCPDP and specify the scope of data processing. Each category of data processing must be notified. Notifications to the NCPDP must contain the following information (Article 23(2) of the Law):
- the name and address or headquarters in the Republic of Moldova of the controller and the processor, if any;
- the purpose(s) of processing;
- the description of category of personal data subjects and of the data to be processed, as well as the sources of such data;
- whether the personal data subject has consented to the processing of data;
- the manner in which personal data subjects have been informed about their rights, estimated end date of processing operations, as well as on any further destination to which their personal data may be transferred;
- the recipients to whom the personal data are intended to be disclosed;
- the guarantees for the transfer of personal data to third parties;
- proposals on cross-border transfers of personal data intended to take place;
- the persons responsible for personal data processing;
- the specification of personal data filing systems related to the processing, as well as any relations with other processing operations or with other personal data filing systems, whether or not these are carried out and whether or not they are established on the territory of the Republic of Moldova;
- reasons that justify the application of the provisions of the Law where the processing of data is performed exclusively for journalistic, literary, or artistic purposes, for statistical purposes or for the purposes of historical or scientific research; and
- a general description of measures taken to ensure the security of personal data processing.
When the processed personal data is to be transferred abroad, notifications must also include (Article 23(3) of the Law):
- the categories of data intended to be transferred; and
- the country of destination for each category of data.
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
The controller has the obligation to provide that personal data is (Article 4(2) of the Law):
- processed fairly and lawfully;
- collected for specified, explicit, and legitimate purposes, and not further processed in a way incompatible with such purposes;
- adequate, relevant, and not excessive in relation to the purposes for which it is collected and/or further processed;
- accurate and, where necessary, kept up to date; and
- kept in a form which allows identification of the data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.
Other responsibilities of the controller are to process data only after notification and only with the consent of the data subject. The controller is also obliged to provide the data subject with information regarding the following (Article 12(1) of the Law):
- the controller or processor's identity;
- the purposes of the processing for which the data are intended;
- the existence of the right of access to, and the right to rectify, the data concerning them; and
- any further information, such as the recipients or categories of recipients of data, whether replies to questions relating to the collection of personal data are obligatory or voluntary, as well as the possible consequences of failure to reply.
The data controller has the right to process data after notification to the NCPDP, and may process such data without data subject consent only if processing is necessary for (Article 5(5) of the Law):
- the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- compliance with a legal obligation to which the controller is subject;
- protecting the vital interests of the data subject;
- the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed;
- the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection;
- statistical purposes or for the purposes of historical or scientific research; or
- the exchange of data according to the law.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
Section 6 above applies to data processors as well, without prejudice to any right of the data subject to take legal action against the controller (Article 2(3) of the Law).
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
When data processing is carried out by a processor, the Law obliges the controller to choose a processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the intended processing, and that can ensure compliance with such measures (Article 30(2) of the Law).
The carrying out of processing by way of a processor must be governed by a contract or a binding legal act on the processor, which stipulates in particular (Article 30(3) of the Law):
- that the processor shall act only on instructions from the controller; and
- that the controller's obligations to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, are also incumbent on the processor.
9. DATA SUBJECT RIGHTS
Concerning their personal data, in particular, data subjects enjoy the following rights:
- the right to information (Article 12 of the Law);
- the right to access their data (Article 13 of the Law);
- the right to ask for rectification, erasure, or blocking of data, the processing of which is inconsistent with the law (Article 14 of the Law); and
- the right to object to the processing of their data (Article 16 of the Law).
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
There are currently no provisions in national law on the appointment of the data protection officer ('DPO') as described in the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). By way of analogy, the Law contains the obligation for controllers and/or processors to designate a person in their staff with the responsibility of carrying out data processing (Article 21(1) of Resolution No. 1123/2010).
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
There are currently no provisions in national law on data breach notification, as described in the GDPR. That being said, by way of analogy, there is a general obligation for the controller to notify the NCPDP of all system security incidents. This is done by reporting every year no later than 31 January (Article 90 of the Resolution No. 1123/2010).
11.2. Sectoral obligations
Failure to observe the legal or regulatory requirements concerning the processing of personal data may entail various forms of personal and corporate liability. This is manifested in particular through the application of the sanctions set forth in the Contravention Code and the Criminal Code of the Republic of Moldova (No. 985-XV of 18 April 2002) ('the Criminal Code'), but may also imply liability for damages under civil law.
Among the harshest sanctions are fines of approx. €7,500 or deprivation of the right to hold an office or to carry out certain activities for a period of one year. Natural persons may be criminally charged for the illegal collection or dissemination of another person's legally protected information that amounts to a personal or family secret (Article 177 of the Criminal Code).
In particular, carrying out processing without notification, or the unlawful cross-border transmission of personal data, is sanctioned with a maximum fine of approx. €750 and/or with deprivation of the right to carry out certain activities for a period of one year (Article 74 of the Contravention Code).
13. ADDITIONAL RELEVANT TOPICS
13.1. Data Transfers and Outsourcing
The transfer to a third country of personal data which is undergoing processing or is intended for processing after transfer may take place only with NCPDP authorisation and if the third country in question ensures an adequate level of protection. The adequacy of the level of protection afforded by a third country shall be assessed by the NCPDP in light of the circumstances surrounding the data transfer operation. Particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of destination, the rules of law in force in the third country in question, and the professional rules and security measures which are complied with in that country (Art. 32(3) of the Law).
There are currently no specific provisions in national law on employee personal data processing, such as those contained in the GDPR. A particular treatment of employee personal data can be found in the processing of special categories of data where, as an exception, employee data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, social affiliation, data concerning health or sex life, as well as data relating to criminal convictions, coercive measures, or administrative sanctions, may be processed by the controller only when complying with its labour-related obligations (Article 6 of the Law; Articles 91–94 of the Labour Code of the Republic of Moldova (No. 154-XV of 28 March 2003) ('the Labour Code')).
13.3. Data Retention
The controller and processor shall ensure that the data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. When the processing has finished, and there is no consent of the data subject for another data processing operation, the data must be (Article 11 of the Law):
- transferred to another controller, only if the same purpose of processing applies; and/or
- transformed into anonymised data for statistical purposes or for the purposes of historical or scientific research.
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
The Law provides that the transfer of personal data to a third country which does not ensure an adequate level of protection may take place on the condition that (Article 32(9) of the Law):
- the data subject has given their consent unambiguously for the suggested transfer;
- the transfer is necessary for the conclusion or performance of a contract between the data subject and the controller;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary in order to protect the vital interests of the data subject;
- the transfer is made from a register which, according to laws or regulations, is intended to provide information to the public, and which is accessible either to the public in general or to any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case; or
- the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise, or defence of legal claims.